Mountain West Farm Bureau Insurance
office workers empowered by business technology solutions
BLOG
2
11
2015
12.18.2020

Keep Your Encryption Keys on the Chain with Key Management

Last updated:
9.16.2020
12.18.2020
No items found.
encryption may be the key to securing your data

Security is already high on the totem pole of IT priorities, but with 2015 kicking off with a massive Anthem health breach, encryption is a hotter topic than ever.

Many compliance mandates require or encourage some form of encryption, including the commonly encountered PCI and HIPAA standards (the HIPAA Security Rule, while it doesn’t require encryption, does require you to prove, in writing, why you believed encryption wasn’t necessary in your special case. Which, let’s be honest, if you are disclosing a large breach to the public as required, encryption was probably necessary).

There are many encryption methods and vendors on the market, but all of them require access to an encryption key in order to unscramble encoded data.  If a malicious agent gets their hands on this key, it’s game over for your encrypted information.

This means that every enterprise needs a secure, organized system to manage all of their encryption keys. As data sets are updated with new keys, new data is added, different encryption systems are introduced, and user access is modified, encryption key management becomes even more essential.
 

Single vs. Multiple Encryption Key Systems

Data-in-motion encryption methods like SSL or VPN have their own key management systems that won’t apply to data-at-rest. With stored data that has been encrypted, you must keep track of  all of your encryption keys: without them, your data is lost forever. This includes old keys to access older data.

A single key system consists of a single key that encrypts data. Any user who has this key can decrypt it, including potential hackers. With a single key system, a key  management strategy can be as simple as logging the keys, when they were used, what data they were used on, and who has access. Include older keys that may have been used for snapshots or backup tapes with older versions of the data. Change notes should also make their way into this log, listing each old key version alongside the date it was updated and the reason for the change.

A multiple key system has at least two keys: one that encrypts the data and one that is used for authentication. Users do not see the encryption key, only their access key. The database that holds the actual encryption keys is often itself double encrypted, so multiple users must enter their individual access keys in order to authorize access.

 

Implementing Encryption Key Management Systems

It can be difficult to nail down a single encryption vendor or system as enterprises have many disparate systems across different service providers, in-house data centers, clouds, and storage methods.

There are several encryption key standardization measures in progress, including one from IEEE and another from a consortium including Brocade, Cisco, EMC, HP, IBM, and NetApp known as the Key Management Interoperability Protocol (KMIP). However, Gartner estimates that through 2017, few vendors will have standardized their products.

Therefore, organizations should seek to simplify and streamline their encryption key management as much as possible, while still expecting to manage multiple systems. The first step is to create an enterprise-wide data security plan, or plans, that include compliance requirements and data storage locations before recommending the security threats at hand.

To minimize the sprawl involved, consider using stronger access controls before encryption, eliminating or archiving unneeded data, or consolidating infrastructure. From there, seek to choose vendors with support for more than one platform. The fewer vendors, the less complex the key management. Most off the shelf encryption key systems will include automation options for key rotation, or the process of creating, updating, and backing up encryption keys, meaning it is most vital to check in on the system periodically, keeping and examining log files.

Even if encryption key systems can handle much of the day-to-day management of encryption keys, IT staff is still important. Regular backups should be monitored or separately administered. Old backups may have encryption from a system that is no longer in use, so copies of the encryption key system are also necessary.
 

Ultimately, a strong encryption key management system comes down to research, some common sense, and a bit of meticulousness. While there is certainly a cost associated as well, if you get put into Anthem’s shoes, you’ll probably find that price well worth the admission.

Recent Blog Posts

lunavi logo alternate white and yellow
7.21.2021
07
.
19
.
2021
How Lunavi Approaches Digital Transformation: HostingAdvice Company Profile

For prospective clients and partners, the history, ethos, and capabilities of a vendor are paramount. HostingAdvice.com recently profiled Lunavi to explore our approach.

Learn more
lunavi logo alternate white and yellow
5.20.2021
04
.
26
.
2021
Test Automation Best Practices: Balancing Confidence with Efficiency

Automation can instill confidence to release software and improve the team’s ability to create high-quality applications in the fastest and most efficient way possible. Essentially, it eliminates the need to compromise or choose one set of priorities over another. Instead, it allows teams to strike a balance between confidence/coverage and speed/efficiency. But automation isn’t a one-size-fits-all solution.

Learn more
lunavi logo alternate white and yellow
4.20.2021
04
.
20
.
2021
Building Your Cloud Foundation Part 1: Core Configuration & Governance

This first area of focus establishes your cloud policy, or the way your organization consumes and manages cloud resources. Learn how to establish proper scope and mitigate tangible risks through corporate policy and standards.

Learn more