Selecting the Right Key Management System

The protection and secure management of cryptographic keys is crucial for ensuring that cryptography is used in the most effective way to keep data secure. Picking the wrong key management system (KMS) can thwart all the efforts that have been made in using cryptography to protect information.

A Variety of Key Management Systems

At first glance, it might seem like a simple idea to keep a spreadsheet or a written list of the keys locked away. However, human error and scalability issues are common problems with manual key management. The answer to these problems is a computerized key management system.

A modern key management system provides the framework for managing numerous keys throughout their lifecycles. There are multiple types of key management systems and ways a system can be implemented, but the most important characteristics to search for include:

• Ability to support a variety of key types and formats

• Certified hardware random number generator for strong key generation

• Protection for stored keys using a certified, tamper-resistant hardware device

• Automation for common/tedious tasks

• Logical access controls with strong user authentication

• Full tamper-proof audit log

Hardware Security Modules 

Hardware security modules (HSMs) are devices that are often used to generate keys, keep them protected from many logical and physical attacks, and then use the keys in performing cryptographic operations within a secure environment. A standalone HSM could potentially be used as a key management system. However, there are several downsides to this, mainly:

• Managing the keys’ lifecycle can be time-consuming and involves resource-intensive manual tasks

• Scalability is limited as the number of HSMs grows

• Problems with distributing keys securely to external parties

Benefits that the Right Key Management System Brings

There are three main benefits that a key management system brings to organizations:

1. Risk reduction

A key management system elevates security by implementing technical measures that work to prevent the loss, compromise or misuse of keys by:

• Generating high-quality keys

• Physically protecting keys from theft or misuse

• Providing access controls that enforce role-based authority’s management of the system

• Automating key rotation

• Revoking/deleting when keys are compromised

• Guaranteeing services and availability of keys

• Providing signed usage and audit logs

2. Compliance

• PCI DSS

• HIPAA

• GDPR

• SOX

3. Cost reduction

A key management system provides several ways for organizations to reduce costs by:

• Eliminating inefficient manual processes

• Centralizing operations

• Reducing human errors

• Automating specific processes

• Having the ability to scale to allow for growth

• Reducing the time needed to ensure compliance and audits

• Protecting organization from any fines or reputational damage if keys are compromised

Meeting Industry or Project Specific Needs

The market for key management systems is spread across multiple industries where key management is needed, including:

• Defense and military systems, where key availability and protect could be a matter of life and death.

• Banking and finance operations, where key protection is needed to protect reputation and data that are critical to business operations.

• Commercial and enterprise, where encryption keys that are essential for protecting personal data have increased in significance.

Key management systems range from general-purpose, vendor- and application-agnostic to those that are targeted at certain niche and/or proprietary applications, including:

• Long-term data storage

• Cloud applications

• Proprietary

Want to learn more about which key management system is right for your organization? Read the full white paper (below) for all the details on how selecting the right key management system can make all the difference in maintaining cryptographic keys to keep your critical data safe.

Growing Importance of Centralized Key Management Across the Hybrid Cloud

As companies and government institutions adopt digital transformation and the platformization of their services, there is an increase in migrating IT services from on-premise, self-managed data-centers to a variety of public cloud services.

Cloud computing provides major advantages to the banking and financial sector including

• lower capital costs (only applicable when needed)
• elasticity and resilience allowing for rapid and agile development
• growing third party services and service ecosystems allowing to orchestrate composite services rapidly and economically

Yet, security and privacy concerns remain a significant barrier standing between adopting cloud computing for many business-critical applications. Exposing data to third parties implies a critical risk and often collides with compliance requirements by regulatory bodies. Also companies and institutions risk losing control of their own data, running into a vendor lock-in, when the CSPs hold the keys of data encryption.

Key Management, conducted within the own data-center allows creating protected security meshes across the hybrid cloud. The concept is called “Bring Your Own Key” (BYOK). To do so, the key management systems need to be able to provide keys securely to the cloud environments and manage their complete life cycle remotely. In the cloud, the keys need to reside within hardware security modules. To be safe, data, whether at rest, in use or in transit must never be visible to third parties in an unencrypted way. The key management systems also need to be able to generate complete security logs, so that auditing bodies can conduct centralized audits to verify regulatory compliance.

Owning the keys allows companies to move data across various cloud infrastructures, and if needed, to swap CSPs. The company stays in control at any time of the process.

An earlier version of this article was published on January 14, 2019.

References and Further Reading

• Buyer’s Guide to Choosing a Crypto Key Management System - Part 1: What is a key management system (2018), by Rob Stubbs

• Buyer's Guide to Choosing a Crypto Key Management System; Part 2: The Requirement for a Key Management System (2018), by Rob Stubbs

• Buyer’s Guide to Choosing a Crypto Key Management System - Part 3: Choosing the Right Key Management System (2018), by Rob Stubbs

• NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker

• Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more

• CKMS Product Sheet (2016), by Cryptomathic