A major problem with encryption as a security method is that the distribution, storage, and eventual disposal of keys introduce an expensive and onerous administrative burden. Historically, cryptographic keys were delivered by escorted couriers carrying keys or key books in secure boxes. An organization must follow strictly enforced procedures for protecting and monitoring the use of the key, and there must be a way to change keys. Even with all of these restrictions, there is always a chance that the key will be compromised or stolen. Even if there are standards developed for key-management it is still the most difficult part of an encryption solution. This is one of the greater challenges to overcome when you decide to create your own solution based on encryption toolkits from database vendors and security vendors. These toolkits provide the basic functionality for encrypting and decrypting information but typically do not provide a secure key-management system. Many companies have tried to develop their own encryption functionality, but few have succeeded in creating a system that performs not only by doing the obvious encryption, but doing so in a secure and reliable manner that does not prohibit you from keeping your systems operational. A mature data protection system should be based on a sophisticated key management system that is transparent, automated, secure and reliable for the environments where it operates.
A distributed approach with a central point of control
A mature data protection system should provide a central point of control for data protection systems at the application, database and file levels. The encryption solution has a combined hardware and software key management architecture which combine the benefits of each technology. This will address the central security requirements while providing the flexibility to allow security professionals to deploy encryption at the appropriate place in their infrastructure. It provides advanced security and usability smooth and efficient implementation into today’s complex data storage infrastructures. If your human resources department locks employee records in filing cabinets where one person is ultimately responsible for the keys, shouldn’t similar precautions be taken to protect this same information in its electronic format? One easy solution is to store the keys in a restricted database table or file. But, all administrators with privileged access could also access these keys, decrypt any data within your system, and then cover their tracks. Your database security in such a situation is based not on industry best practice, but on trusting your employees. When securing the sensitive data within your organization trust is not a policy. The key custodian should be a role in the IT organization.
The key custodian
The key custodian is responsible for managing the multi-layer key management infrastructure, including the creation of keys, distribution of replacement keys and the deletion of keys that have been compromised. The custodian should be appointed by the Compliance Review Committee. Access to central key management functions should require a separate and optional strong authentication and management of encryption keys should be logged in an evidence-quality audit system. Keys stored in the Hardware Security Module are protected from physical attacks and cannot be compromised even by stealing the Hardware Security Module itself. Any attempt to tamper with or probe the Hardware Security Module will result in the immediate destruction of all private key data, making it virtually impossible for either external or internal hackers to access this vital information. Encryption of the application data should be performed by an Enforcement Agent that should be implemented as a Dedicated Encryption Service (Please see my article in (IN)SECURE Issue 8) that is separated from the administration of the data that it protects. This service may run in different environments including in a separate process, a separate server or in a Hardware Security Module depending on the security class of the data and the operational requirements for performance and availability.