Buyer’s Guide to Choosing a Crypto Key Management System - Part 2

Part 2: The Requirement for a Key Management System

In Part 1 of this three-part article, we introduced the concept of key management and the functions and benefits of a key management system. In this part, we will consider how the requirement for a new key management system arises and then explore the underlying business drivers and benefits of such a system in each scenario.

In the final part, we will examine the business case for introducing a new key management system and define 20 criteria to help you select the optimal solution for both your current and future needs.

The Requirement

There are four scenarios in which a new key management system may be required:

1. You want to replace manual processes, which are laborious and error-prone

2. You want to consolidate multiple existing systems using a single, centralized key management system

3. Your existing system is end-of-life or simply doesn’t meet your needs anymore

4. You are managing cryptographic keys for the first time, and want to do it properly.

Let’s look at each of these scenarios in a little more detail to understand the underlying drivers and business case for change.

Replacing Manual Processes

Manual processes (e.g. using USB thumb drives, spreadsheets and paper-based key ceremonies) may be fine initially, i.e. when you only have a few keys, they’re not all that important, and you have well-trained staff. However, there are many things that can change and motivate the need for an electronic key management system:

• The number of keys keeps increasing, leading to greater effort and more errors

• The value of the keys keeps increasing, leading to greater impact from any compromise

• As the staff who originally set up the manual system move on, new staff may be less capable

• Security audits become increasingly difficult, along with the costs of audits and the risk of compliance failures.

A comprehensive key management system will solve all these problems – it will be scalable, secure, automated and auditable. This will have the benefits of:

• Improving the corporate security posture, by eliminating errors and preventing the misuse or compromise of keys

• Reducing cost and complexity, by automating many tasks and reducing the resources and skills required

• Simplifying internal and external compliance audits, by enforcing policies and maintaining integrity-protected logs.

Consolidation of Existing Systems

It is not uncommon for organizations to find themselves with a multitude of application-specific or home-grown key management systems, used by different teams to manage different keys in different places. Eventually, however, this becomes untenable due to:

• Ever-increasing operating costs and resource levels

• Ever-more complex and time-consuming audits

• Escalating risks due to lack of overall visibility and clear ownership.

A centralized key management system will solve all these problems – it can be easily managed by a single, small team, it can be easily audited, it will provide complete visibility and enable clear ownership. This will have the benefits of:

• Reducing costs, by decreasing the amount of skilled resources required

• Simplifying internal and external compliance audits, by enforcing policies and maintaining integrity-protected logs

• Improving the corporate security posture, by providing centralized control and visibility of all keys.

Existing System is Out-Dated

You may have an existing system that has done the job well for many years, but for various reasons is no longer good enough for the job:

• The vendor may be ending support for the system

• The operating costs are too high (e.g. for an old mainframe-based system)

• It requires very high skills levels to operate

• It is unreliable or provides inadequate support for business continuity

• It can no longer provide adequate security (e.g. due to new threats, reduced risk appetite or new compliance requirements)

• It cannot scale to meet increasing demands

• It cannot support new key types that are required.

A modern key management system could solve all these problems, providing greater performance, security, resilience, scalability, ease-of-use and functionality – all at reduced cost.

New Demand to Manage Keys

If managing cryptographic keys is a new requirement for your organization, then (as you can see from the problems above), it makes sense to get it right first time. A good key management system will:

• Provide banking grade security, through a robust security architecture

• Support business continuity, through a resilient system architecture

• Minimize operational costs and resources, through automation and ease-of-use

• Simplify compliance audits, through enforcement of user-defined policies

• Ensure clear ownership, through centralization and visibility.

In Part 3, we will examine the business case for introducing a new key management system and define 20 criteria to help you select the optimal solution for both your current and future needs.

References and further reading

• Buyer’s Guide to Choosing a Crypto Key Management System - Part 1: What is a Key Management System (2018), by Rob Stubbs
• Buyer’s Guide to Choosing a Crypto Key Management System - Part 3: Choosing the Right Key Management System (2018), by Rob Stubbs
•  

• NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker

•  
• Selected articles on Key Management (2012-today) by Ashiq JA, Guillaume Forget, Martin Eriksen, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more
• Selected articles on HSMs (2013-today), by Ashiq JA, Peter Landrock, Peter Smirnoff, Rob Stubs, Steve Marshall, Torben Pedersen and more

Image: "The Light at the End of the Tunnel" courtesy of Ben Chun, Flickr, (CC BY-SA 2.0)