Best Practice for Lifecycle Crypto Key Management

Organisations utilising cryptography for securing confidential information have the choice of hardware and software based solutions depending on the nature of the data in need of encryption. Arguably, the weakest link in the chain is the cryptographic keys used to encrypt and decrypt the data. This is due to the constantly increasing processing power of today’s computers and the length of time it may take to compromise the keys through an exhaustive key search. Therefore, these organisations must regularly revoke, update and distribute the keys to the relevant parties in order to reduce the risk of internal and external threats.

Many sectors, including banking and governmental, have the time consuming task of tracking and managing ever-increasing numbers of keys to ensure the right keys are in the right place at the right time. The vast amounts of keys needed for the daily operations of applications using crypto will lead to an army of administrators if the keys are managed manually. Hence, automated key management systems are now a necessity for these organisations if they are to keep on top of the workload, and reduce their admin costs.

Key management will come in many variations with some more suitable for enterprise settings while others are more scalable, designed for the huge numbers of keys as utilised in the banking industry. Different requirements need different solutions, however, there are some general issues which must be addressed if the implementation of such systems are to be successful in terms of functionality, compliance, availability and keeping costs at a minimum. A short list of best practice procedures is below:

• De-centralise encryption and decryption
• Centralised lifecycle key management
• Automated key distribution and updating
• Future proof – supporting multiple standards, e.g. PCI DSS, Sarbanes-Oxley and FIPS 140-2
• Support for all major hardware and software security modules to avoid vendor tie-in
• Flexible key attributes to eliminate paperwork
• Comprehensive searchable tamper evident audit logs
• Transparent and streamlined processes
• Base on open standards to Minimise development time when integrating new applications

With a system combining these elements, key management can eliminate many of the risks associated with human error and intentional attacks on the confidential data. It may also allow the flexibility for providing security for applications which might otherwise have been deemed too costly for cryptography.

Regardless of industry or solution an organisation may choose, the above list, at the very least, should be the cornerstone of any key management system, to not only enable a high level of security but to improve processes and provide short and long term savings.

Comments are closed.