Data breaches are at an all-time high with 2019 looking to one of the worst on record for data loses. Within the data security battle, encryption is considered to be the gold standard that provides protection through the whole data lifecycle. With that said, picking and implementing the right encryption solution for your organization comes with many challenges. One of the biggest hurdles in implementing robust encryption is encryption key management.
Encryption keys, like the data they protect, have a lifecycle. This includes:
- Storage and protection (of both existing and expired keys)
- Replacement and destruction
Key management is crucial to ensuring the overall security of the encryption system the keys are an intrinsic part of, that’s why, in late 2018, the National Institute of Standards and Technology (NIST) released a paper defining recommendations on encryption key management. This paper was developed using input from industry experts across many sectors. Below, I have referred to some of the values mentioned in the paper and incorporated my own recommendations.
These are the five factors I believe should be considered when choosing a Key Management solution:
Factor 1: Key Storage
Secrets aren’t meant to be shared and encryption keys are your most valuable secret. That is why you need to ensure you are well aware of where your encryption keys are stored and who could potentially access them. For example, if the solution in question requires encryption keys to be available to the cloud infrastructure (a common requirement when encrypted data needs to be processed) they should not be considered secure.
Factor 2: Key rotation and destruction
Standards such as the Payment Card Industry Data Security Standard (PCI DSS) require key rotation. Key rotation is where a new key is generated periodically and set as the primary key. This primary key is then used to encrypt the data, with a new, different encryption logic than the previous one.
Since new primary keys can’t decrypt data that was encrypted by their successor, older versions of a key should still be available to make sure data has been encrypted with the new key, and old data is still readable – but will not be used for encryption. Question is – if and how are these records kept when keys rotate?
Factor 3: Key generation granularity
A zero trust approach to key management ensures the keys are kept within a secure environment that is divided at the highest possible level. Ideally, a KMS should allow for granular access control – meaning that it enables to manage access at lowest hierarchy level within the department/role/user/device scope.
Another important question to ask is, will the KMS allow access control at the data, user or application level? The last two introduce potential vulnerabilities that will need to be addressed, therefore the data and device levels will be the preferred choice.
Factor 4: Automation
Many of the lifecycle events of a key can be automated to prevent mistakes occurring. In addition, manual key management takes up a lot of time – imagine manually creating a key for any new recruitment in a fast-paced enterprise-level company. That is, basically, impossible. A KMS should offer some automation for repetitive tasks. However, the automation options within a KMS should also be flexible enough to be easily modified if conditions change.
Factor 5: Easy to use interface
A poorly designed user interface (UI) can have serious implications for security. Accidents in configuration or misuse of a feature, such as key rotation settings, can compound security problems. Even if the KMS has all the necessary features, if they are expressed poorly, they may be not used correctly.
The SEC of KMS evaluation
Key management is a vital part of ensuring that the encryption you implement across a data lifecycle, works securely. You should follow the three rules of evaluation, SEC, when looking for the right KMS for your organization:
- Security – Ensure encryption keys are never at risk of exposure outside an organization’s domain.
- Ease of use – The KMS should have an intuitive interface and offer a high level of automation, eliminating management overhead.
- Control – Access management should be highly granular on a per device basis at the data level.