In this, the first part of a three-part article, we start off by looking at what key management is, the function of a key management system and the benefits it provides.
In Part 2, we will consider how the requirement for a new key management system arises and then explore the underlying business drivers and benefits of such a system in each scenario. In the final part, we will examine the business case for introducing a new key management system and define 20 criteria to help you select the optimal solution for both your current and future needs.
Key management is the practice of managing cryptographic keys through their lifecycle. The importance of this is summarized in NIST Special Publication 800-57:
“The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with the keys, and the protection afforded to the keys.”
Specifically, key management should provide control over all key operations based on a combination of best practices and user-defined policies; such operations include key generation, import/export, backup, distribution, usage, update, revocation and deletion. It also ensures that keys are stored securely to prevent unauthorized modification and, in the case of secret (symmetric) and private (asymmetric) keys, that they are not disclosed. As each key is unique and cannot be recreated, an often-overlooked consideration is the necessity to protect keys against temporary unavailability, permanent loss or malicious deletion.
A key management system provides a framework for managing keys throughout their lifecycle. Whilst implementations vary, desirable characteristics include:
Generation of keys using a certified hardware random number generator
Storage of keys within a certified, tamper-resistant hardware device
Replication/backup mechanisms to ensure that keys are never lost
Logical access controls with strong user authentication
User-definable roles (e.g. Security Officer, Operator, Auditor)
User-definable, strongly-enforced policies
Protection against rogue employees (e.g. mandatory two-person operations)
Some level of automation for common tasks
Full, tamper-evident audit log.
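To make several of the characteristics above concrete, here is a small Python model, added as an illustration for this article and not code from any key management product. It shows policy-enforced lifecycle transitions (pre-activation, active, revoked, destroyed), role-based access for Security Officer, Operator and Auditor roles, mandatory two-person approval for destructive operations, key material that never leaves the store (callers get a MAC, not the key), zeroisation on destruction, and a hash-chained audit log whose verification fails if any entry is altered. The role names, permission matrix and state machine are assumptions chosen for the example, and `secrets` stands in for the certified hardware random number generator a real system would use.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Illustrative role matrix (assumption): which operations each role may request.
ROLE_PERMISSIONS = {
    "security_officer": {"generate", "activate", "revoke", "destroy"},
    "operator": {"generate", "activate", "use"},
    "auditor": {"verify_log"},
}
# Destructive operations need a second, distinct, authorised person to approve.
TWO_PERSON_OPS = {"revoke", "destroy"}
# Allowed lifecycle transitions (assumption): no path back from revoked or destroyed.
TRANSITIONS = {
    "activate": ("pre-activation", "active"),
    "revoke": ("active", "revoked"),
    "destroy": ("revoked", "destroyed"),
}


@dataclass
class AuditEntry:
    actor: str
    action: str
    key_id: str
    outcome: str
    prev_hash: str       # hash of the previous entry: this is what makes the log a chain
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = json.dumps([self.actor, self.action, self.key_id, self.outcome, self.prev_hash])
        return hashlib.sha256(body.encode()).hexdigest()


class AuditLog:
    """Tamper-evident log: each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, key_id, outcome):
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        entry = AuditEntry(actor, action, key_id, outcome, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            if entry.prev_hash != prev or entry.compute_hash() != entry.entry_hash:
                return False   # an entry was edited, removed or reordered
            prev = entry.entry_hash
        return True


class KeyManager:
    def __init__(self):
        self.users = {}    # user name -> role
        self._keys = {}    # key_id -> {"material": bytes, "state": str}
        self.log = AuditLog()

    def add_user(self, name, role):
        self.users[name] = role

    def _check(self, actor, op, approver=None):
        """Enforce the role matrix and, for destructive ops, two-person control."""
        def allowed(user):
            return op in ROLE_PERMISSIONS.get(self.users.get(user), set())
        if not allowed(actor):
            raise PermissionError(f"{actor} may not {op}")
        if op in TWO_PERSON_OPS and (approver is None or approver == actor or not allowed(approver)):
            raise PermissionError(f"{op} requires a second authorised approver")

    def generate(self, actor) -> str:
        self._check(actor, "generate")
        key_id = secrets.token_hex(4)
        # secrets.token_bytes stands in for a certified hardware RNG (assumption).
        self._keys[key_id] = {"material": secrets.token_bytes(32), "state": "pre-activation"}
        self.log.append(actor, "generate", key_id, "ok")
        return key_id

    def transition(self, actor, op, key_id, approver=None):
        """Move a key along its lifecycle; every attempt, allowed or denied, is logged."""
        try:
            self._check(actor, op, approver)
            src, dst = TRANSITIONS[op]
            key = self._keys[key_id]
            if key["state"] != src:
                raise ValueError(f"key {key_id} is {key['state']}, expected {src}")
            key["state"] = dst
            if dst == "destroyed":
                key["material"] = b""   # zeroise: the material is unrecoverable
            self.log.append(actor, op, key_id, "ok")
        except (PermissionError, ValueError) as exc:
            self.log.append(actor, op, key_id, f"denied: {exc}")
            raise

    def use(self, actor, key_id, data: bytes) -> str:
        """Key material never leaves the store: the caller receives an HMAC over data."""
        self._check(actor, "use")
        key = self._keys[key_id]
        if key["state"] != "active":
            self.log.append(actor, "use", key_id, "denied: key not active")
            raise ValueError(f"key {key_id} is not active")
        self.log.append(actor, "use", key_id, "ok")
        return hmac.new(key["material"], data, hashlib.sha256).hexdigest()

    def state(self, key_id) -> str:
        return self._keys[key_id]["state"]

    def verify_log(self, actor) -> bool:
        self._check(actor, "verify_log")
        return self.log.verify()
```

In use, an Operator generates and activates a key and obtains MACs from it, but revoking that key needs two distinct Security Officers, an Operator's revoke attempt is denied and logged, a revoked key can no longer be used, and an Auditor can check the chain; editing any logged entry afterwards makes `verify_log` return False. A production system would additionally keep the material inside a tamper-resistant hardware device and replicate the store for availability, which this in-memory sketch does not attempt.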
There are significant benefits that accrue from using a key management system, which are summarized below.
A key management system can enhance your organization’s security posture by imposing technical measures to prevent the loss, compromise or misuse of keys – for example:
High-quality key generation
Physical protection of keys
High availability guarantees
Secure key distribution
Key revocation and deletion
For many organizations, it is important (if not a legal necessity) to comply with various industry, national and international standards and regulations regarding data protection, which typically rely on encryption and thus ultimately on key management. These include PCI-DSS, GDPR, SOX, HIPAA and many others. A key management system enables organizations to simply and efficiently implement the necessary processes and controls around their keys; it also simplifies internal and external audits.
A key management system provides many opportunities for reducing cost:
Eliminates inefficient manual/paper-based processes
Centralizes operations to optimize use of skills and resources
Automates certain processes
Scales to address growth in number of keys
Reduces time spent on compliance and audits
Avoids fines and reputational damage from compromise of keys.
In Part 2, we will consider how the requirement for a new key management system arises and then explore the underlying business drivers and benefits of such a system in each scenario.
NIST SP 800-57 Part 1 Revision 4, Recommendation for Key Management (2016), Elaine Barker.