
PodChats for FutureCIO: Securing data with key management systems

by Allan Tan
November 15, 2022

Encryption is meant to protect information so that when it falls into the wrong hands, it is unusable.

But what happens when your private key gets compromised? From what we understand, encryption technology is only as good as its weakest link – in this case, your private key becomes one of the weakest links.

Consider that if someone gets their hands on your keys, they will be able to decipher the sensitive information that you intended to keep safe and secure. Thus, cryptographic keys are among the most crucial assets that any company has, with the value of the key being equal to that of your most vital data.

Nils Gerhardt, chief technology officer for Utimaco, explains that key management systems (KMS) serve to simplify the management of an individual’s (and an organisation’s) passwords to help avoid mistakes such as using the same password to protect your Facebook and banking account.

“The whole idea of a key manager is – making the right key available to the right entity at the right time in an auditable fashion,” he added.

He pointed out that failing to manage keys may result in losing critical data, data compromise and failing compliance audits.

“The right key management policy along with the right key managers allows you to effectively protect your data and removes the false sense of security where one may feel safe when the door is locked and the key is hidden under the doormat (as a relatable, layman example).”

Nils Gerhardt

The most significant advancement in KMS

KMSs have been around for decades and will likely continue to be used by enterprises to help manage the proliferation of cryptographic keys.

Gartner predicts that by 2025, 70% of new access management, governance, administration and privileged access deployments will be converged identity and access management platforms.

Gerhardt recalls that traditional key management was all about managing keys for on-prem assets. But cloud adoption has skyrocketed in recent years, and that makes one rethink their key management strategy.

“We have data everywhere and it must be protected. With so much data in heterogeneous environments, one ends up creating hundreds of thousands of keys and the management becomes a problem,” he added.

“A good idea is to have a key manager that allows you to manage keys for on-prem as well as cloud; this is vital to success, along with multi-cloud key management to avoid reliance on a single CSP,” he continued.

Conditions that warrant the use of KMS

According to the Cloud Security Alliance, a reliable KMS helps a business meet compliance and data control requirements, and benefits the overall security of the organisation.

But when does an organisation need a KMS?

Gerhardt posits that for any organisation with data to be protected, the proven protection mechanism is encryption, and encryption without the right key management is worthless.

“In a nutshell, a key manager is a hygiene item, and everyone needs one to have full confidence that their data is safe,” he said.

KMS approach tailored to the organisation

One of the outcomes of the pandemic and the now-accepted hybrid work model has been the realisation of the value of decentralisation – where business departments have autonomy over programmes and solutions that help meet their business goals.

However, shared services functions such as accounting, HR, IT and security have long operated in a centralised model to take advantage of economies of scale. This centralised model potentially brings with it inertia in executing change.

Asked whether a centralised or decentralised KMS is a workable approach, Gerhardt suggests a centralised KMS solution works for most organisations. He argued that a centralised approach provides organisations with a single pane of glass and allows the InfoSec team to manage and control the data effectively.

“However, in certain use cases where there are autonomous systems or use cases that are completely driven by a different set of teams, decentralised is opted for. A simple example of decentralised key management could be an infrastructure/enterprise key management solution for data at rest versus a payment-specific key management solution,” he elaborated.

The case for Hardware Security Module

At the core of current digital transformation initiatives is a greater reliance on software and IT services. Virtualisation has allowed organisations to develop new applications, and power new business models, that are unencumbered by prevailing hardware technology.

A Hardware Security Module (HSM) is a cryptographic hardware system designed to perform encryption and decryption operations in a highly secured environment.

It acts as an invaluable resource for performing all sorts of cryptographic operations without exposing them on a network vulnerable to hacking attempts by malware or other malicious software programs. An HSM could be a dedicated hardware system, inbuilt hardware, or just a plugin device.

According to IDC, "HSM-based information and data encryption technology are considered by most security experts to be the most robust technology to protect the confidentiality of information and data linked to the privacy of people. It is also considered to be the best instrument to be protected against cybercrime."

Where does a hardware solution fit in an environment that is mostly built around a services-centric software strategy?

Gerhardt believes that a true sense of security and control starts with the hardware. In following the compliance and best security guidelines, there are only three approaches that are allowed towards storing key material:

  1. Stored in the form of 2 or more components managed under the principles of dual access and split knowledge
  2. Encrypted under a higher-level key or Key Encryption Key (KEK)
  3. Stored in a tamper-evident and responsive Hardware Security Module.

“When and if something is stored in software, the odds of someone finding it or deciphering it are way more than with hardware, where you have the ultimate protection via physical and local controls where the system is designed following the stringent guidelines defined by NIST, PCI, etc.,” he continued.
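The first storage approach in the list above (two or more components under dual access and split knowledge) can be sketched as follows. This is an added example, not code from the article or the interviewee; it uses XOR components, and the truncated SHA-256 check value and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> str:
    # Assumption: truncated SHA-256 stands in for a key check value, so
    # custodians can confirm a correct rebuild without viewing the key.
    return hashlib.sha256(b"kcv-demo" + key).hexdigest()[:16]


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """One full-length component per custodian; XOR of all equals key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least 2 components")
    # Every component but the last is uniformly random, so any subset
    # short of the full set carries no information about the key.
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    parts.append(reduce(xor_bytes, parts, key))
    return parts


def combine(components: list[bytes], expected_check: str) -> bytes:
    """Rebuild the key; refuse if a component is missing or mistyped."""
    if len(components) < 2:
        raise ValueError("dual access: at least 2 custodians required")
    key = reduce(xor_bytes, components)
    if check_value(key) != expected_check:
        raise ValueError("check value mismatch: wrong or missing component")
    return key


def demo() -> bool:
    master = secrets.token_bytes(32)      # constructed sample key
    kcv = check_value(master)
    parts = split_key(master, 3)
    assert combine(parts, kcv) == master  # all three custodians present
    try:
        combine(parts[:2], kcv)           # one custodian absent
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("rebuild blocked without all components:", demo())
```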

Guidelines for choosing the right key manager

Asked to recommend guidelines for choosing the right key manager for the organisation, Gerhardt shared the following:

  1. Secure – Is it vetted by compliance agencies? Has it been tested against one of the most stringent regulatory compliances, for example FIPS?
  2. Manageable – How easy is it to manage it? I would prefer something that is a do it once, do it right and forget forever kind of solution.
  3. Available – Is it clustered (Active-Active), does it provide enough fault tolerance, is the hardware reliable?
  4. Interoperable – Key management is all about integrations and one should choose the key manager that integrates with all my assets and has room for expansion.
  5. Scalable – Does the key manager scale with my requirements and scale? I do not want to get into a situation where a key manager (due to the lack of features) is hindering my growth or slowing me down.
  6. Agile/Programmable – A KMS solution must be capable of accommodating today’s algorithm suites as well as tomorrow’s PQ algorithm suites. This is probably covered by Manish’s scalable bullet but opens the door a little more for you to talk about PQ and its impact on key management.

Click on the PodChat player and listen to Gerhardt elaborate on the importance of KMSs in today’s digital-centric business environment.
  1. Key management systems (KMS) – what are they and why do we need them?
  2. What is the most significant advancement in KMS in recent years?
  3. What business/operating conditions would warrant the use of KMS?
  4. Centralised vs Decentralised KMS – how to decide which is best for my operating model?
  5. In the digital economy where many business initiatives are reliant on software technology, why do we need a hardware-based solution such as HSM?
  6. Can you provide perhaps the top 3 guidelines when choosing a key manager?
  7. Long-term trends, quantum computing a real threat to our KMS strategies today?
  8. In addition to KMS and HSMs, are there other relevant trends and areas to consider?

Allan Tan

Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.

Previous roles: He served as Group Editor-in-Chief for Questex Asia concurrent to the Regional Content and Strategy Director role. He was the Director of Technology Practice at Hill+Knowlton in Hong Kong and Director of Client Services at EBA Communications. He also served as Marketing Director for Asia at Hitachi Data Systems and served as Country Sales Manager for HDS’ Philippines. Other sales roles include Encore Computer and First International Computer. He was a Senior Industry Analyst at Dataquest (Gartner Group) covering IT Professional Services for Asia-Pacific. He moved to Hong Kong as a Network Specialist and later MIS Manager at Imagineering/Tech Pacific. He holds a Bachelor of Science in Electronics and Communications Engineering degree and is a certified PICK programmer.


Copyright © 2022 Cxociety Pte Ltd | Designed by Pixl
