Buyer’s Guide to Choosing a Crypto Key Management System - Part 1

by Rob Stubbs on 21. February 2018

Part 1: What is a Key Management System?

In this, the first part of a three-part article, we start off by looking at what key management is, the function of a key management system and the benefits it provides.

In Part 2, we will consider how the requirement for a new key management system arises and then explore the underlying business drivers and benefits of such a system in each scenario. In the final part, we will examine the business case for introducing a new key management system and define 20 criteria to help you select the optimal solution for both your current and future needs.

Key Management Basics

Key management is the practice of managing cryptographic keys through their lifecycle. The importance of this is summarized in NIST Special Publication 800-57:

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with the keys, and the protection afforded to the keys.”

Specifically, key management should provide control over all key operations based on a combination of best practices and user-defined policies; such operations include key generation, import/export, backup, distribution, usage, update, revocation and deletion. It also ensures that keys are stored securely to prevent unauthorized modification and, in the case of secret (symmetric) and private (asymmetric) keys, that they are not disclosed. As each key is unique and cannot be recreated, an often-overlooked consideration is the necessity to protect keys against temporary unavailability, permanent loss or malicious deletion.

The Function of a Key Management System

A key management system provides a framework for managing keys throughout their lifecycle. Whilst implementations vary, desirable characteristics include:

  • Generation of keys using a certified hardware random number generator

  • Storage of keys within a certified, tamper-resistant hardware device

  • Replication/backup mechanisms to ensure that keys are never lost

  • Logical access controls with strong user authentication

  • User-definable roles (e.g. Security Officer, Operator, Auditor)

  • User-definable, strongly-enforced policies

  • Protection against rogue employees (e.g. mandatory two-person operations)

  • Some level of automation for common tasks

  • Full, tamper-evident audit log.

The Benefits of a Key Management System

There are significant benefits that accrue from using a key management system, which are summarized below.

Risk reduction

A key management system can enhance your organization’s security posture by imposing technical measures to prevent the loss, compromise or misuse of keys – for example:

  • High-quality key generation

  • Physical protection of keys

  • Access controls

  • Policy enforcement

  • High availability guarantees

  • Secure key distribution

  • Key revocation and deletion

  • Audit log.


New Call-to-action

For many organizations, it is important (if not a legal necessity) to comply with various industry, national and international standards and regulations regarding data protection, which typically rely on encryption and thus ultimately on key management. These include PCI-DSS, GDPR, SOX, HIPAA and many others. A key management system enables organizations to simply and efficiently implement the necessary processes and controls around their keys; it also simplifies internal and external audits.

Cost reduction

A key management system provides many opportunities for reducing cost:

  • Eliminates inefficient manual/paper-based processes

  • Centralizes operations to optimize use of skills and resources

  • Reduces errors

  • Automates certain processes

  • Scales to address growth in number of keys

  • Reduces time spent on compliance and audits

  • Avoids fines and reputational damage from compromise of keys.

In Part 2, we will consider how the requirement for a new key management system arises and then explore the underlying business drivers and benefits of such a system in each scenario.

Read White Paper

References and further reading

Image: "End of the Tunnel" courtesy of Patrick Breitenbach, Flickr, (CC BY 2.0)

Want to know how we can help ?

Get in touch to better understand how our solutions secure ecommerce and billions of transactions worldwide.