From centralization to automation, here’s your 12-step guide to being more proactive with your enterprise’s encryption key management
“What’s the first thing I need to protect data stored on our server?” If you ask this question of anyone involved in data security, there’d be a one-word answer on the lips of all: “Encryption.” That’s because it’s perhaps the only way anyone who’s collecting sensitive data can secure it.
Thanks to high-profile data losses and regulatory compliance standards, the use of encryption is on the rise across enterprises of all sizes. A single enterprise can deploy encryption at many different levels and channels, including to secure websites, email communications, and user and organizational data. As a result, a medium to large enterprise could be dealing with potentially thousands of encryption keys at any given time.
Frankly, that’s a lot for any one person (or even a team) to handle. The security of each key is important, and that’s why there must be proper enterprise encryption key management policies in place.
In this article, we’ll talk about different industry encryption key management standards. After that, we’ll cover the 11 best practices for managing encryption keys within your organization.
Let’s hash it out.
Why Does Strong Encryption Key Management Matter?
As you know, encryption is the process of scrambling the data so that only the intended party/organization can access it. This process is done through the use of security tools known as encryption keys or cryptographic keys. Each key consists of a randomly generated string of bits that are used to encrypt (and/or decrypt) data. So, if you consider encryption as locking down your data, encryption keys are an integral part of that process.
The National Institute of Standards and Technology (NIST) put it best in its Special Publication 800-57 part 1, rev. 5:
“Cryptographic keys play an important part in the operation of cryptography. These keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. The proper management of cryptographic keys is essential to the effective use of cryptography for security. Poor key management may easily compromise strong algorithms.”
If your encryption keys get compromised, you’ll find yourself in hot water. That’s because someone could use those keys to:
- Create phishing websites impersonating your original website;
- Pass through your corporate networks by impersonating you or your employees;
- Sign applications or documents in your name;
- Extract/tamper with the data stored on the server; and/or
- Read your encrypted emails and do any number of nefarious things.
If a cyber perpetrator has your keys, they can do any — or all — of that to their benefit and your detriment. They can use your keys to make money by asking for ransom, sell your data to your competitors, or share them on public platforms and ruin your reputation.
No organization wants any of that to happen. That’s why encryption key management should be one of your top priorities as far as data security and privacy is concerned.
The Advantages of Implementing Encryption Key Management Tools and Strategies
Having visibility of any certificates and keys that exist within your systems is an integral part of effective data security. But apart from the security, other undeniable advantages of robust encryption key management include:
- More efficient key distribution/mobility.
- Greater visibility and control of keys for effective key management.
- Less back and forth between your employees, customers, and IT department.
- Reducing costs due to automation.
- Mitigating downtime and related noncompliance penalties.
- Reducing data loss.
So, What Is Encryption Key Management?
Many people have a misconception when it comes to the term “encryption key management” as they think of it as equal to storing encryption keys securely. It might be partly true as secure saving of encryption keys is a part of encryption key management, but not the whole of it. Encryption key management involves all tasks and methods involved with encryption keys — starting from key generation to its destruction.
Encryption key management encompasses:
- Developing and implementing a variety of policies, systems, and standards that govern the key management process.
- Performing necessary key functions such as key generation, pre-activation, activation, expiration, post-activation, escrow, and destruction.
- Securing physical and virtual access to the key servers.
- Limiting user/role access to the encryption keys.
Do I Need to Protect My Encryption Keys?
In a word? Yes. Securely storing your encryption keys through strong encryption management processes is paramount. As stated in NIST SP 800-57 part 1, rev. 5:
“Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of cryptographic mechanisms and protocols associated with the keys, and the protection provided to the keys. Secret and private keys need to be protected against unauthorized disclosure, and all keys need to be protected against modification.”
The strength of an encryption method might be determined by the mathematical algorithms it applies. This isn’t a huge matter of concern, though, as most encryption methods come with the latest security algorithms. The more significant issue of concern is how cryptographic keys are stored and managed.
I just don’t get it when people ask whether they need to put efforts into securing and managing their private keys. I have a straightforward question to anyone who asks that question: “Would you hide your house key under the doormat if you knew criminals wanted to break in?” The thing about data encryption is that it’ll be of no use if you lose your encryption key. So, if you manage/store sensitive data, you need encryption, and therefore, you need to protect your encryption keys. It’s as simple as that!
Before You Think of Encrypting Your Data…
I have a tip that’s going to make your job a whole lot easier: Not everything needs to be encrypted. So, figure out which data you actually need to encrypt because it’s sensitive and you need to store or transmit it. Then, only encrypt the data you truly need and securely dispose of the rest.
Requirements of Enterprise Encryption Key Management
Encryption is necessary, and so are the encryption keys. But the requirement of a reliable enterprise key management system isn’t just about protecting the keys; it’s much more than that. Here are four basic encryption key management requirements to consider before designing an action plan:
1. Security: You must ensure the protection of your encryption keys at all costs. The threats are not just from the outside, but they could also be from the inside. Your security mechanism should be prepared to handle that.
2. Scalability: The amount of data that an enterprise has typically only moves in one direction — upwards. Therefore, your encryption key management system must be prepared to manage encryption keys effectively as the amount of available information grows.
3. Access: Encryption keys exist to encrypt the data and, therefore, you must ensure that the keys are granted access in a smooth manner to appropriate users.
4. Compliance: The encryption key management ecosystem in your organization must be built on solid foundations of appropriate policies and standards. You must ensure that you comply with the National Institute of Standards and Technology’s Recommendation for Key Management (SP 800-57 Part 1) that we mentioned earlier.
Enterprise Encryption Key Management Best Practices
Now, here comes the part you’ve been waiting for — our list of the top dozen key management best practices for your enterprise. Instead of going by a set standard or system, we’ve tried to cherry-pick the best practices you could implement for better key management inside your organization. Let’s get started!
1. Centralize Your Encryption Key Management Systems
These days, many companies use hundreds or even thousands of encryption keys. According to a 2020 report by KeyFactor and the Ponemon Institute, “60% of respondents believe they have more than 10,000 certificates in use across their organization.” The secure storage of these keys becomes tricky as you need to get immediate access on many occasions. That’s where centralized storing of encryption keys comes into play.
Ideally, companies should adopt centralized, in-house enterprise key management services. However, this may not always be possible for all organizations as they might not have the sophisticated technical capabilities to do so. Such companies can benefit greatly by using third-party encryption key management services. These services securely store all encryption keys and digital certificates in a safe key vault, away from the data and systems that have been encrypted. This is advantageous from the security viewpoint as the keys remain protected even if the data somehow gets compromised. As the encryption keys are kept centrally, it minimizes the number of places where keys could get exposed to attackers.
The centralized approach is undoubtedly beneficial in terms of security, but it also improves performance as encryption-decryption processes happen locally where the data is stored. At the same time, the generation, secure storage, rotation, export, and retirement of keys are handled by the key manager, which is not at the location of the data.
2. Use Automation to Your Advantage
Automation isn’t just for digital certificate management. One of the smartest approaches to encryption key management is using automation for the purpose of generating key pairs, renewing keys and rotating keys at set intervals. Relying solely on manual key management is not just time consuming, it’s also an expensive process that often leads to mistakes — particularly at scale for enterprises and other large organizations.
3. Centralize User Roles & Access
Some organizations might be using thousands of encryption keys, but not all employees need to have access to all of those keys. Therefore, encryption key access should only be given to those whose jobs require it. You should define these roles in the centralized key manager so that only the authenticated users will be given credentials to get access to the encrypted data which are associated with that particular user profile.
Furthermore, make sure that no single user or administrator has sole access to the key. This provides a backup mechanism in case a user loses their credentials or leaves the company unexpectedly.
4. Support Multiple Encryption Standards
Every organization that encrypts and/or stores the data must choose a particular encryption standard for the processes of encryption and decryption. However, that doesn’t mean that other standards won’t be of any use. In the case of mergers, acquisitions or partnerships, you might need to work with organizations that require support for different cryptographic standards, such as AES, RSA, etc. That’s why the security solution that you select must support multiple encryption standards.
5. Implement Robust Logging & Auditing
When you’re dealing with tons of data and are juggling a massive number of encryption keys, you can’t keep your eye on every key and user. So, although you’ll be storing keys at a central location, there must be logging and auditing to support the democratization of those keys.
Supporting this democratization is necessary to ensure that there’s a smooth encryption key management system in place. However, it doesn’t mean that you can’t do anything about it. You can (and you must) keep extensive automatic logging of all the activities performed by users. This should include details of access to sensitive data, user, encryption resource used, data accessed, time, etc. These logs will help you immensely in the event that something goes wrong.
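The role-based access from practice 3 and the logging described above can be combined in one gate, shown here as an added example that is not part of the original article. The role names, accounts, key names and the `request_key_op` interface are all constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed policy: role -> key name -> operations that role may perform.
POLICY = {
    "payments-app": {"card-key": {"encrypt", "decrypt"}},
    "reporting":    {"card-key": {"decrypt"}},
    "key-admin":    {"card-key": {"rotate"}},
    "hr-admin":     {"hr-key": {"encrypt", "decrypt", "rotate"}},
}
# Constructed accounts: user -> role.
USERS = {"svc-pay": "payments-app", "bi-job": "reporting",
         "alice": "key-admin", "bob": "key-admin", "carol": "hr-admin"}
AUDIT_LOG = []  # in production: append-only storage kept off the key server

def request_key_op(user, key, op, data_ref, now=None):
    """Allow the operation only if the user's role grants it; log every attempt."""
    role = USERS.get(user)
    allowed = op in POLICY.get(role, {}).get(key, set())
    AUDIT_LOG.append(json.dumps({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user, "role": role, "key": key, "op": op,
        "data": data_ref, "outcome": "allow" if allowed else "deny"}))
    return allowed

def denied_attempts(log_lines):
    """Review helper: count denied requests per (user, key) pair."""
    counts = {}
    for line in log_lines:
        entry = json.loads(line)
        if entry["outcome"] == "deny":
            pair = (entry["user"], entry["key"])
            counts[pair] = counts.get(pair, 0) + 1
    return counts

def sole_access_keys():
    """Keys that exactly one account can use: losing that account strands the key."""
    holders = {}
    for user, role in USERS.items():
        for key in POLICY.get(role, {}):
            holders.setdefault(key, set()).add(user)
    return sorted(k for k, users in holders.items() if len(users) == 1)
```

Denied requests are logged as well as allowed ones, so a review of the log shows who tried to use a key outside their role, and `sole_access_keys()` flags keys that depend on a single account.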
6. Create an Encryption Key Management Policy for Employees
By assigning user roles and their encryption key access, you’re limiting the places of exposure. However, that’s only half of the work done, as the people who’re going to be accessing the keys must have a set of instructions/policies to guide them about what to do and what not to do. These policies must be implemented as strongly as an agreement so that everyone thinks through every decision carefully. It’s also in your best interest to set up a separate training session to communicate each point with great emphasis.
7. Implement the Principle of Least Privilege
Organizations should avoid assigning administrative privileges to applications as much as possible, as this makes apps extremely vulnerable to internal as well as external threats. Instead, they should give access based on the user role. This is called the “principle of least privilege,” or POLP for short. This way, the access is limited and so is the potential damage.
8. Integrate with Third-Party Devices
Every organization is going to use external devices – whether in large numbers or small. These devices are spread across the network to perform particular functions using proprietary tools. Typically, they don’t have database-oriented applications and, therefore, don’t interact with the databases. Therefore, to facilitate the features of these tools, the encryption mechanism that you deploy must be compatible to work with these third-party tools or applications.
9. Back Up Your Encryption Keys
If you lose an encryption key, then it’s most likely that you won’t be able to recover data encrypted using it. Thus, it’s quite essential that you have effective key backup capabilities in place. While backing up the data, you must ensure that it’s been encrypted using the most advanced encryption standards. Moreover, you must also ensure regular deletion of the expired keys.
10. Protection of the Key Manager & Recovery of Deleted Keys
The keys that you’ve stored in a centralized key manager are your treasure, and you must protect them at all costs. Therefore, you must implement robust security mechanisms to ensure that your keys remain protected against various kinds of threats and attacks. But what if one of the threats you’re facing is your own mistake?
This is why it’s critical that you have a provision for encryption key recovery. The loss of the encryption key results in the loss of data. Therefore, regardless of whether a malicious actor deletes a key or you delete it by mistake, there should be a provision to recover any deleted keys.
11. Be Prepared to Handle Accidents
No matter how many policies you implement or mechanisms you apply, things will go wrong at some point. And your organization must be prepared to handle them. For example:
- A user could lose credentials to their key.
- An employee could leave (or get fired from) the company.
- Keys could be compromised.
- Encryption algorithms could be flawed.
- You could accidentally publish your private keys on GitHub.
Such accidents could happen, and you should identify all possibilities before they actually occur and take precautionary measures. There should be continuous auditing of the security infrastructure to minimize such incidents.
12. Rotate Your Keys: No Decryption/Re-Encryption
One of the big questions that arises in organizations dealing with large databases is the expiration/change of the encryption keys. To tackle this issue, we recommend assigning a key profile to each encrypted data field or file. The key profile allows you to identify the encryption resources that must be used to decrypt the database. As a result, you don’t have to decrypt and then re-encrypt data when keys change or expire.
Whenever the key expires or gets replaced, the key profile will ensure that the new key is used to encrypt the data. For the data that already exists, the key profile will identify the original key.
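One way to realize a key profile, as an added example that is not from the original article: each encrypted field carries the ID of the key that produced it, so new writes use the newest key while old fields still decrypt with their original key. The `KeyRing` class and the blob layout are assumptions, and the cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with a MAC), not AES.

```python
import hashlib, hmac, os

def _sub(key, label):  # separate subkeys for encryption and for the MAC
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only the
    # standard library; production code would use AES-GCM from a vetted library.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def key_id_of(blob):
    """Read the key profile: the 4-byte key ID stored in front of every field."""
    return int.from_bytes(blob[:4], "big")

class KeyRing:
    """Constructed in-memory key manager: versioned keys, one active for new writes."""
    def __init__(self):
        self.keys, self.active_id = {}, 0
        self.rotate()

    def rotate(self):
        """Create a new key and make it active; older keys remain for reads."""
        self.active_id += 1
        self.keys[self.active_id] = os.urandom(32)
        return self.active_id

    def retire(self, key_id, stored_blobs):
        """Destroy a key only if it is inactive and no stored field still names it."""
        if key_id == self.active_id or any(key_id_of(b) == key_id for b in stored_blobs):
            raise ValueError(f"key {key_id} is still in use")
        del self.keys[key_id]

    def encrypt(self, plaintext):
        key, nonce = self.keys[self.active_id], os.urandom(16)
        body = self.active_id.to_bytes(4, "big") + nonce
        body += _xor_stream(_sub(key, b"enc"), nonce, plaintext)
        return body + hmac.new(_sub(key, b"mac"), body, hashlib.sha256).digest()

    def decrypt(self, blob):
        key = self.keys[key_id_of(blob)]  # the profile selects the original key
        body, tag = blob[:-32], blob[-32:]
        good = hmac.new(_sub(key, b"mac"), body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("authentication failed")
        return _xor_stream(_sub(key, b"enc"), body[4:20], body[20:])
```

The `retire` guard reflects the point made under practices 9 and 10: a key is destroyed only after no stored field references it, because losing the key means losing the data.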
Final Word on Encryption Key Management
From afar, enterprise key management might seem like eating an elephant. However, it doesn’t have to be that complex (or exhausting). If you’re able to create strong policies, enable robust access control, and implement centralized management, robust encryption key management can be made possible in even the most complex of environments.
After all, your organization, employees and customers deserve the efficiency, security and privacy that strong enterprise key management offers.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Jay Thakkar. Read the original post at: https://www.thesslstore.com/blog/12-enterprise-encryption-key-management-best-practices/