Encryption key management is a necessary component of effective data protection.
Strong data encryption generally is considered one of the more effective ways of protecting confidential data, be it stored locally or in the cloud. But strong encryption brings with it one of the most important aspects of data security: encryption key management. There is no one-size-fits-all answer to the key management conundrum; companies need to identify and implement a plan that meets not only security requirements, but also the security maturity profile of the company and the capabilities of its staff.
What to Look for in Key Management Solutions
One can compare the encryption security key to the combination safe with one major difference. Unlike a traditional safe with a preset combination, encryption keys can be changed -- both in content and in length. An effective key management program not only can generate and protect an existing key, but it also must be able to manage the distribution of keys and their destruction.
The National Institute of Standards and Technology (NIST) developed recommendations in 2012 for key management that goes into great detail on the technology, algorithms and implementation (the recommendations can be downloaded here). NIST also offers detailed information on its site about the Cryptographic Key Management Project.
Recent, well-publicized data breaches of large and small organizations where unencrypted confidential data was lost or stolen demonstrate the need for encryption for companies of all sizes. It does not matter if the loss is from stolen laptops, lost thumb drives, or from malware that gave attackers access to corporate data; unencrypted, personally identifiable data or confidential corporate data is the attackers' mother lode. For that reason, data should be encrypted not only in transit, but at rest as well.
One major challenge of encryption key management is standards, according to a report entitled Enterprise Encryption and Key Management Strategy from the Enterprise Strategy Group (ESG). Organizations that are embracing the Key Management Interoperability Protocol (KMIP) are finding it "immature," the report says, and not the answer the industry is seeking. That said, ESG identified 11 distinct technologies that companies are using today to protect their networks.
"Ad hoc encryption tools are often deployed in a manner where functional IT groups have access to encryption keys," the report states. "This ignores a key information security principle: separation of duties. Obviously, this could expose encryption keys to numerous IT staff members and thus greatly increase the risk of an insider attack."
Top 3 Encryption Key Management Questions
Protecting the encryption keys is as crucial as the data they protect. Among the questions the Chief Risk Officer (CRO) or Chief Information Security Officer (CISO) needs to address are:
- How are the encryption keys generated, changed, destroyed?
- How and where are they stored?
- How are the keys protected?
Levels of Data Encryption
Data encryption can be done at multiple levels: database field, file, application, as well as full disk. Multiple levels of encryption can be used to protect mission-critical or compliance-protected data; this essentially is the philosophy of defense in depth.
The closer the encryption is to the data, the stronger it is, experts agree. This is also true for encryption keys. An important consideration in selecting an encryption key management product is to ensure that keys, when generated, are constantly protected so that the master key is secure from a breach. One-time-use keys limit the exposure of data to theft the same way one-time-use credit card numbers limit the chance of funds being stolen.
Encryption Key Management Options
Some cloud providers offer encryption as a feature, but here again one faces the same problem of separation of duties. If a company plans to use its provider's service to manage encryption keys, it is essential to do your due diligence to ensure the vendor's environment is safe and meets or exceeds the client's own risk profile. Also, companies cannot outsource the responsibility of security; if a breach occurs, it still is the owner of the data that is responsible to those whom are impacted by the breach.
Porticor, a cloud security vendor, takes the approach of having the owner of the data hold on to what it calls the Master Key, which is never stored in the user’s cloud account or on the Porticor Key Management Service. When the user creates a new project, the Master Key is created and stored on the corporate site. When data is being encrypted, a new key is created that is a combination of the Master Key and a unique random key created by the Porticor appliance and stored on the Porticor’s web-based Key Management service.
The company likens its approach to a bank safe deposit box where the owner has one key and the bank the other. Even if the Master Key is hacked or stolen, the company says, the attacker would not be able to access private data. The company calls this technology homomorphic key encryption.
KeyNexus, another cloud-based key management system but this company uses a different approach. Rather than having the data owner manage the Master Key, the KeyNexus approach, designed to work with SafeNet Luna hardware security modules that are hosted by Amazon Web Services, maintains a secure, offsite storage location for the encryption keys. This approach allows the user to create encryption keys only when access to the key is needed. Once the key is used, it is deleted and not stored on the AWS servers, the company says.
Generally speaking for on-premises encryption, it is common that the keys will be stored in the same physical datacenter as the data. However, best practices for security indicate that the keys should be stored not only on a separate physical server as the data, but also on a different segment of the network behind additional layers of security. Keeping the keys separate from the data is an essential part of key management.
Cisco System, for example, offers an on-premises email gateway, IronPort Email Security Appliance, that intercepts an encrypted email after it enters the corporate network. The key from the message is sent to the Cisco Registered Envelope Service, where the incoming key is converted into a new key that is sent to the recipient. When the encrypted email arrives, it is unlocked with the new key from the security appliance and permits the recipient to unlock and read the encrypted mail. While this is an example of a corporate on-premises email offering, similar systems optimized for specific applications are available for customer resource management (CRM), databases, payment processing systems and many more applications.
Software and hardware data encryption products today usually are based on the industry standard data encryption algorithms such as AES (Advanced Encryption Standard), DES (Data Encryption Standard) and TDES (Triple DES) that are certified by NIST (National Institute of Standards and Technology) in the United States and CSE (Communications Security Establishment) in Canada. It is likely that companies could end up supporting multiple encryption standards, especially if the company is involved in mergers and acquisitions. In fact, some experts believe it is desirable to use multiple encryption technologies so that the level of encryption matches the level of security needed for a given piece of data.