The need for mitigating risk with an appropriate key management system (KMS) is critical to the success of any organization that shares sensitive data across networks.
Here is a breakdown of two common types of KMSs and how risk mitigation can be successfully accomplished.
Distributed versus Centralized
At a high level, two common types of cryptographic key management systems are typically referred to as centralized and distributed. As their names imply, the primary difference is the logical location of the key management system
In the early days of using cryptography to protect online applications, e.g. for eBanking and eCommerce, nearly all key management systems were distributed. This meant that KMS related hardware, software, and processes existed at multiple locations. In this scenario, organizations would employ dedicated teams of people to travel to these different sites to update keys, manage key lifecycle events, and apply security policies. This process allowed organizations to meet the needs of each of its individual locations and deploy multiple encryption solutions across platforms.
As the use of crypto keys continued to rapidly expand, the need to create a centralized approach to key management began to appear. Centralized key management brings all facets of crypto key management, including hardware, software, and processes into one physical and logical location. Key concepts such as lifecycle management, auditing, and security could all be handled homogeneously from one centralized source.
While both approaches have proven to be effective, stark differences begin to appear when you delve deeper in to risk mitigation for costing, security and auditing purposes. Let’s dive deeper into some of the challenges associated with these types of KMSs.
Scalability and Efficiency
The use and volume of encryption keys is exploding in the digital age. As a result, companies are scrambling to meet this trend while maintaining secure control of their systems and data. The original forms of distributed KMSs quickly began to struggle to keep up with demand. The effort to keep synchronicity across multiple sites and the manpower required to maintain it quickly became unsustainable, not to mention the management of different encryption solutions across platforms.
Centralized key management can solve many of these issues. The core hardware and software exist in one location making the process of managing it simpler. Also, as new locations are added, they are integrated into the existing KMS instead of building out new infrastructure at the new site. There are inherent savings in terms of both implementation and maintenance costs.
Auditing and Security
Another key challenge with a KMS, is maintaining consistent security and compliance protocols across locations. Distributed systems handle this by taking the core policies and deploying them at each site. This method works as long as the deployment is consistent across locations. Additional audit steps must take place to ensure that is the case. Also, for each change in security and compliance, all sites will need to be updated individually. Follow up audit procedures will be required to ensure rollout was consistent across locations.
Centralized key management simplifies this process. The core security framework is handled at the centralized location. As new locations are added, they inherit the structure of the core. As security patches and policy updates are rolled out at the centralized location, they are automatically updated at remote sites.
This not only improves security operations but it also simplifies the approach to auditing and remediation. If the centralized site is in compliance then all remote sites should be as well.
Risk mitigation, in terms of cost, security and compliance are all simplified through centralized key management.
References and Further Reading
-
NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker
-
Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more
-
CKMS Product Sheet (2016), by Cryptomathic