One of the most important aspects of cybersecurity is practicing proper encryption key management. Encrypting data at rest and in transit is crucial to maintaining the confidentiality of sensitive data, but encrypting the data alone isn’t enough if you don’t adequately safeguard the keys to the kingdom. Improper key management may give adversaries access to your organization’s data encryption keys, undermining every encryption control that protects your data. Anyone with access to the actual data encryption key and the ciphertext can decrypt and read the protected data, which is catastrophic for any business that handles sensitive information. Key management is a difficult proposition because it requires significant coordination across key generation, exchange, storage, use, and decommissioning, with strict logical and physical controls in place to protect the management platform itself.
Key Management Platforms
Broadly speaking, there are a few ways to implement a key management platform: a dedicated hardware security module (HSM), a virtual (software) HSM, or a cloud key management service such as AWS KMS or Azure Key Vault. In principle, all of these perform the same duties of key generation, exchange, storage, use, and decommissioning; they differ in how they are implemented and in who is responsible for what. A physical HSM is a dedicated, tamper-resistant appliance whose sole task is performing key operations, and keys generated inside it are designed never to leave it in plaintext. A virtual HSM can be deployed far more rapidly on existing hardware and affords much greater freedom in implementation, but its keys are only as well protected as the host it runs on, because there is no hardware boundary between the key material and the rest of the system. Both options carry the usual drawbacks of physical and locally virtualized tools: you are responsible for the maintenance, overhead, and correct configuration of the service. With a cloud key management platform, much of that complexity is abstracted away from the organization, although you remain responsible for the identity and access policies that decide who may use each key, and a misconfigured policy exposes keys just as surely as a misconfigured HSM. Which solution works best for your organization will vary based on your specific needs, with each option having its advantages and disadvantages.
How We Protect Our Encryption Keys
So how do we protect our key management platforms? Regardless of how you deploy your key management platform, you must protect it to the best of your abilities. After all, if the security surrounding your encryption keys is the only thing that stands between an adversary and complete access to all of your organization’s encrypted data, it had better be an immensely strong barrier. With any of the aforementioned configurations, you must establish tight physical and logical security controls to prevent compromise. Essential controls such as restricting access to only the most trusted users and systems, maintaining separation of duties (for example, so that no single person can both administer the platform and use the keys it holds), wrapping your data encryption keys under key-encryption keys that never leave the platform, using a FIPS-approved algorithm in a FIPS 140-validated module, rotating keys and retiring old ones on a schedule, logging every key operation, keeping up with system patching, and maintaining complete encrypted backups are only the beginning of the controls that should protect your key management platform. A key resource in this process is NIST Special Publication 800-57, Recommendation for Key Management; Part 2 in particular covers best practices for key management organizations, with detailed guidance on how to run your key management program.
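To make the platform boundary described in the two sections above concrete, here is an added example (not code from the original post) in Ruby: a hypothetical in-memory KMS class stands in for the HSM or cloud key service and holds the key-encryption keys (KEKs), while data is encrypted under per-record data encryption keys (DEKs) that are wrapped by the KMS and stored alongside the ciphertext. The class name KMS, the key IDs kek-vN, the Envelope structure and the helper names are all assumptions for illustration, and Ruby's OpenSSL AES-256-GCM stands in for whatever FIPS-validated module a real platform would use; nothing here is a real HSM or a vendor API.

```ruby
require 'openssl'
require 'securerandom'

NONCE_LEN = 12 # GCM nonce length in bytes
TAG_LEN   = 16 # GCM authentication tag length in bytes

# AES-256-GCM seal: returns nonce || tag || ciphertext. aad is authenticated but not encrypted.
def aead_seal(key, plaintext, aad = '')
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  nonce = cipher.random_iv # fresh per message; a repeated nonce under one key breaks GCM
  cipher.auth_data = aad
  ct = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ct
end

# Reverse of aead_seal. A wrong key, wrong aad or any tampered byte raises OpenSSL::Cipher::CipherError.
def aead_open(key, sealed, aad = '')
  raise ArgumentError, 'sealed data too short' if sealed.bytesize <= NONCE_LEN + TAG_LEN
  nonce = sealed.byteslice(0, NONCE_LEN)
  tag   = sealed.byteslice(NONCE_LEN, TAG_LEN)
  ct    = sealed.byteslice(NONCE_LEN + TAG_LEN, sealed.bytesize - NONCE_LEN - TAG_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ct) + cipher.final
end

# Hypothetical in-memory stand-in for an HSM or cloud KMS: holds the key-encryption keys (KEKs),
# exposes only wrap/unwrap/rotate/retire, and KEK bytes never leave the object.
class KMS
  attr_reader :current # ID of the KEK used for new wraps

  def initialize
    @keks = {}
    @version = 0
    rotate
  end

  # Generate a fresh KEK for new wraps; older KEKs stay usable for unwrap until retired.
  def rotate
    @version += 1
    @current = "kek-v#{@version}"
    @keks[@current] = SecureRandom.random_bytes(32)
    @current
  end

  # Decommission a KEK. Envelopes still wrapped under it become unrecoverable, so rewrap! them first.
  def retire(id)
    raise ArgumentError, 'rotate before retiring the current KEK' if id == @current
    raise KeyError, "KEK #{id} is unknown or already retired" unless @keks.delete(id)
    true
  end

  # Wrap a DEK under the current KEK, with the KEK ID as AAD so the blob cannot be passed off as another version's.
  def wrap(dek)
    [@current, aead_seal(@keks.fetch(@current), dek, @current)]
  end

  # Unwrap a DEK. An unknown or retired KEK ID is a hard failure, not a fallback.
  def unwrap(id, wrapped)
    kek = @keks.fetch(id) { raise KeyError, "KEK #{id} is unknown or retired" }
    aead_open(kek, wrapped, id)
  end
end

# What lands in the data store: ciphertext plus the wrapped DEK. Copying the store yields nothing decryptable without the KMS.
Envelope = Struct.new(:kek_id, :wrapped_dek, :ciphertext)

# Encrypt one record under a fresh per-record DEK, then wrap that DEK through the KMS.
def seal_record(kms, plaintext)
  dek = SecureRandom.random_bytes(32)
  kek_id, wrapped = kms.wrap(dek)
  Envelope.new(kek_id, wrapped, aead_seal(dek, plaintext))
end

def open_record(kms, env)
  aead_open(kms.unwrap(env.kek_id, env.wrapped_dek), env.ciphertext)
end

# Move an envelope to the current KEK: only the 32-byte DEK is re-encrypted; the data ciphertext is untouched.
def rewrap!(kms, env)
  dek = kms.unwrap(env.kek_id, env.wrapped_dek)
  env.kek_id, env.wrapped_dek = kms.wrap(dek)
  env
end

if __FILE__ == $PROGRAM_NAME
  kms = KMS.new
  env = seal_record(kms, 'constructed sample record: acct=0000-0000') # constructed, not real data
  old = env.kek_id
  kms.rotate
  rewrap!(kms, env)
  kms.retire(old)
  puts "#{open_record(kms, env)} (now under #{env.kek_id}; #{old} destroyed)"
end
```

Run stand-alone, the script seals a constructed record, rotates the KEK, re-wraps the DEK without touching the data ciphertext, retires the old KEK, and decrypts. The points worth noticing as a practitioner: the data store only ever holds the envelope, so a copy of it is useless without the KMS; rotation is cheap because only 32-byte DEKs are re-encrypted rather than the data; retire refuses the current key; and anything still wrapped under a retired key fails hard rather than silently falling back, which is why re-wrapping has to be confirmed complete before a key is destroyed.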
It Isn’t Glamorous, But It’s Important
Encryption key management is not the most glamorous aspect of the cybersecurity field, but it may be one of the most critical. Without encryption, and without proper management of the keys behind it, it becomes impossible to guarantee the integrity or confidentiality of our most critical data. Poor planning or implementation of the storage and use of your organization’s encryption keys can be disastrous for the confidentiality, integrity, and availability of critical business data: a leaked key exposes everything encrypted under it, and a lost or prematurely destroyed key makes everything encrypted under it unrecoverable. At the end of the day, NIST puts it best in Special Publication 800-57: “Trust in the source of these keys is essential to any confidence in the cryptographic mechanisms being employed. Access to the private or secret keys by entities that are not intended to use them invalidates any assumptions regarding the confidentiality or integrity of information believed to be protected by the associated cryptographic mechanisms.”