In this concluding part, we will examine the business case for introducing a new key management system and define 20 criteria to help you select the optimal solution for both your current and future needs.
Read Part 1: introducing the concept of key management and the functions and benefits of a key management system.
Read Part 2: considering how the requirement for a new key management system arises and exploring the underlying business drivers and benefits of such a system in each scenario.
The business case for introducing a key management system is generally quite straightforward. You may already have an existing key management system (or even several), proprietary or home-grown, that once met the needs of the business but has since become ineffective and inadequate. Whatever the situation, the case for introducing a new key management system will typically depend on the pain currently being experienced.
If your organization has suffered key compromises in the past, or perceives the risk and cost of such a compromise as high enough to be potentially catastrophic, then the main business driver will probably be risk reduction. The business case will point towards a solution that minimizes the overall risk profile, and the justification will be the avoidance of fines, lawsuits and reputational damage that could, in the worst case, destroy the business.
If your organization is struggling to comply with regulations and pass audits, then compliance is likely to be the main driver. Failure to comply with regulations can result in fines (which are becoming increasingly severe) and reputational damage, so the business case will suggest a solution that simplifies compliance and makes audits easier.
If your organization is going through significant IT transformation, then support for the new systems and key migration are likely to be the main drivers, and the business case will select a solution that provides the necessary technical capabilities.
If the number of keys being managed is growing rapidly (as it is in most organizations) and managing them is becoming an increasingly labor-intensive and costly exercise for the organization, then cost reduction is going to be the main driver, and the business case will call for the solution that offers the lowest total cost of ownership.
Whatever the main business driver, it is possible to demonstrate a positive return on investment (ROI) and thus justify the acquisition of a key management system. Even where the main driver is risk, compliance or technology, the operational cost savings will likely yield a rapid payback of the initial investment, and the savings will only grow over time.
The quality of any key management system is a critically important factor when choosing a solution, given the role it plays in underpinning your organization’s critical security applications. Factors to consider include:
Pedigree of the vendor – do they have a global reputation and long track record within the crypto security industry?
Strategic product – is the product a core offering, or just a small sideline?
Security architecture – can the vendor provide a detailed security architecture that shows how various threats are mitigated?
HSM support – does the solution support a choice of independent HSMs?
Physical protection – are keys secured to the FIPS 140-2 standard (ideally Level 3)?
Resilience – does the solution provide for high availability, backup and disaster recovery?
Compliance – can the vendor show how it addresses the entire key lifecycle to aid compliance with relevant regulations?
Credibility – is the product proven and backed up by high-profile references or case studies?
Support – can the vendor provide professional services to help with design and implementation, and a high quality of ongoing maintenance and support (on a 24/7 basis if required)?
Future – is the product being actively maintained and updated in line with market trends?
Unless you have a very narrow use case, a broad range of capabilities is also important, to address not just your current but also your future needs. Factors to consider include:
Application agnosticism – can the solution manage keys for a broad range of different applications?
Vendor agnosticism – can the solution manage keys for applications other than the vendor’s own applications?
Supported key types – does the solution support a wide range of symmetric and asymmetric key types, lengths and formats (including any specific to your applications or industry)?
Secure key import/export – does the solution allow key import and export wrapped under suitable key encryption keys?
Cloud enablement – will the solution support transitioning applications to the cloud through BYOK integration, where appropriate?
User authentication – does the solution provide strong user authentication for the various administration roles?
Policy control – does the solution enforce policy, including user-defined roles and privileges and two-person operations with asynchronous approvals?
Audit – does the solution provide a secure, integrity-protected audit log?
Integration – will the solution integrate with your applications, and can the vendor offer custom integrations if required?
Automation – does the product offer automation options, e.g. for key renewal and key distribution?
There are many good reasons to use a key management system, and many benefits that will result from that, provided the choice is made carefully. The selection criteria above should help you find the optimal key management system for your needs.