Over the last 10 years, enterprises have moved on from decentralized and distributed key management to centralized key management systems that provide secure and unified key life-cycle management. The regulatory requirements for data privacy, confidentiality and protection have expanded over the years with the introduction of GDPR in the European Union and similar laws in other countries. Such laws automatically affect all enterprises that do business with consumers or partners from these countries. Similarly, the PCI DSS (Payment Card Industry Data Security Standard) provides an information security standard for organizations that handle EMV card transactions across the globe. As the amount of data that needs to be protected increases, the number of encryption keys that you need to maintain goes up with it.
With decentralized key management systems, end-users were responsible for their own key management. With distributed key management systems, each department in an organization is responsible for its key management protocol. This may be too cumbersome in the current dynamic work environment where employees may frequently move from one department to another either temporarily or permanently. The goal of centralized key management systems has been to achieve uniform key management across the organization using equipment, policies and processes that support all the steps in the life-cycle of a key.
The key management life-cycle and centralized key management systems have evolved over the years, supported by innovations in hardware, technology and automation. For example, Hardware Security Modules (HSMs) enable the generation of truly random keys, which are needed for strong cryptography. A smart card management system may be used for the distribution and installation of private keys. Regeneration and rotation of keys can now be automated based on a defined set of policies. The question now is: where do we go from here? What are the challenges that key management solutions will have to overcome in the next decade?
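To make the "automated rotation based on a defined set of policies" concrete, here is an added example (not code from the original article or from any Cryptomathic product). It models a logical key with several versions, the key states of NIST SP 800-57 (pre-activation, active, deactivated, destroyed) and a rotation policy with an active period and a retention period, so that data protected under a retired version can still be verified until the retention window expires. The key material is a randomly generated HMAC secret constructed in the example; in a real deployment it would live in an HSM. Time is passed in explicitly as `now` (seconds) rather than read from the clock, so the transitions can be reproduced deterministically.

```python
"""Policy-driven key life-cycle with automated rotation (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum


class KeyState(Enum):
    """Key states after NIST SP 800-57 Part 1 (subset used here)."""
    PRE_ACTIVATION = "pre-activation"  # generated, not yet usable
    ACTIVE = "active"                  # may protect and verify
    DEACTIVATED = "deactivated"        # verify only, for legacy data
    DESTROYED = "destroyed"            # material zeroised, record kept


@dataclass
class RotationPolicy:
    active_period: int     # seconds a version stays ACTIVE
    retention_period: int  # seconds a DEACTIVATED version may still verify


@dataclass
class KeyVersion:
    version: int
    created_at: int
    material: bytes | None
    state: KeyState = KeyState.PRE_ACTIVATION


@dataclass
class ManagedKey:
    """One logical key whose versions are driven by a RotationPolicy."""
    name: str
    policy: RotationPolicy
    versions: list[KeyVersion] = field(default_factory=list)

    def _new_version(self, now: int) -> KeyVersion:
        # Constructed key material; an HSM would generate and hold this.
        kv = KeyVersion(len(self.versions) + 1, now, os.urandom(32))
        kv.state = KeyState.ACTIVE  # generation and activation collapsed here
        self.versions.append(kv)
        return kv

    def enforce_policy(self, now: int) -> KeyVersion:
        """Apply the transitions due at time `now`; return the active version,
        generating a fresh one if the previous version has just retired."""
        p = self.policy
        for kv in self.versions:
            age = now - kv.created_at
            if kv.state is KeyState.ACTIVE and age >= p.active_period:
                kv.state = KeyState.DEACTIVATED
            if kv.state is KeyState.DEACTIVATED and age >= p.active_period + p.retention_period:
                kv.material = None  # destroy material, keep the audit record
                kv.state = KeyState.DESTROYED
        active = [kv for kv in self.versions if kv.state is KeyState.ACTIVE]
        return active[-1] if active else self._new_version(now)

    def protect(self, data: bytes, now: int) -> tuple[int, bytes]:
        """Tag `data` with the current active version; returns (version, tag)."""
        kv = self.enforce_policy(now)
        return kv.version, hmac.new(kv.material, data, hashlib.sha256).digest()

    def verify(self, data: bytes, version: int, tag: bytes, now: int) -> bool:
        """Verify a tag made under `version`; succeeds only while that version
        is ACTIVE or DEACTIVATED (i.e. inside the retention window)."""
        self.enforce_policy(now)
        if not 1 <= version <= len(self.versions):
            return False
        kv = self.versions[version - 1]
        if kv.state not in (KeyState.ACTIVE, KeyState.DEACTIVATED):
            return False
        expected = hmac.new(kv.material, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    DAY = 86400
    key = ManagedKey("demo-mac-key", RotationPolicy(30 * DAY, 60 * DAY))
    v1, tag1 = key.protect(b"record-1", now=0)
    v2, _ = key.protect(b"record-2", now=31 * DAY)   # version 1 retires, 2 is created
    print("versions used:", v1, v2)
    print("old tag still verifiable at day 31:", key.verify(b"record-1", v1, tag1, 31 * DAY))
    print("old tag verifiable at day 91:", key.verify(b"record-1", v1, tag1, 91 * DAY))
    for kv in key.versions:
        print(kv.version, kv.state.value)
```

The point of the `DEACTIVATED` state is that rotation does not break existing data: consumers record the version alongside each tag, and the system keeps verifying (but never re-using) the retired material until the policy says it is destroyed. Separating the two periods lets an operator tune how long a compromised version stays exposed versus how long archived records remain checkable.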
Challenges for the next decade
Traditionally, enterprise data has resided on enterprise servers, and encryption and keys were required to secure this data. The centralized key management system itself was hosted within the enterprise. To improve the scalability and availability of applications, enterprises are now moving infrastructure and applications to the cloud. Gartner reports that “Through 2022, Gartner projects the market size and growth of the cloud services industry at nearly three times the growth of overall IT services.”
Since there are a number of public cloud operators in the market (e.g., AWS, GCP and Azure), enterprises may go for multi-cloud computing to avoid vendor lock-in and increase reliability. This, however, raises the question of how the already complex issue of key management will be handled in a single public-cloud or multi-cloud environment. How can an existing centralized key management system be used for managing the encryption keys for data encrypted in the cloud?
With the increased use of the Internet of Things (IoT) in the business world, data is collected from billions of devices and sensors scattered across the world, resulting in what we call Big Data. These devices, and the data they collect and transmit, need to be secured using keys. Key management systems need to scale up to meet the requirement for the large number of keys this scenario demands.
Converting Challenges to Opportunities
Technology used in the business world will continue to evolve as seen in the previous examples. The need for securing data will however remain constant. With introduction of public cloud infrastructures, IoT and Big Data technologies, the need for security has magnified due to the physical distribution of data on various types of devices and networks. Centralized key management has been a security best practice for many years. It applies just as strongly in cloud, IoT and big data environments, especially those with wide geographical distribution.
Policies applied in key management systems need to be upgraded accordingly to accommodate this changing landscape of software systems.
Public cloud providers already offer key management services. In a multi-cloud implementation, however, centralized key management systems take on a slightly modified role: providing management services for keys across the whole multi-cloud ecosystem.
References and Further Reading
- Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17.5 Percent in 2019 (April 2019), by Gartner
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 1: What is a key management system (2018), by Rob Stubbs
- Buyer's Guide to Choosing a Crypto Key Management System; Part 2: The Requirement for a Key Management System (2018), by Rob Stubbs
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 3: Choosing the Right Key Management System (2018), by Rob Stubbs
- NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016), by Elaine Barker
- Selected articles on Key Management (2012-today), by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more
- CKMS Product Sheet (2016), by Cryptomathic