Securely managing cryptographic keys is typically the most difficult part of encryption. In the recent Ponemon Institute survey, Global Encryption Trends Study, the following nine types of keys were identified as the most difficult to manage:
- Keys used for external hosted or cloud services, including BYOK (Bring Your Own Key) keys
- SSH (Secure Shell) keys that are used to log in remotely from one system to another, including for remotely managing network infrastructure
- Signing keys, including those used for digital signatures or code signing
- Encryption keys used by end users, including those used for email or full disk encryption
- Payments-related keys, like those used to secure ATM and POS transactions as required under PCI DSS
- Encryption keys used to secure archived data
- Encryption keys used for backups and storage of data
- Keys that are embedded into devices, including those used for IoT devices or in device production environments at time of manufacture
- Keys that are used with TLS/SSL for communications security over computer networks
It is a requirement for many companies to securely manage most of the keys listed above in order to secure their sensitive and confidential data. Depending on their industry, some companies, especially those in the financial or healthcare sectors, are held to a higher standard that requires more intensive methods and dedicated tools to keep their customers’/patients’ information secured on their systems.
Most Commonly Deployed Key Management Systems
When asked how they were approaching their key management challenges, the companies surveyed identified multiple types of systems they had deployed, including:
- Formal key management infrastructure (KMI)
- Formal key management policy (KMP)
- Manual processes, including creating a spreadsheet or
- Central key management system/server
- Removable media, including USB thumb drives or CDROMs
- Software-based wallets and key stores
- Hardware security modules that provide both physical and logical protection
- Smart cards
While many of these key management systems might accomplish what some of the surveyed companies need to manage their cryptographic keys, there is a wide disparity in the levels of security and reliability offered by many of the methods.
Out of the list of the most commonly deployed key management systems, organizations in Germany, the United States, and the Middle East are more likely to deploy HSMs because of the security and reliability they provide for cryptographic keys.
Key Management Solutions and Advice for Organizations With Highly Sensitive Data
Pioneering banking-grade cryptographic systems and key management for more than 30 years, Cryptomathic's solutions are found in major banks and card providers across the globe. The cloud and the ongoing digitization of processes have extended the traditional core customer group to include insurance, healthcare services, automotive and many other high-value industries.
Cryptomathic’s advice for the choice or upgrade of Key Management Infrastructures in financial or government institutions and companies with sensitive data or valuable assets is:
- Today’s key management solutions in most industry segments need to embrace hybrid infrastructures including clouds and local data centers.
- Compliance with standards (such as PCI DSS, FIPS 140-2/-3, ...) should be considered from the beginning.
- Central control and auditability are crucial and should remain in the customer’s hands, even across hybrid infrastructures.
- Using banking-grade HSMs (FIPS 140-2 Level 3) together with a complete key life cycle management system is advocated for the secure generation and handling of strong keys.
- With the advent of post-quantum cryptography, crypto-agility is a must. Cryptomathic suggests managing HSMs and crypto applications via a centralized, crypto-agile platform that allows policies and algorithms to be updated centrally without impacting the applications. We also advise a blended protection strategy, in which sequences of compliant algorithms are extended by one of NIST’s post-quantum candidates.
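To make the last two points concrete, here is an added example (written for this page, not Cryptomathic's code or any product's API) of the structural idea behind a crypto-agile, blended protection scheme. A central policy registry decides which ordered chain of algorithms protects new records; the application only ever calls `protect()` and `verify()` and never names an algorithm. Each record carries its policy id and key id, so the policy can be switched centrally while records protected under the earlier policy remain verifiable and can be found for re-protection. The policy ids, algorithm names, `CryptoPolicyRegistry`, `KeyStore` and the sample data are all constructed assumptions; the in-memory key store stands in for an HSM or KMS, and keyed BLAKE2b stands in for the second, independent algorithm slot the text reserves for a post-quantum candidate, because only standard-library primitives are used.

```python
"""Crypto-agile integrity envelope: a constructed illustration, not Cryptomathic code.

The algorithm chain is resolved from a central policy registry at run time, so the
application never names an algorithm. Switching the current policy centrally moves
new records to the new chain; old records stay verifiable via their policy id.
"""
import base64
import hashlib
import hmac
import secrets


def _hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _blake2b_keyed(key: bytes, data: bytes) -> bytes:
    # Keyed BLAKE2b accepts keys up to 64 bytes; the 32-byte subkey fits.
    return hashlib.blake2b(data, key=key, digest_size=32).digest()


# Algorithm name -> keyed integrity function. Names are assumptions for this example.
ALGORITHMS = {
    "HMAC-SHA256": _hmac_sha256,
    "BLAKE2b-keyed": _blake2b_keyed,
}

# Constructed policies. Policy 2 is a "blended" chain: every algorithm in the chain
# must verify. BLAKE2b only stands in for a second, independent algorithm here.
POLICIES = {
    1: ["HMAC-SHA256"],
    2: ["HMAC-SHA256", "BLAKE2b-keyed"],
}


class CryptoPolicyRegistry:
    """Central control point deciding which chain protects new records."""

    def __init__(self, policies: dict, current: int):
        self.policies = dict(policies)
        self.set_current(current)

    def set_current(self, policy_id: int) -> None:
        if policy_id not in self.policies:
            raise KeyError(f"unknown policy {policy_id}")
        self.current = policy_id

    def chain(self, policy_id: int) -> list:
        return list(self.policies[policy_id])


class KeyStore:
    """In-memory stand-in for an HSM/KMS holding root keys by key id."""

    def __init__(self):
        self._roots = {}

    def generate(self, key_id: str) -> None:
        self._roots[key_id] = secrets.token_bytes(32)

    def add(self, key_id: str, root: bytes) -> None:
        self._roots[key_id] = bytes(root)

    def subkey(self, key_id: str, algorithm: str) -> bytes:
        # Per-algorithm subkey derived from the root with the algorithm name as
        # label, so algorithms in one chain never share key material.
        return hmac.new(self._roots[key_id], algorithm.encode(), hashlib.sha256).digest()


def protect(data: bytes, registry: CryptoPolicyRegistry, keys: KeyStore, key_id: str) -> dict:
    """Tag data under the registry's current policy; the record names its policy."""
    policy_id = registry.current
    tags = {}
    for alg in registry.chain(policy_id):
        tag = ALGORITHMS[alg](keys.subkey(key_id, alg), data)
        tags[alg] = base64.b64encode(tag).decode()
    return {"policy": policy_id, "key_id": key_id, "tags": tags,
            "data": base64.b64encode(data).decode()}


def verify(record: dict, registry: CryptoPolicyRegistry, keys: KeyStore) -> bool:
    """Accept only if every algorithm in the record's policy chain verifies."""
    try:
        chain = registry.chain(record["policy"])
        data = base64.b64decode(record["data"])
        key_id = record["key_id"]
        for alg in chain:
            expected = ALGORITHMS[alg](keys.subkey(key_id, alg), data)
            actual = base64.b64decode(record["tags"][alg])  # missing tag -> KeyError
            if not hmac.compare_digest(expected, actual):
                return False
        return True
    except (KeyError, ValueError):
        return False


def needs_reprotection(record: dict, registry: CryptoPolicyRegistry) -> bool:
    """Migration check: records not under the current policy should be re-protected."""
    return record["policy"] != registry.current


if __name__ == "__main__":
    ks = KeyStore()
    ks.generate("k1")
    reg = CryptoPolicyRegistry(POLICIES, current=1)
    old = protect(b"constructed sample record", reg, ks, "k1")
    reg.set_current(2)  # central policy change; application code is untouched
    new = protect(b"constructed sample record", reg, ks, "k1")
    print("old verifies:", verify(old, reg, ks), "needs re-protection:", needs_reprotection(old, reg))
    print("new verifies:", verify(new, reg, ks), "chain:", sorted(new["tags"]))
```

The check that matters for the "blended" strategy is in `verify()`: the chain is taken from the policy the record claims, and a record that carries only one tag of a two-algorithm chain is rejected rather than downgraded. `needs_reprotection()` is what a life cycle management process would run over stored records after a central policy change.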