How to implement efficient Key Management in a Legacy Infrastructure

This article discusses the various issues around key management and presents Cryptomathic’s approach to central key and crypto management that has been adopted by major banks. To protect sensitive data, many banking and finance organizations face challenges during the implementation and maintenance of cryptography on both new projects and legacy systems.

Over time, major banking organizations adopted network-based Hardware Security Modules (HSMs) for securing mission-critical infrastructures such as Public Key Infrastructure (PKI) and online transactions.

HSMs are dedicated hardware systems designed to store and manage private and public keys. The significant increase of HSMs in organizations has led to scalability issues and challenges in managing cryptographic implementations.

Do you see an increase in HSM purchases?

Some of the challenges faced by financial organizations dealing with multi-vendor HSMs include:

1. Increase in cost for training employees
2. Lack of flexibility and scalability in project implementations
3. No centralized control and policy management

With the explosion in the number of HSMs purchased in an organization, cryptographic decisions such as algorithms, key sizes, and crypto-periods are often enforced on a per-project basis. This reduces the flexibility and scalability of projects. 

According to experts, deprecating a cryptographic algorithm or hash (MD5, SHA1, DES) in such scenarios will be highly expensive. Another consequence of large numbers of HSMs will also result in additional training costs for developers and architects to get familiar with the different brands of HSM. 

Organizations have been searching for solutions to avoid significant financial burdens by utilizing existing HSM infrastructure and business capacity. An HSM vendor-neutral cryptographic solution was necessary to address these issues. 

Cryptomathic was well aware of the problems occurring in large-scale deployments. Crypto Service Gateway (CSG) was developed to tackle the scalability and flexibility issues of multi-vendor HSMs.

Centralized control and policy management for true crypto-agility

Controlling everything from one place is the most simple and efficient way to manage crypto.

One of the toughest jobs in crypto management is policy enforcement.

A centralized and granular cryptographic policy can enable seamless updates for all required cryptographic functions without any changes in the application code.

Organizations wanted a solution that provides centralized policy enforcement, wherein the system collects all relevant information in a single place for easy audit and provides it in human-readable form so that demonstrating compliance with internal and external policies can be much easier.

The CSG solution offered by Cryptomathic was designed to tackle all of the concerns discussed thus far to offer a centralized crypto service and monitoring capabilities. Centralized controls allow the business to restrict access to cryptographic functions and enforce policies on key length, rotation, and mode of operation.