Encryption is meant to protect information so that when it falls into the wrong hands, it is unusable.
But what happens when your private key gets compromised? From what we understand, encryption technology is only as good as its weakest link – in this case, your private key becomes one of the weakest links.
Consider that if someone gets their hands on your keys then they’ll be able to decipher the sensitive information that you intended to keep safe and secure. Thus, cryptography keys are one of the most crucial assets that any company has, with the value of the key being equal to that of your most vital data.
Nils Gerhardt, chief technology officer for Ultimaco, explains that key management systems (KSM) serve to simplify the management of an individual’s (and an organisation’s) passwords to help avoid mistakes such as using the same password to protect your Facebook and banking account.
“The whole idea of a key manager is – making the right key available to the right entity at the right time in an auditable fashion,” he added.
He pointed out that failing to manage keys may result in losing critical data, data compromise and failing compliance audits.
“The right key management policy along with the right key managers allows you to effectively protect your data and removes the false sense of security where one may feel safe when the door is locked and the key is hidden under the doormat (as a relatable, layman example).Nils Gerhardt
The most significant advancement in KMS
KSMs have been around for decades and will likely continue to be used by enterprises to help manage the proliferation of cryptographic keys.
Gerhardt recalls that traditional key management was all about managing keys for the on-prem assets. But cloud adaptation in recent years has skyrocketed and that makes one rethink their key management strategy.
“We have data everywhere and it must be protected. With so much data in heterogeneous environments, one ends up creating hundreds of thousands of keys and the management becomes a problem,” he added.
“A good idea is to have a key manager that allows you to manage keys for on-prem as well as cloud is vital to the success along with multi-cloud key management to avoid reliance on a single CSP,” he continued.
Conditions that warrant the use of KSM
According to the Cloud Security Alliance, a reliable KMS helps a business meet compliance and data control requirements, and benefits the overall security of the organisation.
But when does an organisation need a KSM?
Gerhardt posits that for any organisation with data to be protected, the proven protection mechanism is encryption and encryption without the right key management is worthless.
“In a nutshell, a key manager is a hygiene item, and everyone needs one to have full confidence that their data is safe,” he said.
KSM approach tailored to the organisation
One of the outcomes of the pandemic and the now accepted hybrid work has been the realisation of the value of decentralisation – where business departments have autonomy over programmes and solutions that help meet their business goals.
However, shared services functions such as accounting, HR, IT and security have long operated in a centralised model to take advantage of economies of scale. This centralised model potential brings with it inertia in executing change.
Asked whether a centralised or decentralised KSM is a workable approach, Gerhardt suggests a centralised KSM solution works for most organisations. He argued that centralised provides organisations with a single pane of glass and allows the InfoSec team to manage and control the data effectively.
“However, in certain use cases where there are autonomous systems or use cases that are completely driven by a different set of teams, decentralised has opted. A simple example of decentralised key management could be an infrastructure/enterprise key management solution for data at rest versus a payment-specific key management solution,” he elaborated.
The case for Hardware Security Module
At the core of current digital transformation initiatives is a greater reliance on software and IT services. Virtualisation has allowed organisations to develop new applications, and power new business models, that are unencumbered by prevailing hardware technology.
It acts as an invaluable resource for performing all sorts of cryptographic operations without exposing them on a network vulnerable to hacking attempts by malware or other malicious software programs. HSM could be a dedicated hardware system, inbuilt hardware, or just a plugin device.
According to IDC, "HSM-based information and data encryption technology are considered by most security experts to be the most robust technology to protect the confidentiality of information and data linked to the privacy of people. It is also considered to be the best instrument to be protected against cybercrime.
Where does a hardware solution in an environment that is mostly built around a services-centric software strategy?
Gerhardt believes that a true sense of security and control starts with the hardware. In following the compliance and best security guidelines, there are only three approaches that are allowed towards storing key material:
- Stored in the form of 2 or more components managed under the principles of dual access and split knowledge
- Encrypted under a higher-level key or Key Encryption Key (KEK)
- Stored in a tamper-evident and responsive Hardware Security Module.
“When and if something is stored in software, the odds of someone finding it or deciphering it are way more than the Hardware you have the ultimate protection via physical and local controls where the system is designed following the stringent guidelines defined by NIST PCI, etc,” he continued.
Guidelines for choosing the right key manager
Asked to recommend guidelines for choosing the right key manager for the organisation, Gerhardt shared the following:
- Secure – is it vetted by compliance agencies; has it been tested against one of the most stringent regulatory compliances for example – FIPS.
- Manageable – How easy is it to manage it? I would prefer something that is – do it once, do it right and forget forever kind of solution
- Available – is it clustered (Active-Active), does it provide enough fault tolerance, is the hardware reliable.
- Interoperable – Key management is all about integrations and one should choose the key manager that integrates with all my assets and have room for expansion
- Scalable – Does the key manager scale with my requirements and scale? I do not want to get into a situation where a key manager (due to the lack of features) is hindering my growth or slowing me down.
- Agile/Programmable – A KMS solution must be capable of accommodating today’s algorithm suites as well as tomorrow’s PQ algorithm suites. This is probably covered by Manish’s scalable bullet but opens the door a little more for you to talk about PQ and its impact on key management.
Click on the PodChat player and listen to Gerhardt elaborate on the importance of KSMs in today’s digital-centric business environment.
- Key management systems (KMS) – what are they and why do we need them?
- What is the most significant advancement in KMS in recent years?
- What business/operating conditions would warrant the use of KMS?
- Centralised vs Decentralised KSM – how to decide which is best for my operating model?
- In the digital economy where many business initiatives are reliant on software technology, why do we need a hardware-based solution such as HSM?
- Can you provide perhaps the top 3 guidelines when choosing a key manager?
- Long-term trends, quantum computing a real threat to our KSM strategies today?
- In addition to KMS and HSMs, are there other relevant trends and areas to consider?