This article explains some of the cryptographic key management tasks involved in demonstrating and proving compliance to acceptable standards, and how this process can be simplified by centralization, automation, and adequate preparation.
A key management system should be audited periodically to ensure that it complies with the standards set by governing authorities. All keys in any type of system must be managed according to the guidelines set by compliance requirements, both internal and external. This is becoming the determining factor in how keys are managed. Each stage of the key life cycle must be checked for security through specific administrative tasks. The auditing process will vary depending on the industry, the type of environment, and other factors. The process of documenting and proving compliance can be very difficult and costly for an organization; the actual implementation of the system is often simple in comparison.
In order to avoid excessive costs and overhead when implementing a particular key management solution, it is important to get an understanding of key management compliance requirements before much thought has been given to the implementation. Organizations need to understand exactly what is necessary to achieve compliance, and then design their system accordingly, while considering the environment and processes within scope.
There are three basic compliance domains that have their own individual requirements for achieving compliance:
Working alongside physical security, logical security endeavors to protect data and information within an organization from fraudulent use. This involves specific requirements for cryptographic, infrastructure and software design.
This involves assigning roles/privileges to personnel for accessing information and performing other sensitive activities. Security clearance must be emphasized. As mentioned above, no single person should be allowed to access critical material or data, and all contact with such material and data must be thoroughly recorded.
Since compliance measures are dependent on industry, it is important to know which compliance authorities are relevant to the organization.
Two of the compliance authorities that are relevant to the financial services sector are NIST (the National Institute of Standards and Technology) and the Payment Card Industry Security Standards Council (PCI SSC).
There are also a large number of other external compliance authorities that may need to be looked into, which are highly dependent on industry.
As though the rigid requirements imposed by these organizations are not enough, many large organizations, such as government institutions and banks, have their own internal audit departments with an even stricter set of requirements.
Using a centralized and automated key management system (KMS) has several advantages when it comes to achieving compliance. It is much simpler than the systems of the past, where each application had its own separate key management interface. The overhead required to audit each of these KMS interfaces becomes excessive, and the interfaces may also be incompatible with one another.
Automating the process can simplify compliance procedures by reducing the human error factor, since humans are prone to making mistakes and don’t always have the best intentions. Automation is also much faster, and it eliminates the need for manual key management, which is very time-consuming.
The tasks involved in demonstrating and proving compliance to acceptable standards can be a major headache for any organization. The process can also be very expensive if adequate preparations are not made. This is why it’s important to have organized compliance procedures already in place when the time comes, and then to go through the compliance process one step at a time, while maintaining all documentation and keeping it up to date.
Having the right equipment installed along with trained personnel will greatly improve chances for compliance approval. Once the final approval is given, an organization can have the confidence that its security measures are well under control.