Blog - Cryptomathic

Key Management – A Question of Ownership

Written by Rob Stubbs | 17. January 2018

This article looks at the problems associated with key management that are common in many businesses today, where there is no clear ownership; then it examines the benefits of a centralized key management system and offers advice on building the business case to demonstrate both operational cost savings and a reduction in corporate risk.

Who Owns Your Keys?

Cryptographic keys are at the heart of any electronic security system, whether used for encryption, authentication, integrity protection or non-repudiation. Any compromise can fatally undermine the security application using the affected keys, exposing your business to impacts such as data breach, financial loss, service downtime, reputational damage and regulatory fines.

As the deployment of cryptographic systems has multiplied over the last decade, many businesses have found themselves with keys spread across multiple isolated and fragmented systems in different parts of their organization, and with no unified policy or clear ownership[1]. This creates many problems, such as:

  • Poor physical and logical protection of keys (e.g. USB thumb drives, lack of strict access controls)
  • Errors arising through lack of policy and the use of manual processes (e.g. paper, spreadsheets)
  • Knowledge and expertise spread too thinly across the organization
  • Difficulty complying with national/international legislation and industry regulations (e.g. GDPR, PCI-DSS, Sarbanes-Oxley, GLBA, HIPAA, ISO 27001)
  • Complex and expensive annual audits

And these problems only get worse over time, unless a determined effort is made to resolve them once and for all.

Towards a Centralized Key Management System

The solution is to employ a comprehensive, centralized key management system, which provides the following benefits:

  • Capable of supporting all required key types and volumes through the entire key lifecycle
  • Generates high-quality keys using certified hardware random number sources
  • Provides physical protection of keys with anti-tamper measures
  • Enforces business-defined key management policies to simplify regulatory compliance
  • Restricts access to specific individuals, with strong user authentication and dual control
  • Simplifies and automates many processes, minimizing personnel requirements
  • Provides a full audit trail to ease internal and external compliance audits
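
To make the capabilities listed above concrete, here is an added example (my own code, not Cryptomathic's CKMS or any product of theirs) of a toy key manager in Python that ties them together: policy-enforced key generation from a random source that stands in for certified hardware, a key lifecycle using the NIST SP 800-57 state names, per-operator authentication, dual control for destruction, a crypto-period after which a key may no longer be used, and an append-only, hash-chained audit trail in which every allowed and every refused request is recorded. The policy values, operator names, key identifiers and the fixed clock are all constructed for the demonstration.

```python
"""Toy centralized key manager (added example, not Cryptomathic's code): lifecycle, policy,
dual control, hash-chained audit. Assumed: NIST SP 800-57 states, constructed policy/names."""
import hashlib
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class KeyPolicy:
    allowed_lengths: tuple = (16, 32)                     # AES-128 / AES-256 only
    crypto_period: timedelta = timedelta(days=365)        # rotate after a year
    dual_control_ops: frozenset = frozenset({"destroy", "export"})
    operators: frozenset = frozenset({"alice", "bob", "carol"})  # constructed names

class KeyManager:
    TRANSITIONS = {"activate": ("pre-activation", "active"),   # action: (from, to)
                   "deactivate": ("active", "deactivated"),
                   "destroy": ("deactivated", "destroyed")}

    def __init__(self, policy, now=None):
        self.policy, self.keys, self.audit = policy, {}, []
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _log(self, actor, action, key_id, outcome):
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64  # chain to last entry
        entry = {"time": self._now().isoformat(), "actor": actor, "action": action,
                 "key_id": key_id, "outcome": outcome, "prev": prev}
        self.audit.append({**entry, "digest": digest(entry)})

    def request(self, actors, action, key_id, length=None):
        """Authenticate operators, enforce dual control, apply the action, log it."""
        actors = set(actors)
        try:
            if not actors or not actors <= self.policy.operators:
                raise PermissionError(f"unknown operator for {action}")
            if action in self.policy.dual_control_ops and len(actors) < 2:
                raise PermissionError(f"{action} requires two distinct approvers")
            result = self._apply(action, key_id, length)
        except (PermissionError, ValueError, KeyError) as exc:
            self._log(",".join(sorted(actors)), action, key_id, f"denied: {exc}")
            raise
        self._log(",".join(sorted(actors)), action, key_id, "ok")
        return result

    def _apply(self, action, key_id, length):
        key = self.keys.get(key_id)
        if action == "generate":
            if key or length not in self.policy.allowed_lengths:
                raise ValueError(f"policy forbids generating {key_id} ({length} bytes)")
            self.keys[key_id] = {"state": "pre-activation", "created": self._now(),
                                 "material": secrets.token_bytes(length)}  # stands in for HSM RNG
        elif action == "use":                             # active and inside crypto-period
            if key is None or key["state"] != "active":
                raise ValueError(f"{key_id} is not active")
            if self._now() - key["created"] > self.policy.crypto_period:
                raise ValueError(f"{key_id} crypto-period expired; rotate it")
            return key["material"]
        else:                                             # lifecycle state change
            expected, new = self.TRANSITIONS[action]      # KeyError if action unknown
            if key is None or key["state"] != expected:
                raise ValueError(f"{key_id} is not in state {expected}")
            key["state"] = new
            if new == "destroyed": key["material"] = None  # zeroize, never recoverable

    def verify_audit(self):
        """Recompute the hash chain; any edited or deleted entry breaks it."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

def denied(km, *args):                                    # refusal reason, or None if allowed
    try:
        km.request(*args)
    except (PermissionError, ValueError, KeyError) as exc:
        return str(exc)

def demo():
    """Walk one constructed key through its lifecycle; returns (manager, outcomes)."""
    clock = [datetime(2018, 1, 17, tzinfo=timezone.utc)]  # fixed, advanceable clock
    km, out = KeyManager(KeyPolicy(), now=lambda: clock[0]), {}
    out["rogue"] = denied(km, ["mallory"], "generate", "rogue", 16)   # unknown operator
    out["weak"] = denied(km, ["alice"], "generate", "weak", 8)        # length off-policy
    km.request(["alice"], "generate", "db-enc-01", 32)
    km.request(["alice"], "activate", "db-enc-01")
    out["use_len"] = len(km.request(["bob"], "use", "db-enc-01"))
    clock[0] += timedelta(days=400)                                   # crypto-period ends
    out["expired"] = denied(km, ["bob"], "use", "db-enc-01")
    km.request(["alice"], "deactivate", "db-enc-01")
    out["solo"] = denied(km, ["alice"], "destroy", "db-enc-01")       # one approver only
    km.request(["alice", "bob"], "destroy", "db-enc-01")              # dual control met
    out["state"] = km.keys["db-enc-01"]["state"]
    return km, out
```

Running `demo()` takes one key from generation through activation, use, expiry, deactivation and dual-controlled destruction, with two refused generations and one refused single-person destruction along the way. The design point is the single enforcement path: every request, allowed or refused, passes through `request()`, so policy decisions, operator identity and outcome all land in the same tamper-evident log, and `verify_audit()` detects any later edit or deletion of an entry. That is the property an internal or external auditor is asking for when they ask for a "full audit trail".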

Return on Investment (ROI)

The project cost can usually be justified by the ongoing operational efficiencies alone, with a relatively short payback period, although it could equally be justified by the less tangible (but nonetheless very real) reduction in business risk it delivers. A phased migration can always be employed to reduce project risk and to deliver the benefits, and the reduction in business risk, progressively over time.

Implementing a key management system is certainly not trivial – to ensure success, the project should be scoped, resourced and managed accordingly, and the business-transformation aspects should not be underestimated. For this reason, and also because of the corporate risk management benefits, the project should be sponsored at the highest level – typically by the Chief Information Security Officer (CISO) – and backed by the CEO, COO and CFO. Only then will the true business case and ROI become clear and the relevant cross-functional teams be motivated to embrace the changes.

Delaying the adoption of a centralized key management system will only prolong the problems, expense and risk associated with a lack of ownership, and make the eventual change more difficult and expensive. Therefore, businesses should grasp this nettle today, before the situation gets truly out of hand.

Cryptomathic CKMS

Cryptomathic’s Crypto Key Management System (CKMS) has evolved over the last 10 years to provide a comprehensive solution that has been successfully employed by many large enterprises around the world. The latest release introduces Bring Your Own Key (BYOK) support with the ability to Manage Your Own Key (MYOK) for external cloud services.

References and Further Reading

  • Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Martin Eriksen, Peter Landrock, Peter Smirnoff, Stefan Hansen and more