Many organizations struggle with cryptographic key management for multiple reasons. However, these pain points can be resolved with the right tools.
Based on the 2020 Global Encryption Trends Study, the Ponemon Institute and nCipher Security derived eight common pain points that many organizations run into with managing cryptographic keys. This article gives a summary of these 8 pain points and proposes recommendations and tools to resolve them.
1. Key Ownership is Unclear
Not knowing who has access to a key is the most common pain point with managing cryptographic keys. As a general principle, a key should be made available to the smallest number of people or processes consistent with delivering a reliable and available service.
2. Lack of Skilled Personnel
Key management is a specialist domain; organisations are often limited by how quickly they can acquire and retain trustworthy staff with the appropriate knowledge and expertise.
3. Isolated and Fragmented Systems
Isolated and siloed systems will frequently evolve their own independent Key Management solutions. This behavior compounds the challenges of key management and multiplies risk. By centralizing key management (analogous to physical keys on a key-ring) this risk can be reduced.
4. Inadequate Key Management Tools
Cryptographic systems often have their own basic tools for local key management. While functional, these may lack enterprise-grade logical or physical protection of key material and offer only ‘local’ storage of keys, putting them at risk of accidental loss or malicious theft.
5. Lack of Resources
Implementing a new system to manage cryptographic keys can be challenging even when an organization has the ambition and resources to do so.
In addition to the issue of qualified staff (point 2), a key-management project can struggle to get the budget, in both money and hours, for a successful implementation.
6. Not Understanding Requirements
An organisation can appreciate that it has problems and risks in the domain of key management, but this understanding alone is not enough to build a successful project on. A thorough understanding of the scope of the project, including the prioritization of use-cases, is a necessary foundation for engaging with vendors and selecting a solution.
7. New Technology and Standards
The cryptographic landscape is continually evolving; the state of the art with respect to algorithms and key-lengths changes in response to academic research, attack vectors and core technology. A key-management strategy should ideally anticipate the inevitable changes that will be required by keeping abreast of research and standardization initiatives.
8. Unreliable and Error-Prone Manual Processes
Most data security breaches that businesses experience are a result of human error. The use of manual processes versus automatic processes increases the risk of innocent human mistakes and deliberate malicious actions.
Choosing centralized, automated and banking-grade Key Management
Modern infrastructure of international players, financial institutions and even government organizations is often distributed across a hybrid cloud. It includes local data centers, and often public and private cloud architectures, providing computing or storage environments as well as external software services.
With such a broad scope of environments to consider, here is an overview of how centralized and automated key management solutions can help an organization reassert control over critical key management operations and address many of the pain points listed above:
- Centralizing key management integrates decentralized architectures into one centrally controlled and auditable security system. Apart from regaining control and ownership of the keys, it allows the company to be flexible and to act rapidly in response to strategic changes or market requirements.
- The higher the level of automation in key management, the fewer resources are required to manage it and keep data and processes safe. Professional key management systems should be based on clear and uncomplicated procedures to manage keys and to aggregate audit data in compliance with the company’s regulatory requirements. High automation and proven technology in key management will reduce the share of manual intervention to a minimum. A KMS must also be flexible enough to support a broad range of hardware and software integrations to enable better resource utilization.
- Key management, to be adequate for a high level of corporate security, should be designed around high-quality key management software and hardware that comply with security standards like FIPS 140-2/-3 and PCI-DSS. A Key Management System (KMS) provider should be able to demonstrate that the offered solution assures compliance with the required regulations and standards. Security requirements are well defined in each industry or service segment and area of jurisdiction. Implementing Hardware Security Modules (HSMs) as part of a centralized KMS solution is the best choice for resolving the security-specific pain points of managing keys, as they provide both physical and logical protection for cryptographic keys.
- With regard to the advent of Post Quantum Computing (PQC), centralized key management solutions will provide a higher level of crypto-agility, allowing the adoption of quantum resistant algorithms with less effort.
A key management solution could also come in the form of a centralized cryptographic platform, which acts as a control center for cryptographic services and crypto policy management, to further reduce costs and effort, while increasing the level of crypto-agility to support changes in technology and standards.
- Technologies are rapidly evolving, currently driven by a strong trend to service-oriented and cloud-based business models and platforms. The key management provider needs to show that it has been able to withstand changes over time. In relation to the cloud and BYOK (Bring Your Own Key), professional key management systems should enable companies to own and manage the lifecycles of cryptographic keys no matter where the data is. In consequence, they will keep a strong level of control over data security and retain ownership of the data, meaning freedom to change host environments whenever needed.
Mitigating risks with a centralized KMS
There is a lot at stake if a single cryptographic key becomes compromised, as this means that all the corporate security and data that is protected by that key may also be compromised. Apart from immediate financial damage and remediation costs of a data security breach, corporate loss of reputation and trust may, in the long term, be even more significant.
The only effective way to mitigate the risks posed by poorly managed keys is to use a dedicated and centralized KMS, ideally a proven solution from a reputable provider with good customer references. Any such KMS should utilize an HSM to generate and protect keys, and to underpin the security of the whole system. If well-designed, such a system will offer the following benefits:
- Full lifecycle management of keys (on-prem and in the cloud)
- Generation of strong keys using a FIPS-certified RNG and hardware entropy source
- Protection of keys using a tamper-resistant HSM
- Strict policy-based controls to prevent the misuse/reuse of keys
- Automatic key rotation
- Automatic secure key distribution
- The ability to securely import/export keys in components or under a transport key
- The ability to securely destroy keys at the end of their lifecycle
- Strong user authentication, segregation of duties, and dual control over critical operations
- Intuitive user interface and secure workflow management to minimize the risk of human error
- Support for high-availability and business continuity
- Tamper-evident audit log, usage log and key histories for demonstrating compliance
- Ability to respond quickly to any detected compromise
Not only will such a system help protect your keys, it will also boost efficiency, reduce reliance on highly-skilled personnel, and simplify achieving, maintaining and demonstrating compliance with a multitude of standards and regulations such as PCI-DSS.
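To make the "tamper-evident audit log" item above concrete, here is an added example (not code from the original article or from any KMS product) of an HMAC-chained log of key lifecycle events. The function names, event fields and the demo key are assumptions for illustration; in a real deployment the log key would be held in the HSM and the chain head recorded in a separate system.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of the first entry

def _mac(log_key: bytes, prev: str, event: dict) -> str:
    # Each MAC covers the previous entry's MAC, so an entry cannot be edited,
    # reordered or removed from the middle without breaking the chain.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(log_key, (prev + body).encode(), hashlib.sha256).hexdigest()

def append(log: list, log_key: bytes, event: dict) -> None:
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "mac": _mac(log_key, prev, event)})

def verify(log: list, log_key: bytes, expected_len: int, expected_head: str):
    """Return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["mac"], _mac(log_key, prev, entry["event"])):
            return False, i
        prev = entry["mac"]
    # A truncated log is still a valid chain, so also compare against the
    # length and head MAC that were recorded outside the log itself.
    if len(log) != expected_len or not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None

def demo():
    log_key = b"constructed-demo-key"  # constructed value; assumption: HSM-held in practice
    log = []
    events = [  # constructed sample key-lifecycle events
        ("alice", "generate", "kek-01"),
        ("alice+bob", "export-under-transport-key", "kek-01"),
        ("scheduler", "rotate", "kek-01"),
        ("alice+bob", "destroy", "kek-01"),
    ]
    for seq, (actor, action, key_id) in enumerate(events):
        append(log, log_key, {"seq": seq, "actor": actor, "action": action, "key": key_id})
    head, n = log[-1]["mac"], len(log)
    # Case 1: rewrite the actor of the dual-control export to hide one operator.
    edited = list(log)
    edited[1] = {"event": {**log[1]["event"], "actor": "alice"}, "mac": log[1]["mac"]}
    # Case 2: drop the final "destroy" record.
    truncated = log[:3]
    return (verify(log, log_key, n, head),
            verify(edited, log_key, n, head),
            verify(truncated, log_key, n, head))

if __name__ == "__main__":
    print(demo())
```

The chain only gives evidence of tampering when the verifier's copy of the head value and the log key are outside the reach of whoever can write to the log.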
Closing thoughts
Increasingly, security architecture and corporate business models are interwoven. Orchestration of cryptography underpins every modern business process. The monetary and reputational value of all data and processes protected by crypto (and the cryptographic keys) might even exceed that of the organisation itself.
Cryptography is becoming the enabler of a flexible and customer-oriented corporate evolution. Getting the common crypto pain points under control and turning them into a strength rather than a burden will pay off in the short and long term.