Keep Your Encryption Keys on the Chain with Key Management

Security is already high on the totem pole of IT priorities, but with 2015 kicking off with a massive Anthem health breach, encryption is a hotter topic than ever.

Many compliance mandates require or encourage some form of encryption, including the commonly encountered PCI and HIPAA standards (the HIPAA Security Rule, while it doesn’t require encryption, does require you to prove, in writing, why you believed encryption wasn’t necessary in your special case. Which, let’s be honest, if you are disclosing a large breach to the public as required, encryption was probably necessary).

There are many encryption methods and vendors on the market, but all of them require access to an encryption key in order to unscramble encoded data.  If a malicious agent gets their hands on this key, it’s game over for your encrypted information.

This means that every enterprise needs a secure, organized system to manage all of their encryption keys. As data sets are updated with new keys, new data is added, different encryption systems are introduced, and user access is modified, encryption key management becomes even more essential.
 

Single vs. Multiple Encryption Key Systems

Data-in-motion encryption methods like SSL or VPN have their own key management systems that won’t apply to data-at-rest. With stored data that has been encrypted, you must keep track of  all of your encryption keys: without them, your data is lost forever. This includes old keys to access older data.

A single key system consists of a single key that encrypts data. Any user who has this key can decrypt it, including potential hackers. With a single key system, a key  management strategy can be as simple as logging the keys, when they were used, what data they were used on, and who has access. Include older keys that may have been used for snapshots or backup tapes with older versions of the data. Change notes should also make their way into this log, listing each old key version alongside the date it was updated and the reason for the change.

A multiple key system has at least two keys: one that encrypts the data and one that is used for authentication. Users do not see the encryption key, only their access key. The database that holds the actual encryption keys is often itself double encrypted, so multiple users must enter their individual access keys in order to authorize access.

Implementing Encryption Key Management Systems

It can be difficult to nail down a single encryption vendor or system as enterprises have many disparate systems across different service providers, in-house data centers, clouds, and storage methods.

There are several encryption key standardization measures in progress, including one from IEEE and another from a consortium including Brocade, Cisco, EMC, HP, IBM, and NetApp known as the Key Management Interoperability Protocol (KMIP). However, Gartner estimates that through 2017, few vendors will have standardized their products.

Therefore, organizations should seek to simplify and streamline their encryption key management as much as possible, while still expecting to manage multiple systems. The first step is to create an enterprise-wide data security plan, or plans, that include compliance requirements and data storage locations before recommending the security threats at hand.

To minimize the sprawl involved, consider using stronger access controls before encryption, eliminating or archiving unneeded data, or consolidating infrastructure. From there, seek to choose vendors with support for more than one platform. The fewer vendors, the less complex the key management. Most off the shelf encryption key systems will include automation options for key rotation, or the process of creating, updating, and backing up encryption keys, meaning it is most vital to check in on the system periodically, keeping and examining log files.

Even if encryption key systems can handle much of the day-to-day management of encryption keys, IT staff is still important. Regular backups should be monitored or separately administered. Old backups may have encryption from a system that is no longer in use, so copies of the encryption key system are also necessary.
 

Ultimately, a strong encryption key management system comes down to research, some common sense, and a bit of meticulousness. While there is certainly a cost associated as well, if you get put into Anthem’s shoes, you’ll probably find that price well worth the admission.