Protecting data is important, but if a key is lost, access to all of the data originally encrypted by that key is also lost. To put it bluntly, encryption without competent key management is effectively electronic data shredding. Just as with house keys, office keys or car keys, great care must be taken to keep back-ups and special thought needs to be given to who has access to keys. Establishing a key management policy and creating an infrastructure to enforce it is therefore an important component of a successful enterprise security deployment.
Key management brings encryption under control
Key management can’t be an afterthought: it is the process by which encryption and cryptography become effective security and business tools. Key management is about bringing encryption processes under control, from both a security and a cost perspective. Keys must be created according to the correct process, backed up in case of disaster, delivered to the systems that need them on time and ideally automatically, kept under the control of the appropriate people and, finally, destroyed at the end of their lifespan. In addition to the logistics of handling keys securely (they are secrets, after all), it is also critical to set and enforce policies that define the use of keys: the who, when, where and why of data access.
Archiving, recovery and delivery of keys are all crucial parts of the equation. For instance, if a laptop breaks down or a back-up tape is stolen, the issue is not just one of security but also of business continuity. Information recovery takes on a whole new dimension, particularly in an emergency, when the recovery process is performed in a different location, by a different team, governed by different policies, on protected data that is years or even decades old. What used to be a data management problem is now also a serious key management problem.
Enterprise key management recommendations
Traditionally, key management has been tied to the specific applications in use, so it quickly becomes fragmented and ad hoc as the number of applications grows. Scalability suffers when renewing certificates, rolling over keys, moving and replicating keys across multiple host machines, and removing keys as machines and storage media are retired, fail or are redeployed all rely on manual processes. This frequently results in escalating costs, particularly where security and auditability are high priorities.
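The lifecycle described under "Key management brings encryption under control" (create, back up, deliver, destroy) and the key rollover problem above can be made concrete with envelope encryption: each record gets its own data encryption key (DEK), and only the DEK is wrapped under a versioned key encryption key (KEK). Rolling the KEK then means rewrapping small DEKs rather than re-encrypting every record, and destroying a KEK version turns every record still wrapped under it into the "electronic data shredding" the article warns about. The following Go program is an added example written for this article, not code from Help Net Security or from any product; the in-memory `KeyStore` is an assumed stand-in for the HSM or KMS that would hold KEKs in a real deployment, and the record contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one encrypted object: the ciphertext plus the DEK that protects
// it, wrapped under a specific KEK version so rollover can be tracked per record.
type Record struct {
	KEKVersion int    // KEK version that wrapped the DEK
	WrappedDEK []byte // DEK sealed with AES-GCM under the KEK (nonce prepended)
	Ciphertext []byte // data sealed with AES-GCM under the DEK (nonce prepended)
}

// KeyStore holds versioned KEKs. Assumption for this example: a map stands in
// for the HSM or cloud KMS that would hold and never export KEKs in production.
type KeyStore struct {
	keks    map[int][]byte
	current int
}

// NewKeyStore creates a store with KEK version 1 already active.
func NewKeyStore() (*KeyStore, error) {
	ks := &KeyStore{keks: map[int][]byte{}}
	return ks, ks.Rotate()
}

// Rotate creates a new 256-bit KEK and makes it current. Older versions are
// retained so existing records stay decryptable until they are rewrapped.
func (ks *KeyStore) Rotate() error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	ks.current++
	ks.keks[ks.current] = kek
	return nil
}

// Destroy deletes a KEK version. Every record whose DEK is still wrapped under
// it becomes unrecoverable: crypto-shredding, whether intended or not.
func (ks *KeyStore) Destroy(version int) { delete(ks.keks, version) }

// seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on any tampering thanks to the GCM tag.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt generates a fresh DEK per record and wraps it under the current KEK.
func (ks *KeyStore) Encrypt(plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(ks.keks[ks.current], dek)
	if err != nil {
		return Record{}, err
	}
	return Record{KEKVersion: ks.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK version recorded on the object; a
// destroyed KEK version makes the record permanently unreadable.
func (ks *KeyStore) Decrypt(rec Record) ([]byte, error) {
	kek, ok := ks.keks[rec.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is gone: record is unrecoverable", rec.KEKVersion)
	}
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext)
}

// Rewrap moves a record to the current KEK without touching the ciphertext,
// which is why rollover scales: only the small wrapped DEKs are rewritten.
func (ks *KeyStore) Rewrap(rec Record) (Record, error) {
	if rec.KEKVersion == ks.current {
		return rec, nil
	}
	kek, ok := ks.keks[rec.KEKVersion]
	if !ok {
		return Record{}, fmt.Errorf("cannot rewrap: KEK version %d is gone", rec.KEKVersion)
	}
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(ks.keks[ks.current], dek)
	if err != nil {
		return Record{}, err
	}
	return Record{KEKVersion: ks.current, WrappedDEK: wrapped, Ciphertext: rec.Ciphertext}, nil
}

func main() {
	ks, _ := NewKeyStore()
	rec, _ := ks.Encrypt([]byte("constructed sample customer record")) // constructed data
	_ = ks.Rotate()
	rewrapped, _ := ks.Rewrap(rec)
	ks.Destroy(1) // retire KEK 1 after rewrapping
	_, err := ks.Decrypt(rec)
	fmt.Println("copy still wrapped under KEK 1:", err)
	pt, _ := ks.Decrypt(rewrapped)
	fmt.Println("rewrapped copy:", string(pt))
}
```

The order in `main` is the point: rotate, rewrap every record, verify, and only then destroy the old version. Destroying first is exactly the shredding scenario, and a real deployment would also back up KEK versions (escrow) before retiring them and log every rotate, rewrap and destroy for audit.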