In recent years, high-profile data breaches and identity thefts have grabbed countless headlines. The media coverage suggests it's an emerging problem, but unfortunately these cybercrimes and their frequency are nothing new. Instead, what's changed are the new laws, such as California law SB 1386, requiring organizations to notify individuals when unencrypted personal information has been—or at least is reasonably believed to have been—acquired by an unauthorized entity.
Driven by these laws and their safe-harbor protections, along with regulatory bodies such as the Payment Card Industry Data Security Standard (PCI-DSS), HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley (SOX), enterprises are rapidly adopting encryption to protect their customer data, trade secrets and intellectual property. As encryption becomes more widely adopted, organizations are also experiencing an increasing concern about the management of a growing set of encryption keys. Effective management of these keys is essential to ensure both the availability and security of encrypted information.
Two distinct systems can be leveraged to manage keys: enterprise key management (EKM) and integrated key management. The idea of EKM has emerged as an apparent panacea for addressing this management complexity. An EKM provides centralized management, including key generation, backup and recovery, to ensure data can always be recovered. It also provides the ability to manage and change keys throughout their life cycle.
Integrated key management, on the other hand, is the built-in key management system of a specific encryption solution (for example, a database encryption solution). An integrated key management system actively controls the methods by which keys are stored and accessed by an encryption solution.
EKM integrates passively with encryption solutions and their integrated key systems, meaning that the EKM cannot effect how the encryption solution's integrated key management system locally stores or controls access to keys and data. This creates a two-level management approach that has two different control points to ensure the security of keys.
To gain a grasp on this issue, understanding the integrated key management requirements of different encryption solutions is critical.
- Disk encryption: Effective integrated key management for disk encryption requires an ability to provide automatic password recovery for access to keys. Without access control to data, full-disk encryption addresses a limited subset of the data protection threat model, namely physical loss and re-provisioning (re-use, end of life, return to manufacturer, etc.).
- Tape encryption: Tape encryption requires the ability to map keys to tapes that move from location to location. In addition, the long-term retention of these tapes and the inability to easily rotate keys requires a long-term key store and role-based access control to the keys.
- Email encryption: Email encryption integrated key management requirements focus secure key distribution in a dynamic communication environment and the ability to create a searchable email archive.
- Database encryption: Database encryption integrated key management requirements are focused heavily on securing keys from system and database administrators. If the keys are accessible to administrators, the encryption implementation loses a major portion of its value.
- File encryption: File encryption integrated key management requirements typically involve tying an access-control policy to a key and maintaining that policy based on roles and groups. File encryption is typically implemented on file shares and flat files. These files are accessed by groups of ever-changing individuals in dynamically changing organizations. The ability to restrict system administrators from having access to keys is critical to ensure separation of duties.
Of course, as encryption becomes more widespread and the number of encryption endpoints continues to increase, requirements for consolidation and effectiveness of key management will continue to grow. Balancing the focus between integrated key management needs and centralized EKM needs will ensure that as more encryption is implemented, the overall enterprise key management problem is manageably contained.
So how do you achieve this balance in your enterprise? A few simple rules should be followed to ensure that management complexity does not become the central concern of your data security program.
Rule Number One: Understand the problems at hand
Typically, when organizations are concerned about key management, EKM seems to be the most apparent solution. But just as a chain is only as strong as its weakest link, an enterprise key manager is only as good as the integrated key management systems that utilize it. If any component downstream from a secure key manager exposes the key, or is not designed to cover a particular threat, you have not obtained a secure solution.
Understanding the major problems will help your organization get a grasp on whether EKM is a primary need, or whether a specific system requires better key management.
Rule Number Two: Create a strategy with the future in mind
The adoption of numerous point solutions for the enterprise can create an unmanageable problem. Each point solution for file encryption, database encryption, application encryption, disk encryption and storage encryption delivers a different security and policy management model with varying complexities and vulnerabilities.
Contributing to this problem is the fact that enterprises not only have numerous applications, but typically multiple versions of the same application. Some versions of the same application or database support encryption some don't. To further complicate matters, different versions of the same application or database often offer different encryption approaches that each require different controls to secure keys. Add to that, the mix of encrypting hardware devices such as disks and tapes and before long, it's very easy to find yourself in the position of having a large number of point solutions and an exploded number of integrated key management systems with which to grapple.
As standards-based key management becomes established, today's encryption solutions will evolve to utilize them. What's critical to focus on today is the richness of the security solution, the breadth of the threats it addresses, and the degree to which it protects keys.
Rule Number Three: Invest where it makes sense today
The quest for a universal key management standard is an important one but will take some time. The IEEE 1619.3 committee was created to provide a standards-based EKM solution for storage. This standard will provide a generalized framework for passive management of encryption keys. Passive management of encryption keys only solves a fraction of the overall key management problem, because, as previously stated, it does not ensure the security or proper handling of encryption keys by the encryption system. This is because a true security solution includes the ability to provide strong access control mechanisms, auditing and centralized management of the different security endpoints -- capabilities that are not addressed by the 1619.3 standard.
Once the first version of the standard is published, it will take a considerable amount of time for each EKM vendor to implement the standard. Furthermore, it will take additional time for the many different encryption endpoints to also adopt the standard thus allowing them to communicate with the EKMs.
Bottom line – focus your EKM efforts on the problems that truly require a centralized, independent key management system. Understand your costs for encryption system backup, rollover and recovery processes and compare them against the cost of integrating an API based EKM. You may be better off focusing your budget on better encryption and integrated key management at the endpoint.