Part 2: The Requirement for a Key Management System
In Part 1 of this three-part article, we introduced the concept of key management and the functions and benefits of a key management system. In this part, we will consider how the requirement for a new key management system arises and then explore the underlying business drivers and benefits of such a system in each scenario.
In the final part, we will examine the business case for introducing a new key management system and define 20 criteria to help you select the optimal solution for both your current and future needs.
The Requirement
There are four scenarios in which a new key management system may be required:
-
You want to replace manual processes, which are laborious and error-prone
-
You want to consolidate multiple existing systems using a single, centralized key management system
-
Your existing system is end-of-life or simply doesn’t meet your needs anymore
-
You are managing cryptographic keys for the first time, and want to do it properly.
Let’s look at each of these scenarios in a little more detail to understand the underlying drivers and business case for change.
Replacing Manual Processes
Manual processes (e.g. using USB thumb drives, spreadsheets and paper-based key ceremonies) may be fine initially, i.e. when you only have a few keys, they’re not all that important, and you have well-trained staff. However, there are many things that can change and motivate the need for an electronic key management system:
-
The number of keys keeps increasing, leading to greater effort and more errors
-
The value of the keys keeps increasing, leading to greater impact from any compromise
-
As the staff who originally set up the manual system move on, new staff may be less capable
-
Security audits become increasingly difficult, along with the costs of audits and the risk of compliance failures.
A comprehensive key management system will solve all these problems – it will be scalable, secure, automated and auditable. This will have the benefits of:
-
Improving the corporate security posture, by eliminating errors and preventing the misuse or compromise of keys
-
Reducing cost and complexity, by automating many tasks and reducing the resources and skills required
-
Simplifying internal and external compliance audits, by enforcing policies and maintaining integrity-protected logs.
Consolidation of Existing Systems
It is not uncommon for organizations to find themselves with a multitude of application-specific or home-grown key management systems, used by different teams to manage different keys in different places. Eventually, however, this becomes untenable due to:
-
Ever-increasing operating costs and resource levels
-
Ever-more complex and time-consuming audits
-
Escalating risks due to lack of overall visibility and clear ownership.
A centralized key management system will solve all these problems – it can be easily managed by a single, small team, it can be easily audited, it will provide complete visibility and enable clear ownership. This will have the benefits of:

-
Reducing costs, by decreasing the amount of skilled resources required
-
Simplifying internal and external compliance audits, by enforcing policies and maintaining integrity-protected logs
-
Improving the corporate security posture, by providing centralized control and visibility of all keys.
Existing System is Out-Dated
You may have an existing system that has done the job well for many years, but for various reasons is no longer good enough for the job:
-
The operating costs are too high (e.g. for an old mainframe-based system)
-
It requires very high skills levels to operate
-
It is unreliable or provides inadequate support for business continuity
-
It can no longer provide adequate security (e.g. due to new threats, reduced risk appetite or new compliance requirements)
-
It cannot scale to meet increasing demands
-
It cannot support new key types that are required.
A modern key management system could solve all these problems, providing greater performance, security, resilience, scalability, ease-of-use and functionality – all at reduced cost.
New Demand to Manage Keys
If managing cryptographic keys is a new requirement for your organization, then (as you can see from the problems above), it makes sense to get it right first time. A good key management system will:
-
Provide banking grade security, through a robust security architecture
-
Support business continuity, through a resilient system architecture
-
Minimize operational costs and resources, through automation and ease-of-use
-
Simplify compliance audits, through enforcement of user-defined policies
-
Ensure clear ownership, through centralization and visibility.
In Part 3, we will examine the business case for introducing a new key management system and define 20 criteria to help you select the optimal solution for both your current and future needs.
References and further reading
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 1: What is a Key Management System (2018), by Rob Stubbs
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 3: Choosing the Right Key Management System (2018), by Rob Stubbs
-
NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker
- Selected articles on Key Management (2012-today) by Ashiq JA, Guillaume Forget, Martin Eriksen, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more
- Selected articles on HSMs (2013-today), by Ashiq JA, Peter Landrock, Peter Smirnoff, Rob Stubs, Steve Marshall, Torben Pedersen and more
Image: "The Light at the End of the Tunnel" courtesy of Ben Chun, Flickr, (CC BY-SA 2.0)