This article explains some of the cryptographic key management tasks involved in demonstrating and proving compliance to acceptable standards, and how this process can be simplified by centralization, automation, and adequate preparation.
What is involved in checking a key management system for compliance?
A key management system should be audited periodically to ensure that it complies with the standards set by governing authorities. All keys in any type of system must be managed according to the guidelines set by compliance requirements, both internally and externally. This is becoming the determining factor in how keys are managed. Each of the stages within the life cycle of keys must be checked for security with particular administrative tasks. The auditing process will vary depending on the industry, the type of environment, and other factors. The process of documenting and proving compliance can be very difficult and costly for an organization. The actual implementation of the system is often simple in comparison.
Importance of understanding the scope of compliance measures
In order to avoid excessive costs and overhead when implementing a particular key management solution, it is important to get an understanding of key management compliance requirements before much thought has been given to the implementation. Organizations need to understand exactly what is necessary to achieve compliance, and then design their system accordingly, while considering the environment and processes within scope.
The three domains of Compliance
There are three basic compliance domains that have their own individual requirements for achieving compliance:
- Physical Security
- Logical Security
- Personnel security
Physical SecurityPhysical security involves the protection of physical assets from unauthorized actions by equipping the physical hardware and other materials with security devices, which can be grouped into the following three types:
- Tampering is detectable – This type includes security devices like movement detectors and surveillance cameras, which are designed for detecting any kind of physical tampering.
- Tampering is physically difficult (using tamper resistant equipment) - An example of a tamper resistant device is an HSM securely bolted to the floor and/or placed in a restricted area.
- Tampering triggers appropriate response - A tamper responsive device can trigger an alarm or a countermeasure designed to thwart the tampering.
Working alongside physical security, logical security endeavors to protect data and information within an organization from fraudulent use. This involves specific requirements for cryptographic, infrastructure and software design.
- Cryptographic - Any cryptographic design involves the use of keys to encode and decode information as it is sent or stored. There are many types of keys, each designed for a specific function and algorithm.
- Infrastructure - Infrastructure design involves the use of secure segmented architecture within an organization. These secure segments have protocols that provide restrictions on information access over networks and systems and creates locations for safe data storage. A segment can include things like cabling, switches and firewalls.
- Software design - The entire software development and updating process must proceed in a compliant manner and must follow cryptographic standards when using cryptographic algorithms.
All sensitive activity should have special restrictions like maintaining dual control, which means that at least two persons are present to initiate the action. This ensures that no single person can perform the action. This technique is very effective in preventing against misuse.
Another protective measure is to log security relevant actions to detect if, when, and where any type of security problem occurs.
This involves assigning roles/privileges to personnel for accessing information and performing other sensitive activities. Security clearance must be emphasized. As mentioned above, no single person should be allowed to access critical material or data, and all contact with such material and data must be thoroughly recorded.
Who are the governing authorities for compliance?
Since compliance measures are dependent on industry, it is important to know which compliance authorities are relevant to the organization.
Two of the compliance authorities that are relevant to the financial services sector are NIST (National Institute of Standards and Technology) and The Payment Card Industry Security Standards Council (PCI SSC).
- NIST provides standards that cover the security of computer and cryptographic systems, algorithms, and related technology.
- PCI controls the data security aspects for the entire life cycle of payment cards. They also prescribe the security measures for key management of the cryptographic keys for cardholder data (PCI DSS) and also for cardholder PINs (PCI PTS).
There are also a large number of other external compliance authorities that may need to be looked into, which are highly dependent on industry.
As though the rigid requirements imposed by these organizations are not enough, many large organizations, such as government institutions and banks, have their own internal audit departments with an even stricter set of requirements.
Centralized and Automated Key Management
Using a centralized and automated key management system has several advantages as far as achieving compliance. This would be much simpler that systems of the past, where each application would have a separate key management interface. The overhead required to audit these KMS interfaces becomes quite excessive. In addition, these interfaces may be incompatible.
Automating the process can simplify the compliance procedures and processes by reducing the human error factor, since humans are very prone to making mistakes, and don’t always have the best intentions. Automation is also much faster, and eliminates the need for manual key management, which is very time demanding.
The tasks involved in demonstrating and proving compliance to acceptable standards can be a major headache for any organization. This process also can be very expensive if adequate preparations are not made. This is why it’s important to have organized compliance procedures already in place when the time comes, and then go through the compliance process one step at a time, while maintaining any documentation and updates.
Having the right equipment installed along with trained personnel will greatly improve chances for compliance approval. Once the final approval is given, an organization can have the confidence that its security measures are well under control.
Photo: "Audit Checklist" Courtesy of Boris Dzhingarov, Flickr (CC BY 2.0)