Traditionally, end-to-end lifecycle key management was achieved through inefficient paper-based procedures and highly resource intensive tasks performed by 4 or 5 employees, but this inefficient process leads to human errors and is very time and resource consuming. Centralized cryptographic key management is the best solution to overcome such dependency on individuals.
This article discusses the advantages of using a centralized key management system.
A centralized solution allows to flexibly manage a very large number of keys throughout their entire lifecycle. For example, MasterCard Europe used to put much effort into maintaining cryptographic keys, they had staff employed that would travel between their hundreds of member banks and update the keys in their network by entering them manually into each box in the distributed network. Today they manage this process centrally from their secured operations venue with multiple and secure user authentication, each with their unique administrative role and credentials. A fully automated and centralized key management system, such as used by MasterCard, allows a business to maintain their secure infrastructure while significantly reducing costs and improving operational efficiency.
Controlling everything from one place is the most simple and efficient way to manage crypto. A KMS (Key Management Server) should audit security-relevant events by detecting and recording the event, the date and time of the event, and the identity or role of the entity initiating the event. Auditing the cryptographic key lifecycle to identify the state transitions of the key. Auditing and monitoring brings transparency in crypto operations in the organization.
One of the toughest jobs in crypto management is policy enforcement. A centralized and granular cryptographic policy can enable seamless updates for all necessary cryptographic functions without any changes in the application code. Implementing centralized policy enforcement where the system collects all relevant information in a single place for easy audit and in human-readable form makes demonstration of compliance with internal and external policies a more straightforward task.
Efficient operation and optimization is one of the main goals of a key management system. Managing, tracking and updating keys across a distrusted network typically poses a significant overhead to a bank and/or government organization. This requires a comprehensive overview of which of the many keys in the network need attention, then locating exactly where the keys are stored and travelling to each location to manually update the key (this also requires gaining access to the hardware/system that stores the key). .
With the usage of centralized key management, one can manage this process centrally from a secured operations venue with multiple and securely authenticated users, each with their unique administrative role and credentials. The system administrators or operators can update or configure these keys on each application with just a click of a button – even on another continent!
Centralized controls allow the business to restrict access to cryptographic functions and enforce policies on key length, rotation, mode of operation and so on. This helps in meeting regulations and industry guidelines, measures and controls.
In a traditional key management system, important decisions such as algorithms and key size were handled separately for each application or project. This creates a lot of trouble when identifying and removing weak algorithms or ciphers.
For instance, deprecated cryptographic algorithms such as RC4, SHA-1 and MD5 can create lot of trouble for developers, as they are now considered too vulnerable to be deployed. Nevertheless, they are still found in some existing deployments. One reason for this is that identifying and disabling such algorithms in various de-centralized legacy systems is very hard. One of the features of advanced centralized key and cryptographic management solutions is to enable you to easily swap one algorithm with another across the network without any change to application code.
The Cryptomathic Crypto Key Management System (CKMS) has been designed to deliver the above advantages and reduce the enormous increases in work-load and costs associated with traditional key management. CKMS' flexible and automated protocols allow keys to be securely pushed to any key distribution target as and when required and for key custodians the use of asynchronous log-on to projects to add components securely, reducing the need for key ceremonies. Independent of security system or vendor, CKMS provides a flexible and scalable solution to simplify the management of cryptographic keys for virtually all crypto keys across an organisations distributed infrastructure.