The amount of data that organizations handle is growing exponentially, and an increasing proportion of this data is sensitive in some way. Whether it is personally identifiable information (PII) covered under GDPR, CCPA, HIPAA, or other regulations, valuable intellectual property, or other confidential company data, encryption provides strong protection that renders the data useless should it be stolen by cyber criminals.
Every time you encrypt a piece of data, you need to use an “encryption key”. This encryption key is similar to a password — if you have this key, then you can decrypt the data. Therefore, the key acquires the same value as the data itself and must be protected accordingly. As you encrypt more and more data, you acquire more and more of these encryption keys, and the need to manage them properly becomes increasingly important.
If you don’t know where all your encryption keys are, who has access to them, what they are used for, and when they were last used, then you are not in full control of your keys. This leaves you vulnerable to a data breach, with potential consequences such as fines, loss of reputation, and a plummeting share price. So, how do you get such visibility, and how do you stay in control and pass compliance audits as the number of keys continues to increase? And how do you prevent a disgruntled employee from deleting encryption keys and rendering your data permanently inaccessible?
In this article, we look at ten key management practices that are important for staying in control. For more detailed information, the National Institute for Standards and Technology (NIST) Recommendation for Key Management SP 800–57 Parts 1–3 is widely regarded as the most authoritative source.
1. Algorithms and key sizes
It is important that the correct algorithm and key size are selected for each encryption key. This will depend on the intended usage and should take into account a number of factors such as security, performance, interoperability, lifespan, etc. These choices should be made by an experienced cryptographic consultant.
- Algorithm: depending upon the use case, either a symmetric algorithm (such as AES) or an asymmetric algorithm (such as RSA or ECDSA) should be selected.
- Key size: the larger the key, the more secure it is and the longer it will provide protection, but performance may be impacted (especially with large asymmetric keys). The choice of key size (typically 128 or 256 bits for AES keys, or 2,048 or 4,096 bits for RSA keys) should therefore be made carefully.
- Agility: be prepared to change algorithms and/or key sizes, as algorithms become weaker over time. Be aware of the threat of quantum computing and be prepared to shift to new post-quantum algorithms when necessary.
2. Key lifecycle management
Each encryption key has a lifecycle — it is created, has a working lifespan, and finally reaches the end of its useful life. Each of the following steps must be properly controlled:
- Key generation: it is important that keys are cryptographically strong. Like a good password, this requires a high degree of randomness. Software or hardware incorporating a NIST-certified random number generator should be used.
- Key rotation: in the same way that passwords should be updated periodically, it is good practice to update (or “rotate”) encryption keys periodically. The frequency of rotation depends on the type of key and how and where it is used.
- Key retirement: when no longer required, a key should be retired. Generally, this means permanently deleting it to ensure there is no further risk and to reduce the number of active keys being managed.
3. Secure storage
Given the high value of encryption keys, they are an attractive target to cyber criminals, especially where multiple keys are stored in the same place. Best practice is to utilize a hardware security module (HSM) to store keys, as these provide very strong physical and logical security protection and are typically validated to the NIST FIPS 140–2 security requirements for cryptographic modules.
4. Access Control
Keys should only be available on a need-to-know basis. Users must therefore be properly authenticated and authorized to access, manage, and use encryption keys.
Role-based access controls (RBAC) should be used to restrict permissions according to each user’s specific needs, enabling segregation of duties (aka separation of duties) to minimize the risk and/or impact of malicious activities.
For particularly sensitive keys, critical operations (such as key usage, rotation, or deletion) should utilize the dual control (aka four eyes) principle. This requires that a minimum of 2 people (or more generally, a quorum of “m of n” people) must approve the operation before it can happen.
5. Secure Distribution
Keys must often be distributed from their point of creation to the system where they will be used. This should ideally be done with a purpose-built secure API such as the Key Management Interoperability Protocol (KMIP). In any case, on-line key distribution should always be secured by “wrapping” (i.e. encrypting) keys using a transport key and/or using a secure, encrypted, and authenticated communications channel (e.g. TLS).
Where it is necessary to transport a key offline, it should be wrapped under a secure transport key and/or split the key into 2 or 3 components — this employs the “split knowledge principle” to ensure that no individual has access to more than one component, which is useless without the other component(s).
6. Key Usage
Keys should only be used for the purpose they were intended. Best practice is to restrict the permissions on each key so that it may only be used for that purpose (e.g. encryption, decryption, signing, verification, wrapping, unwrapping, etc.). If the key must be distributed to another system, there are various “key block” formats such as ASC X9 TR-31 (used in the payments industry) that bind the permissions to the key.
However keys are stored, it is important that they are always available when needed, otherwise, it will be impossible to use any data that has been encrypted. Thus, high availability is a critical design factor. Similarly, it is important that keys are protected against accidental loss, as this will render the data permanently inaccessible, hence secure backup is another critical consideration.
8. Audit logs
Audit logs should be kept, maintaining a complete history of each key, including creation, usage, and deletion. Every operation should be recorded with information about the action performed, who or what performed it, and when it happened. This is important for compliance audits, but also for forensic investigations should a key ever become compromised. Integration with SIEM tools is useful for combining multiple logs and for further analysis and reporting.
To ensure that best practices are followed, it is important that all key management operations are performed according to strict and well-defined processes. Staff should be properly trained on relevant procedures, and regular audits performed to ensure proper compliance. Processes should be in place to manage the consequences of a key that is suspected or known to be compromised.
10. Centralized Key Management System
As organizations encrypt more and more data, it becomes increasingly difficult to manage keys using manual processes or a fragmented set of different tools, owned and operated by different teams — this simply doesn’t scale. Once you have hundreds or thousands of encryption keys, a centralized key management system (KMS) becomes a necessity.
A centralized KMS helps with:
- Secure and efficient key generation, storage, and distribution
- Enforcing policies and procedures, such as access controls, segregation of duties, and split knowledge
- Simplifying management processes and automating common tasks
- Ensuring keys are highly available and always backed up
- Maintaining a comprehensive audit log
Overall, a centralized KMS helps to reduce risk, improve efficiency, and ensure compliance. However, it is important to select a solution that can fully meet your needs, now and into the future — Reach out to us at firstname.lastname@example.org to get a free copy of the “Fortanix Key Management and Data Security Buyer’s Guide” and get further advice on selecting the right KMS for your organization.
Originally published at https://fortanix.com.