Overcoming the Challenges of Enterprise Key Management

Let’s face it: Encryption key management can seem daunting. Sure, it’s easy to connect a hardware security module (HSM) to a database and generate a key, but that’s not how it works in the real world, where cryptography is mission-critical and mandated. Let’s talk pain points and dispel some of the myths. There are seven questions organizations need to ask themselves about how they want to handle key management:

  • How are keys stored? Within an HSM itself? Wrapped using a key that was generated in an HSM?
  • How are keys indexed? How are they organized so you know what you have?
  • How is the life cycle maintained?
  • How will you handle key rotation? Are there compliance requirements that dictate how frequently you must rotate those encryption keys?
  • How are audits performed on key material?
  • What is your ability to enact crypto-agility concepts?
  • What about key usage and export ability? How will you share keys with different organizations?
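The storage, indexing, life-cycle, rotation and audit questions above translate into a small data model. The Go program below is an added example written for this page, not Futurex's or any product's code. It assumes an in-memory key-encryption key (KEK) standing in for one that would stay inside an HSM, uses AES-GCM with the record's ID and version as associated data as the wrapping mechanism, and uses a constructed key ID ("db-pii"). Each record holds the key only in wrapped form, an explicit algorithm field (the hook for later crypto-agility), a creation time and rotation period, and a life-cycle state; every issue, rotation and unwrap is appended to an audit trail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Life-cycle states: active protects new data; deprecated is unwrap-only, for data still encrypted under it.
const StateActive, StateDeprecated = "active", "deprecated"

// KeyRecord is one index entry; the key is present only wrapped (nonce || AES-GCM ciphertext under the KEK).
type KeyRecord struct {
	Version        int
	Algorithm      string // recorded explicitly so an algorithm change is a tracked migration, not guesswork
	Created        time.Time
	RotationPeriod time.Duration
	State          string
	Wrapped        []byte
}

// Inventory is the key index plus an append-only audit trail; kek stands in for an HSM-resident KEK (assumption).
type Inventory struct {
	kek   cipher.AEAD
	keys  map[string][]*KeyRecord // key ID -> versions, oldest first
	Audit []string
}

func NewInventory(kek []byte) (*Inventory, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Inventory{kek: aead, keys: map[string][]*KeyRecord{}}, err
}

// aad binds a wrapped blob to its ID and version so it cannot be re-labelled as another key.
func aad(id string, version int) []byte { return []byte(fmt.Sprintf("%s:%d", id, version)) }

// Issue generates fresh 256-bit material, wraps it under the KEK and indexes it as the next version.
func (inv *Inventory) Issue(id, alg string, period time.Duration, now time.Time) error {
	version := len(inv.keys[id]) + 1
	buf := make([]byte, 32+inv.kek.NonceSize()) // material || nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	material, nonce := buf[:32], buf[32:]
	inv.keys[id] = append(inv.keys[id], &KeyRecord{Version: version, Algorithm: alg,
		Created: now, RotationPeriod: period, State: StateActive,
		Wrapped: inv.kek.Seal(nonce, nonce, material, aad(id, version))})
	inv.Audit = append(inv.Audit, fmt.Sprintf("issue id=%s version=%d alg=%s", id, version, alg))
	return nil
}

// RotationDue reports whether the newest version of a key has outlived its rotation period.
func (inv *Inventory) RotationDue(id string, now time.Time) bool {
	vs := inv.keys[id]
	return len(vs) > 0 && now.Sub(vs[len(vs)-1].Created) >= vs[len(vs)-1].RotationPeriod
}

// Rotate issues the next version, then retires the previous one to unwrap-only use.
func (inv *Inventory) Rotate(id string, now time.Time) error {
	vs := inv.keys[id]
	if len(vs) == 0 {
		return errors.New("unknown key id")
	}
	prev := vs[len(vs)-1]
	if err := inv.Issue(id, prev.Algorithm, prev.RotationPeriod, now); err != nil {
		return err
	}
	prev.State = StateDeprecated
	inv.Audit = append(inv.Audit, fmt.Sprintf("deprecate id=%s version=%d", id, prev.Version))
	return nil
}

// Unwrap recovers the plaintext of one version; every access lands in the audit trail.
func (inv *Inventory) Unwrap(id string, version int) ([]byte, error) {
	vs := inv.keys[id]
	if version < 1 || version > len(vs) {
		return nil, errors.New("unknown key id or version")
	}
	rec, ns := vs[version-1], inv.kek.NonceSize()
	inv.Audit = append(inv.Audit, fmt.Sprintf("unwrap id=%s version=%d state=%s", id, version, rec.State))
	return inv.kek.Open(nil, rec.Wrapped[:ns], rec.Wrapped[ns:], aad(id, version))
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for an HSM-resident KEK
	rand.Read(kek)
	inv, _ := NewInventory(kek)
	inv.Issue("db-pii", "AES-256-GCM", 90*24*time.Hour, time.Now())
	fmt.Println(inv.Audit)
}
```

Rotation here never destroys the previous version: it becomes unwrap-only so data already encrypted under it stays recoverable, and the state is recorded in every later audit entry that touches it. Binding the ID and version into the associated data means a wrapped blob copied into another record fails to unwrap, which is the kind of check a central index needs once keys are stored outside the HSM.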

These issues are what can make key management a critical—and sometimes daunting—element in your cryptographic architecture. If we look at how enterprises are approaching this today, think of it as a maturity level continuum. At one end, you have no key management model and at the other end, you have a centrally-managed key management infrastructure that is hardware-based—with several stages in between.

Needless to say, many organizations are somewhere in the middle (where they might be good, but not great). These organizations may have good technology and good security, but their key management tool or platform may not align with their overall goals. Some organizations need to be “secure enough” to meet their compliance or internal requirements—and they may be fine with a manual key management process. Some organizations need a more mature solution that includes life cycle management, robust audit logs and tracking of rotation policies for more functionality and manageability. Most enterprises’ goal is a centrally-managed key management infrastructure with enterprise-wide support for all use cases, policy enforcement around access to keys, automated key life cycle support, and CI/CD and application deployment integration.

How mature is your approach to key management? If it’s not where you want it to be, don’t fret. Over time, you can increase your organization’s maturity to better align with your organization’s overall risk posture and need for scalability and growth.

As organizations get larger and as their IT environments get more complex, they likely have a hardware-backed, centrally managed key management infrastructure, one that is distributed across multiple sites with full high availability. Many organizations are turning toward a more unified key management environment where both the key management application and functionality are natively paired with the HSM, without putting the burden of integration on the end user.

4 Common Enterprise Key Management Myths Dispelled

Myth: It all has to be done at once. Not so. Key management doesn’t need to be deployed in a dozen different areas inside the organization for it to be successful. A good practice is to take stock of what you have, figure out what use cases are going to be the most important for your organization and start with those.

Myth: It has to be difficult. Often, organizations overthink key management. It doesn’t tend to be easy, but it doesn’t necessarily have to be super difficult. For example, many organizations try to develop their own internal management tool, but then realize that the remainder of the architecture, automation, workflow, approval, cycle and other items are going to take nine months to do.

Myth: Go big or go home. A good key management solution should be one that’s able to scale alongside your organization—and grow over time—without requiring you to go in and completely re-engineer or repurchase a whole bunch of stuff.

Myth: I have to do it all myself. No, you don’t. Don’t reinvent the wheel. Find the right support, whether it’s with a solid vendor that can help you make some tricky decisions or with a consulting firm that specializes in key management deployment.

Integration and interoperability can be challenging in any IT and cybersecurity scenario. Everyone knows that it’s not always easy to swap out one tool for another and expect everything to just work, especially when dealing with different vendors. A best practice is to integrate the HSM and the key management application together, if possible. With some homework and a little research, organizations may well overcome the challenges of enterprise key management—before the wave of quantum computing is upon us!

Adam Cason

Adam Cason is vice president, global and strategic alliances, Futurex.

adam-cason has 1 posts and counting.See all posts by adam-cason