At first part From this two-part series on Key Management, we saw how a growing number of organizations are encrypting their confidential data to mitigate cybersecurity risks. As mentioned earlier, with increasingly sophisticated cybercriminals, simply encrypting the data is not enough.
With data encryption, the risk is transferred from the data to the encryption keys and, to ensure optimal data protection, organizations must ensure that their encryption keys are managed and protected efficiently at each stage of their Lifecycle.
In this part, we will cover the various benefits of centralizing your key management and guide you on how to adopt key management for your organization.
Centralized key management
When it comes to securely storing the encryption keys, three pertinent questions must be addressed:
1. Where are the keys stored: in third-party applications, in the cloud (private, public or hybrid) in a heterogeneous environment that supports multiple databases?
2. Are the keys protected with solid access management mechanisms that prevent unauthorized access?
3. Does your key security approach comply with the legal mandates of regulatory bodies?
As more and more data is encrypted, the reliance on encryption keys increases and the protection of all keys (throughout their life cycle) becomes a challenge. The task becomes more daunting in an environment where organizations use different provider systems that generate their own keys.
In addition, as encryption keys undergo many changes throughout their life cycle, such as creation, version control, distribution, rotation, storage, archiving, backup and, Ultimately, the destruction, the management of the keys in each moment of its life cycle becomes critical.
This is where centralized key management is useful. With the inherent ability to securely store and manage all encryption keys in a centralized and secure manner, organizations can see, control and uniformly manage the encryption keys of all their confidential data, whether they reside in the cloud , in storage, in Databases, or practically anywhere else.
The main key management solutions (KMS) can transparently manage keys through heterogeneous encryption platforms and offer broad support for the Key Management Interoperability Protocol (KMIP) standard, as well as for proprietary interfaces , which facilitates the administration of a disparate set of encryption keys.
In addition to secure storage and management, another important aspect of centralized key management is key governance. The simple fact of storing and managing the keys is not enough, but ensuring the administration of access to all tests is equally important. Centralized key management allows for adequate key governance, even when data and people move from one department to another within the organization.
Requirements for the efficient management of centralized keys
Now that we understand why organizations should adopt centralized key management to ensure optimal data protection, let's take a look at the three important requirements for centralized key management to work without problems:
1. Key management server
At the heart of any good Key Management Solution is a FIPS 140-2, tamper-resistant hardware server, resistant to intrusions, certified at Level 3 (also known as Hardware Security Module or HSM) that performs the important role of creating, storing, recovering, rotating, archiving and deleting encryption keys.
This server also facilitates seamless communication with all other applications (both internal and external) through native encryption using the Key Management Interoperability Protocol (KMIP).
Here are three important points that organizations should consider when selecting a key management server:
(1) Adhesion to Regulatory Compliance
The server must comply with the federal security requirements that require the destruction of all stored encryption keys upon detection of a forced entry.
(2) Role management
The server must have integrated role management features that provide separation of tasks between various user roles with useful tools for assigning / removing roles quickly. As more and more data is encrypted, which leads to an increasing reliance on encryption keys, role management becomes a crucial feature for any organization.
The server must be able to interoperate consistently with other enterprise applications by providing access to its user interface through APIs, web services, and encryption connectors.
As a good practice, organizations should:
(a) Store all the encryption keys (and not just the Trust Root Master Key) on the hardware server.
(b) Ensure that the autorotation and version control of the keys are performed according to a predefined program without any downtime during the key rotation process, and
(c) Make sure that the white list of the IP address occurs within the secure hardware server itself.
2. Key management policies
As seen in our previous publication, a key management policy (KMP) is a predefined set of rules that cover the objectives, responsibilities and general requirements for securing and managing the encryption keys of an organization.
While a key management server can centrally manage all encryption keys and apply established policies, you can not create a KMP on its own. The responsibility for discarding an integral KMP lies with the organization's IT and Cybersecurity Chiefs, such as the Director of Information Security (CISO), the Director of Risks (CRO), etc., who are responsible for ensuring the adoption of the KMPs for data protection. The "lack of ambiguity" is one of the most important pillars of a good KMP that guarantees that there are no misunderstandings when accessing encryption keys. For example, a KMP can state unequivocally that employees of a business unit or department can not access the encryption keys of another unit, or that access to the keys can only be granted through the corporate LAN.
3. Key management processes
Key management processes are a series of diverse processes such as inputs, activities and products that are fundamental for centralized key management.
These processes help users to use the KMP of their organization and can be automated or implemented manually. For example, depending on the sensitivity of the data that will be accessed, the Key Management Process can instruct users to connect through a VPN or through the corporate LAN.
How Gemalto helps to centralize key management
As a world leader in enterprise key management, organizations around the world adopt Gemalto's SafeNet KeySecure key to centralize and manage their encryption keys.
SafeNet KeySecure, available as a hardware device or virtual security device, is a secure centralized, plug-and-play, key management platform that can be deployed quickly in physical, virtualized infrastructure and public cloud environments.
SafeNet KeySecure also comprehensively supports data encryption and key management of a diverse set of databases such as Oracle, IBM DB2, Microsoft SQL, Mongo DB, etc., and easily supports the generation, storage and Export of keys in a Bring-Your-Own-Key (BYOK) key environment of players in the cloud such as Microsoft Azure, Amazon Web Services, etc.
Below is a brief snapshot of the ecosystem of diverse integrations that Gemalto SafeNet KeySecure supports:
For organizations that have already invested in HSM devices, Gemalto offers a low-cost virtual key management solution: SafeNet Virtual KeySecure that centralizes all cryptographic processing and provides scalable key management in remote installations or cloud infrastructures such as VMware or AWS Marketplace.
To summarize it
With the increase in incidents of cyber attacks and data breaches, neither the front-line defense mechanisms are sufficient, nor the simple data encryption. To protect sensitive data, organizations must not only protect their encryption keys from unauthorized access, but they must also efficiently manage them through a highly scalable and cutting-edge key management solution. Learn more about Business key management and how you can help your organization efficiently manage its encryption keys.
*** This is a syndicated blog of the Security Bloggers Network of Business Security – Gemalto Blog written by Ved Prakash. Read the original publication at: https://blog.gemalto.com/security/2019/04/15/understanding-key-management-policy-part-2/