The encryption features a company needs vary with how it must secure its data. The Ponemon Institute's recent Global Encryption Trends Study showed that some features are considered more essential than others when choosing an encryption solution, particularly where strong key management is the goal.

1. Performance

At the top of the list, companies value system performance and low latency above the other features affecting their security posture. This should come as no surprise: encryption in networking protects large volumes of data in transit, so the overhead of the solution is paid on every packet and every transaction.

2. Policy Enforcement


It is critical that the chosen encryption solution can enforce the organization's security policy. Otherwise the likely result is disruption, with time and money spent resolving incompatibilities, including those involving key management.

3. Supports Both Cloud and On-Premise Deployment

Today, businesses need to secure data used by both cloud and on-premise applications, so an encryption solution, and the key management behind it, must be deployable in such hybrid environments.

4. Key Management

Protecting and securely managing cryptographic keys is critical for securing sensitive and confidential data, and strong key management is an essential feature of an encryption solution for both security and compliance reasons. Encryption is useless if the keys are not managed properly and protected against unauthorized access: whoever holds the key holds the data.

5. Capable of Integrating with Other Security Tools

The ability to integrate with other security tools out of the box is vital for an encryption solution. It saves the time, money and effort otherwise spent getting the solution to work with other critical security tools such as SIEM and identity management systems.

6. Support for Emerging Algorithms

As threats to data security evolve, so will the need for new algorithms in key management and elsewhere. An encryption solution should support emerging algorithms, including quantum-resistant ones, and make migrating to them practical.

7. System Scalability

No two businesses are exactly alike. An encryption solution that fits both Company A and Company B today might not fit Company B if its needs grow exponentially in the future. The solution should therefore scale to accommodate future expansion.

8. Formal Product Security Certifications

Depending on its industry, a business may have to follow one or more sets of regulations governing how it secures its data. The tools it uses for compliance, including its encryption solutions, must be certified or validated against the relevant standards, for example FIPS 140 for cryptographic modules or PCI DSS for cardholder data.

9. Considerations for Separation of Duties and Role-Based Controls

Least privilege is always the best policy when granting access to sensitive data. An encryption solution should make it easy to grant access according to separation of duties and role-based controls, so that no single person can carry out a sensitive key operation alone (dual control).

10. Dedicated Hardware that is Tamper Resistant

The physical security of key material is a concern for many businesses. A dedicated, tamper-resistant hardware encryption solution such as a hardware security module (HSM) is therefore a feature many seek.

11. Supports Multiple Applications or Environments

Enterprise systems are the norm for businesses and require shared resources. Most companies want and need an encryption solution that can serve multiple applications or environments.

12. Regional Segregation Support

The world continues to grow smaller as more companies expand globally. This brings issues such as data residency and increased risk from third-party access to data, and companies face a greater variety of compliance obligations and regulations across different regions. Their encryption solutions must therefore support keeping data compliant in each region, for instance by keeping keys and key usage segregated per region.

Cryptomathic's Crypto Key Management System (CKMS) and the Crypto Service Gateway (CSG): banking-grade key management and encryption solutions

The following table summarizes how Cryptomathic's CKMS and CSG address each of the encryption features discussed above.

Performance

CKMS: CKMS manages keys and is primarily used to generate them, so it relies on an HSM. Performance varies with the type of HSM and the types of keys being generated.

CSG: The performance of CSG depends heavily on the attached HSMs, which are the bottleneck. CSG itself runs with very low latency and very high throughput. Cryptomathic's solutions are HSM-agnostic, so the HSMs used with the CSG platform can be chosen against requirements such as performance.

Policy Enforcement

CKMS: CKMS manages and enforces the lifecycle of cryptographic keys. Key policy is enforced through key templates and dual control.

CSG: CSG features a centralized policy enforcement engine as the means of authorization and of demonstrating compliance. Through the policy, each application is assigned permissions (a whitelist) for specific crypto operations, crypto parameters and keys. The policy therefore gives an overview of the entire crypto estate in terms of enforced crypto policies and key usage. It can also manage policies based on regional or functional cryptographic zones.

Supports Both Cloud and On-Premise Deployment

CKMS: We recommend deploying CKMS on-premise for end-to-end key management and full control of the key lifecycle. CKMS supports BYOK for cloud applications on Google Cloud (GCS), AWS and Microsoft Azure.

CSG: CSG is a Crypto-as-a-Service (CaaS) platform that can be deployed on-premise or in the cloud.

Key Management

CKMS: Cryptomathic provides an all-embracing, banking-grade key management infrastructure compliant with banking standards. This enables complete lifecycle management of all critical application keys, whether they are used in private, hybrid or public clouds.

CSG: CSG manages key usage (which key and algorithm an application may use, and how it may use them), while depending on key services for the key material and for key management itself. CSG is therefore operated together with CKMS, which provides the banking-grade system that manages the lifecycle of the keys.

Capable of Integrating with Other Security Tools

CKMS: CKMS is vendor-neutral and built on an open system architecture. It has a proven history of integration with many other tools and applications, including HSMs.

CSG: CSG provides a number of standard interfaces that third-party security tools can use.

Support for Emerging Algorithms

CKMS: CKMS relies on the capabilities of the HSM to support new and emerging algorithms.

CSG: CSG provides crypto-agility through its policy enforcement mechanism. Security officers can change the crypto parameters to follow best practice or in response to identified weaknesses in existing algorithms. The policy engine acts as a crypto-abstraction layer that streamlines updates throughout the lifecycle of an application: when an application needs a new key or has to support a different algorithm, the security team only updates the policy file in CSG, with no code changes to the application.

System Scalability

CKMS: CKMS can be scaled to meet any requirement, both in the number of servers and in the number of HSMs.

CSG: CSG provides simple means of scaling to an organization's needs. HSM resources can be added or removed without service interruption, and additional CSG server instances can be deployed; load balancers distribute traffic to the newly added CSG servers.

Formal Product Security Certifications

CKMS: Cryptomathic products use banking-grade hardware security modules certified to FIPS 140-2 Level 3 or higher.

CSG: CSG provides banking-grade security and uses HSMs certified according to the relevant standards and regulations, e.g. PCI DSS and FIPS 140.

Considerations for Separation of Duties and Role-Based Controls

CKMS: CKMS uses a role-based access control model, ensuring separation of duties as well as dual control.

CSG: CSG uses a role-based access control scheme with four defined administration roles: Security Officer, Operator, Auditor and Signatory. Authorization of application access is managed through the configured policy.

Dedicated Hardware that is Tamper Resistant

CKMS: CKMS works with all relevant banking-grade HSMs.

CSG: CSG likewise works with all relevant banking-grade HSMs.

Supports Multiple Applications or Environments

CKMS: CKMS has many standard integration points, covering the end-to-end integration between CKMS (which manages the lifecycle of keys) and the applications or HSMs that use the application keys.

CSG: CSG provides CaaS that many applications can use. Interfaces include SDKs for Java, C# and C++, a RESTful interface, and standard APIs (PKCS#11, a JCA provider and a CNG provider).
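As an added illustration of three points in the table above, policy whitelisting per application, crypto-agility through a policy update rather than an application change, and dual control under role-based administration, the following Python gateway is example code written for this article; it is not CSG's or CKMS's code or API. Applications request an operation by name and never choose a primitive or key themselves, so moving the payments application from HMAC-SHA256 to HMAC-SHA512 under a new key is purely a policy change, and that change only takes effect once a second, distinct Security Officer approves it. The role names mirror the four CSG administration roles; the user names, key labels, policy layout and in-memory key material are assumptions constructed for the example (in a real deployment the key bytes would stay inside the HSM).

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical user-to-role mapping. The role names mirror the four CSG
# administration roles; the user names are constructed for this example.
ROLES = {"alice": "Security Officer", "bob": "Security Officer",
         "carol": "Operator", "dave": "Auditor"}

# Constructed sample key material, referenced by label. In a real deployment the
# bytes never leave the HSM; the gateway only ever handles the label.
KEYS = {"mac-key-2023": bytes.fromhex("0b" * 32),
        "mac-key-2024": bytes.fromhex("7c" * 64)}

# Policy file (hypothetical layout): (application, operation) -> assigned
# parameters. Anything not listed is denied; applications never pick the
# algorithm or key themselves.
POLICY_V1 = {("payments-api", "mac"): {"algorithm": "HMAC-SHA256", "key": "mac-key-2023"}}
# The same application after a policy-driven algorithm and key rotation.
POLICY_V2 = {("payments-api", "mac"): {"algorithm": "HMAC-SHA512", "key": "mac-key-2024"}}

DIGESTS = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA512": hashlib.sha512}


class PolicyViolation(Exception):
    """The application asked for something the policy does not whitelist."""


class NotAuthorized(Exception):
    """An administrative action failed the role or dual-control check."""


@dataclass
class Gateway:
    policy: dict
    pending: dict = field(default_factory=dict)  # change_id -> (policy, approvers)

    # Enforcement path used by applications.
    def crypto_op(self, app: str, op: str, data: bytes) -> tuple:
        """Run `op` for `app` with exactly the parameters the policy assigns."""
        entry = self.policy.get((app, op))
        if entry is None:
            raise PolicyViolation(f"{app} may not perform {op}")
        if op != "mac":
            raise PolicyViolation(f"unsupported operation {op}")
        alg = entry["algorithm"]
        key = KEYS[entry["key"]]  # label -> (HSM-resident) key material
        return alg, hmac.new(key, data, DIGESTS[alg]).hexdigest()

    # Administration path: a policy change needs two distinct Security Officers.
    def propose(self, user: str, change_id: str, new_policy: dict) -> None:
        self._require_role(user, "Security Officer")
        self.pending[change_id] = (new_policy, {user})

    def approve(self, user: str, change_id: str) -> None:
        self._require_role(user, "Security Officer")
        new_policy, approvers = self.pending.pop(change_id)
        if user in approvers:
            self.pending[change_id] = (new_policy, approvers)  # keep it pending
            raise NotAuthorized("dual control: a second, distinct officer must approve")
        self.policy = new_policy  # the change takes effect only now

    def _require_role(self, user: str, role: str) -> None:
        if ROLES.get(user) != role:
            raise NotAuthorized(f"{user} does not hold the {role} role")


def rotate_mac_algorithm() -> tuple:
    """Rotate the payments application's MAC primitive through policy alone.
    Returns (algorithm before, algorithm after); the application's own call to
    crypto_op is identical on both sides of the change."""
    gw = Gateway(POLICY_V1)
    before, _ = gw.crypto_op("payments-api", "mac", b"txn-0001")
    gw.propose("alice", "chg-1", POLICY_V2)
    gw.approve("bob", "chg-1")
    after, _ = gw.crypto_op("payments-api", "mac", b"txn-0001")
    return before, after


if __name__ == "__main__":
    print("rotation:", rotate_mac_algorithm())
    gw = Gateway(POLICY_V1)
    for description, action in (
        ("operation not whitelisted", lambda: gw.crypto_op("payments-api", "sign", b"x")),
        ("Operator cannot change policy", lambda: gw.propose("carol", "chg-2", POLICY_V2)),
    ):
        try:
            action()
        except (PolicyViolation, NotAuthorized) as exc:
            print(f"denied ({description}):", exc)
    gw.propose("alice", "chg-3", POLICY_V2)
    try:
        gw.approve("alice", "chg-3")  # self-approval is not dual control
    except NotAuthorized as exc:
        print("denied (self-approval):", exc)
```

The design point is that the application's call site contains no algorithm name and no key: everything it may do is resolved from the policy at request time, which is what lets the security team rotate primitives without touching application code, and what lets an Auditor read the whole crypto estate from a single policy file.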

 
