With the ever increasing number of online services and electronic transactions, business owners are becoming ever more dependent on the use cryptography to prevent sensitive information from cyber attackers.

A Key Management System (KMS) must be designed in a manner that supports the goals of each organization using the KMS. The aim of a security policy is to provide a secure working environment for the organization by establishing required security measures, protocols and controls. 

In this article, we discuss the various issues and present Cryptomathic’s approach to central key and crypto management that has been adopted by major banks. 

Cryptographic keys are used to secure data-at-rest and data-in-transit. Trying to keep them protected yet always available for use is one of the most difficult problems in practical cryptography. Improper key management can lead to key leakage, where an attacker obtains the key and recovers the sensitive messages from the encrypted data.

This article discusses the key management problems and Cryptomathic's approach to solving the challenges faced by large organizations that use cryptography for variety of applications.

Recent revelations in the press have caused industry experts to question just how much trust can be placed in existing cryptographic standards or even in certain methods of generating key material. Companies must be prepared to respond quickly and effectively to such changes in the security landscape, else they risk reputational damage and significant costs in the event of a breach.

To understand why this preparation is challenging, we should consider how cryptography is commonly deployed within a business.

The Enlightenment Opportunities Using Crypto Service Gateway

To date the deployment of encryption services and the techniques used to achieve interoperability and technical standards have always lagged behind what businesses have actually needed, or for that matter, what regulators or certain schemes are enforcing.

Businesses often view the inclusion of using cryptographic techniques at the outset of a project as a necessary project evil. More often than not they will include 'tactical solutions', as the 'production strength' solution will perhaps cost the project 30% more, but more importantly, add an extra 5 weeks to the project's duration. Guess which approach is invariably chosen using current services and techniques.

Development Projects Situations     

This second decade since the Millennium is seeing a major uplift in the use of cryptography in existing and new business systems. This uplift is likely to be disproportionately greater than the actual increase in business transaction volumes. In many instances it is the combined impact of compliance, regulatory and governments (e.g. the ICO -Information Commissioner's Office - in the UK) and perhaps most importantly organisations' customers are demanding that personal and corporate data are protected. Otherwise they move to a supplier who does. Increasingly, the use of encryption techniques is seen as an important part of the solution to the demand for providing secure access to existing business and customer data; via an ever widening range of distribution channels and device form factors.

Managing Hardware Cryptography in the Enterprise since the Millennium

There has been a substantial increase in the use of cryptographic techniques and Hardware Security Modules (HSM's) in larger commercial enterprises, and banks in particular, since the upsurge of online services in the late 1990's. Invariably this has been undertaken on a project basis, with each project having its own goals and initial budget. The enhanced security provided by project based HSM implementations results in complex integration environments that can restrict the ability to securely share HSM resources across systems that use cryptography, thereby requiring security projects to 'duplicate' existing HSM infrastructure for each project's production deployment. For a large organisation, e.g. banks, the consequences of this model are unnecessarily large cryptographic infrastructures - which are becoming increasingly costly and ultimately unsustainable to manage.