Everything You Need to Know about Encryption Key Management
To provide effective data protection and application defense and remain in compliance, organizations today need to protect their most critical data as it is created, transmitted, and stored. This requires companies to successfully encrypt this data, a process that raises its own challenges related to encryption key management and effectively implementing a key management server (KMS) solution. This article examines the challenges associated with encryption key management while demonstrating how our ARIA KMS solution can overcome them.
Data encryption is growing in adoption, but has proven to be ineffective
So how does encryption work? Encryption, which may also be referred to as crypto, is a well-known technique to protect data, and is a fairly straightforward concept to understand: Users want to make data or content unreadable, except to those who are allowed to see it. To do this, a key scrambles the text into illegible ciphertext, and when prompted decrypts it, or translates it back, to the original format.
As encryption technologies have continued to evolve over the years, adoption is growing faster than ever. According to a 2016 Ponemon Institute survey, 41% of companies are now implementing data encryption. This represents a 7% increase from the prior year and the largest jump in the survey’s 11-year history.
All of this seems great, yet what is troubling is the fact that in a number of recent high profile attacks, the organization’s data actually was encrypted in some capacity, yet it was still compromised.
What is Encryption Key Management and KMS?
Key management servers (KMS) are used to administer the full lifecycle of cryptographic keys and protect them from loss or misuse. KMS solutions, and other Key Management Solutions, ultimately control the generation, usage, storage, archival, and deletion of encryption keys. Additionally, to fully protect their loss or misuse, companies must limit access to these keys, either by restricting physical access or controlling user access by creating clear and defined roles.
To think of it another way, here’s a quote about encryption key management from the NIST and its Recommendation for Key Management solutions technical report that puts KMS in a slightly different context:
“The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.”
What are the critical components performed by key management servers?
To ensure that your online data remains protected, it’s critical to understand the different components of an encryption key management service, so that you know the right questions to ask when evaluating new and existing types of KMS technologies.
- Key storage: As a general principle, the person or company who stores your encrypted content should not also store the keys encrypting that content (unless you’re comfortable with them accessing your data).
- Policy management: While the primary role of encryption keys is to protect data, they can also deliver powerful capabilities to control encrypted information. Policy management is what allows an individual to add and adjust these capabilities. For example, by setting policies on encryption keys, a company can revoke, expire, or prevent the sharing of the keys, and thus of the unencrypted data, too.
- Authentication: This is needed to verify that the person given a decryption key should, in fact, be allowed to receive it. When encrypting digital content, there are several ways to achieve this.
- Authorization: Authorization is the step that verifies the actions that people can take on encrypted data once they’ve been authenticated. It’s the process that enforces encryption key policies and ensures that the encrypted content creator has control of the data that’s been shared.
- Key transmission: This is the final step in the overall encryption key management process and is related to how keys get transmitted to the people who need them yet still restrict access to those who don’t.
Related Resource: Easily Encrypt VMware vSphere Environments with ARIA KMS
Why is encryption key management so hard?
Digital information must remain readily accessible to the many people with whom it is shared. In order for that to effectively occur, encryption keys must be easily and safely distributable at scale. In a traditional key management model, whenever a key expires, employees (usually IT) are responsible for manually updating them—as well as managing the organization’s entire set of keys.
What’s more, the number of methods that we use to communicate online is constantly growing. Even though we create encrypted files on one storage application, we might also need to share those same files; for example, in an email attachment or by using a different storage tool. Encryption keys don’t always work when applied to different platforms, which means we often must manage multiple key exchanges for the same piece of data.
These efforts are usually extremely time-consuming and take valuable time away from employees who could use it to focus on higher value IT initiatives. Worse, a faulty key management practice can lead to the loss of keys, and may even result in a hacker obtaining them and using them to access confidential data.
Encryption key management misconceptions
Even beyond all of these challenges on how to securely implement an encryption key management system, there are also two common encryption misconceptions:
- “If a vendor encrypts your data, they won’t be able to access it.” This is not true. Even if a third party vendors, like Amazon AWS or Microsoft Azure, promise to make your data unreadable to unauthorized parties, most vendors still retain access to your unencrypted content.
- “If you encrypt, hackers cannot get access to your data.” Unfortunately, it’s virtually impossible to guarantee this, especially in today’s world.
Ineffective encryption key management can lead to compliance issues
Additionally, inefficient encryption key management practices may even lead to new security vulnerabilities, such as updating system certificates or locating those systems that need to be updated. It also makes it extremely difficult to comply with industry regulations.
For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that merchants protect sensitive cardholder information from loss and use good security practices to detect and protect against security breaches. PCI DSS has very specific guidance related to encryption keys and key management services.
For example, various subsections of PCI DSS call for organizations to maintain a “documented description of the cryptographic architecture” to protect data, and restrict “access to cryptographic keys to the fewest number of custodians possible.”
Keep in mind this is just one regulation. So many others, such as GDPR, HIPAA, and more all have specific requirements to make sure companies do all they can to protect data from theft, loss, or inappropriate access.
Yet too often, there is a lack of unified tools that can successfully overcome the issues related to management overhead and potential noncompliance.
Related Resource: Successfully Complying with Data Privacy Regulations (How-to Guide)
A new and better approach to key management: the ARIA SDS KMS Application
CSPi’s ARIA SDS Key Management Server (KMS) application delivers intelligent key management functionality for the automatic generation and distribution of encryption keys. It also offers advanced capabilities such as intelligent key management, advanced policy controls, and enhanced access control.
ARIA SDS KMS provides an important advantage for those organizations that need to ensure the right encryption keys are in the right place at the right time all without impacting network or application performance. It is an easy-to-deploy application that takes advantage of the widely accepted key management interoperability protocol (KMIP) for integration with other existing applications.
Today more vendors, are allowing users to use a Bring Your Own Key (BYOK) solution. This includes VMware starting in vSphere 6.5 to encrypt the output of each virtual machine (VM) yet these users still need to provide their a KMIP-compliant KMS solution.
When ARIA KMS is deployed on the Myricom Secure Intelligent Adapter (SIA), organizations gain additional security and performance since a local secure zone-of-trust required to generate and store keys and even execute crypto operations based on those stored keys. When running the ARIA KMS application, utilizing its TrustZone TPM this shields the keys from exposure, even if the host server is breached. It is deployable into the devices they are protecting, such as storage arrays, for a zero footprint implementation of a key management server solution.
Related Resource: 5 Minutes and 4 Easy Steps to VMware Encryption (On-Demand Webinar)
The ARIA SDS KMS application enables enterprise-wide encryption key management with the following capabilities:
- Complete integration with vSphere and other KMIP-based applications for fast, easy set-up and deployment.
- It generates thousands of unique keys per minute, enabling the encryption of all data and application transactions.
- This application is a highly available, secure key storage in a virtual server, on premises or in the cloud.
- Manages all policies across platforms through a single user interface.
- Zero-footprint deployment: ARIA SDS KMS can be deployed directly or built into a vSAN configuration, eliminating the need for connectivity.
Interested in learning more about encryption key management and CSPi’s ARIA KMS solution? Watch our new ARIA KMS video now!
CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPI’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, no matter if is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.