This article introduces and describes the relevant roles needed to successfully manage a key management system in an organisation.
A successful key management system (KMS) should interface effectively with the human operators who perform specific tasks such as defining daily operations, training, domain security policy and so on. The KMS security policy should be written so that the individuals responsible for maintaining it can easily understand the policy and correctly perform their roles and responsibilities.
Assigning roles in a Key Management System
Each role in a KMS should have specific authorizations and responsibility defined. KMS documentation or the KMS security policy should define and describe these roles and responsibilities. The persons performing the roles should be provided access to the right set of key and metadata management functions necessary for carrying out the responsibilities of their specific role.
As per NIST, each role may be assigned to multiple individuals, and a single person may hold multiple roles. However, certain roles should be kept separate so that no individual is assigned to both of them at the same time.
For example, audit logs should be managed by someone other than a system administrator in order to detect administrative misuse or abuse.
In addition, it is wise to rotate individuals from roles so as to minimize the likelihood of long-term abuses.
KMS roles include the following:
- System Authority: A system authority is accountable to executive-level management, such as the Chief Information Security Officer, for the overall operation and security of a KMS.
- System Administrator: System administrators are responsible for the personnel, daily operation, training, maintenance, and related management of a KMS other than its keys. The system administrator is responsible for initially verifying individual identities and then establishing appropriate identifiers for all personnel involved in the operation and use of a KMS. These include users, security auditors, key custodians, operators, maintenance workers, and agents required to vet the credentials of people seeking access to data in the system or use of the KMS.
- Cryptographic Officer: A cryptographic officer is authorized to perform cryptographic initialization and management functions on a KMS and its cryptographic modules.
- Domain Authority: A domain authority is responsible for defining and accepting a Domain Security Policy, for subsequently deciding the conditions necessary for communicating with other security domains, and then for ensuring that those conditions are met.
- Key Custodian: A key custodian is designated to distribute and load keys or key splits into a cryptographic module. Key custodians may be used to implement multi-party control and key splitting.
- Key Owner: A key owner is an entity such as a person, group, organization, device, or cryptographic module that is authorized to use a cryptographic key or key pair and whose identifier is associated with that key or key pair. For public/private key pairs, the association is typically established through a registration process. A symmetric key may have a single specific owner, or multiple owners may share the key.
- KMS User: KMS users utilize the system when key management functions are required to support an application. KMS users may be, and often are, key owners.
- Audit Administrator: An audit administrator is responsible for auditing all aspects of a key management system to verify its security and authorized operation. In particular, the audit administrator manages and reviews the event log and should have no operational responsibilities for the KMS. Audit administrators should not have access to any operational keys other than their own keys.
- Registration Agent: A registration agent is responsible for registering new entities and binding their keys to their identifiers and perhaps other selected metadata. The registration agent may also enter entity information, keys, and metadata into a database used by the KMS.
- Key-Recovery Agent: A key-recovery agent is allowed to recover keys from backup or archive storage after identity verification and authorization of the requesting entity is performed in accordance with the KMS Security Policy.
- KMS Operator: A KMS operator is authorized to initiate the KMS, monitor its performance, and perform backups of the system as directed by the system administrator.
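The separation-of-duties and rotation rules above, together with the role list, can be expressed as a small policy check that a KMS administrator runs over the current role assignments. The following is an added example, not code from NIST SP 800-130 or from any KMS product. The role names and the conflict rules (audit administrator versus system administrator, and the audit administrator holding no operational duties or operational keys) come from the article; the mapping of each role to concrete key-management functions, the 365-day rotation limit and the sample assignments are assumptions made for the illustration.

```python
"""Role-based authorisation and separation-of-duties checks for a KMS.

Added illustration only. The conflict rules follow the article; the
ROLE_FUNCTIONS mapping and the rotation limit are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date

# Roles as described in the article.
ROLES = {
    "system_authority", "system_administrator", "cryptographic_officer",
    "domain_authority", "key_custodian", "key_owner", "kms_user",
    "audit_administrator", "registration_agent", "key_recovery_agent",
    "kms_operator",
}

# Key and metadata management functions each role is authorised for.
# Assumed mapping, derived loosely from the role descriptions in the article.
ROLE_FUNCTIONS = {
    "system_authority": set(),
    "system_administrator": {"verify_identity", "create_identifier", "direct_backup"},
    "cryptographic_officer": {"initialize_module", "manage_module"},
    "domain_authority": {"define_domain_policy", "approve_interdomain"},
    "key_custodian": {"load_key_split", "distribute_key"},
    "key_owner": {"use_key"},
    "kms_user": {"request_key_function"},
    "audit_administrator": {"read_event_log", "review_event_log"},
    "registration_agent": {"register_entity", "bind_key_to_identifier"},
    "key_recovery_agent": {"recover_key"},
    "kms_operator": {"initiate_kms", "monitor_performance", "run_backup"},
}

# Role pairs no single person may hold at once. The first pair is named in the
# article; the others follow from "no operational responsibilities" for auditors.
SEPARATED_ROLES = {
    frozenset({"audit_administrator", "system_administrator"}),
    frozenset({"audit_administrator", "kms_operator"}),
    frozenset({"audit_administrator", "key_custodian"}),
}

# Functions touching operational keys; an audit administrator never gets these.
OPERATIONAL_KEY_FUNCTIONS = {
    "load_key_split", "distribute_key", "recover_key", "initialize_module",
}

@dataclass
class Assignment:
    person: str
    role: str
    since: date  # date the role was granted; used for the rotation check

@dataclass
class Violation:
    person: str
    reason: str

def check_assignments(assignments, today, max_tenure_days=365):
    """Return Violation records for unknown roles, separated-role conflicts
    and roles held past the rotation limit (assumed 365 days)."""
    violations = []
    by_person = {}
    for a in assignments:
        if a.role not in ROLES:
            violations.append(Violation(a.person, f"unknown role {a.role!r}"))
            continue
        by_person.setdefault(a.person, []).append(a)
    for person, items in by_person.items():
        held = {a.role for a in items}
        for pair in SEPARATED_ROLES:
            if pair <= held:
                violations.append(Violation(person, f"holds separated roles {sorted(pair)}"))
        for a in items:
            if (today - a.since).days > max_tenure_days:
                violations.append(Violation(
                    person, f"{a.role} held longer than {max_tenure_days} days; rotate"))
    return violations

def is_authorized(assignments, person, function):
    """True if one of the person's roles grants the function. An audit
    administrator is refused any operational key function regardless of
    other roles, so a conflicting assignment cannot widen their access."""
    roles = {a.role for a in assignments if a.person == person}
    if "audit_administrator" in roles and function in OPERATIONAL_KEY_FUNCTIONS:
        return False
    return any(function in ROLE_FUNCTIONS[r] for r in roles)

# Constructed sample assignments; alice is (wrongly) both administrator and auditor.
TODAY = date(2024, 9, 1)
SAMPLE = [
    Assignment("alice", "system_administrator", date(2023, 1, 10)),
    Assignment("alice", "audit_administrator", date(2024, 3, 1)),
    Assignment("bob", "key_custodian", date(2024, 2, 1)),
    Assignment("carol", "kms_operator", date(2024, 6, 1)),
]

if __name__ == "__main__":
    for v in check_assignments(SAMPLE, TODAY):
        print(f"{v.person}: {v.reason}")
```

Run against the constructed sample, the check reports two findings for alice: she holds the separated administrator/auditor pair, and her administrator role has been held past the rotation limit. The `is_authorized` check also refuses her any operational key function even though her administrator role alone would not grant one, which is the point of keeping audit duties apart from key operations.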
Reference and further reading
- NIST Special Publication 800-130: A Framework for Designing Cryptographic Key Management Systems (2013) by E. Barker, M. Smid, D. Branstad and S. Chokhani
- 10 Tips for a Cryptographic Key Management System in the Banking Industry - a Penetration Testing Perspective (2015) by Ashiq J.A.