Buyer’s Guide to Choosing a Crypto Key Management System - Part 1

Part 1: What is a Key Management System?

In this first installment of a three-part series, we look at what key management is, how a key management system works, and what benefits it brings.

In Part 2, we will consider how the requirement for a new key management system arises and then explore the underlying business drivers and benefits of such a system in each scenario. In the final part, we will examine the business case for introducing a new key management system and define 20 criteria to help you select the optimal solution for both your current and future needs.

Key Management Basics

Key management is the practice of managing cryptographic keys throughout their lifecycle. The importance of this is summarized in NIST Special Publication 800-57:

“The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with the keys, and the protection afforded to the keys.”

Key management, in particular, should enable control over all key operations, including key generation, import/export, backup, distribution, usage, update, revocation, and deletion, based on a combination of best practices and user-defined policies. It also ensures that keys are securely stored to prevent unauthorized alteration and that secret (symmetric) and private (asymmetric) keys are not leaked. Because each key is unique and cannot be replicated, it is critical to secure keys from temporary unavailability, permanent loss, or malicious destruction.

The Function of a Key Management System

A key management system provides a framework for managing keys throughout their lifecycle. While implementations vary, desirable characteristics include:

  • Generation of keys using a certified hardware random number generator

  • Storage of keys within a certified, tamper-resistant hardware device

  • Replication/backup mechanisms to ensure that keys are never lost

  • Logical access controls with strong user authentication

  • User-definable roles (e.g., security officer, operator, auditor)

  • User-definable, strongly-enforced policies

  • Protection against rogue employees (e.g., mandatory two-person operations)

  • Some level of automation for common tasks

  • Full, tamper-evident audit log.

The Benefits of a Key Management System

There are significant benefits that accrue from using a key management system, which are summarized below.

Risk reduction

A key management system can enhance your organization’s security posture by imposing technical measures to prevent the loss, compromise, or misuse of keys – for example:

  • High-quality key generation

  • Physical protection of keys

  • Access controls

  • Policy enforcement

  • High availability guarantees

  • Secure key distribution

  • Key revocation and deletion

  • Audit log.

Compliance

For many organizations, it is important (if not a legal necessity) to comply with various industry, national, and international standards and regulations regarding data protection, which typically rely on encryption and thus ultimately on key management. These include PCI-DSS, GDPR, SOX, HIPAA and many others. A key management system enables organizations to simply and efficiently implement the necessary processes and controls around their keys; it also simplifies internal and external audits.

 

Cost reduction

A key management system provides many opportunities for reducing costs:

  • Eliminates inefficient manual or paper-based processes

  • Centralizes operations to optimize the use of skills and resources

  • Reduces errors

  • Automates certain processes

  • Scales to address growth in the number of keys

  • Reduces time spent on compliance and audits

  • Avoids fines and reputational damage from compromise of keys.

In Part 2, we will consider how the requirement for a new key management system arises and then explore the underlying business drivers and benefits of such a system in each scenario.

Image: "End of the Tunnel" courtesy of Patrick Breitenbach, Flickr, (CC BY 2.0)