How to Manage Encryption Keys
What are encryption keys?
Encryption keys are alphanumeric codes or sequences of characters that are used, together with an algorithm or mathematical process, to transform plain text data that anyone can read into scrambled cipher text that is unreadable unless decrypted. Encryption keys are used to protect private and sensitive data in storage, in transit, and in use. Encrypted data or cipher text can only be read once it is descrambled with its associated decryption key.
Encryption keys can be symmetric or asymmetric. When a symmetric encryption key is used, the same key is employed to encrypt and then decrypt the data back to readable text. When asymmetric keys are used, one publicly shared key (public key) encrypts the plain text data and a different key, one that is never shared and kept private (private key), is used to decrypt the data. Whether using symmetric or asymmetric encryption, the objective is to maintain the confidentiality of the encrypted data. Even if the encrypted data falls into the wrong hands, the data remains protected. For this reason, protecting the keys is critical – lose the keys, lose the data.
Why is encryption so common today?
Encryption has a long history and has been used over time, particularly in warfare. Early Greeks used transposition ciphers (a type of encryption) to protect information from falling into enemy hands. In modern times, and with the advent of the information age, encryption has become an indispensable tool to protect data and applications. Initially used primarily in banking and financial applications, its adoption has become widespread across the digital transformation space, becoming a mandated requirement in many regulated industries.
Where is encryption used?
Today, encryption has become a best practice, and is used across a wide spectrum of applications and industries. As more and more everyday activities are carried online, ensuring the confidentiality and integrity of these transactions is critical. Banking, finance, e-commerce, e-government, and healthcare are only a few of the many industries that make extensive use of encryption technology. Most people use encryption every day without even knowing. Whenever you make a purchase online, the order and payment information is encrypted with Transport Layer Security/Secure Socket Layer (TLS/SSL) – a widely used standard that employs both symmetric and asymmetric encryption to secure online connections.
When is encryption used?
Encryption is used to protect the confidentiality of information. Organizations processing sensitive data such as their own intellectual property (IP) and data on their clients including personal identifiable information (PII), personal health information (PHI), payment data that has credit card numbers, and other forms of data that are tied to individuals are often required by various jurisdictions around the globe to protect the data. As organizations store more and more sensitive data to carry on their daily business, storage repositories have become major targets for attacks. As a result, both data in transit (traversing networks) and data at rest (in storage) are typically encrypted to protect from attacks that can compromise their confidentiality, cripple business, and compromise the reputation of organizations.
As information has become the engine that powers modern business, data has come to be an important resource. Government and industry regulatory entities around the globe have stepped up enforcement efforts to ensure the protection of data and the privacy of the individual whose data is being collected. The new regulatory environment has made encryption top of mind for organizational leaders including chief information officers (CIOs), chief information security officers (CISOs), and compliance officers across many industries. This has led to encryption being increasingly build into many applications. Because encryption desensitizes the data, it can also de-scope the extent of certain regulations, increasing security and reducing cost.
Why is key management important?
Encryption is an important tool to protect organizations from data breaches that can cause significant economic and reputational damage. However, encryption can only be as good as the degree to which its associated keys are protected. If one thinks of encryption as the lock on your front door, it can only effectively secure your possessions if you adequately protect the key. Leaving the key under your door mat defeats the protection that the lock provides. If one does not protect the encryption keys, there is no point in encrypting the data – find the keys, access the data. Therefore, sound cryptographic key management is essential to ensure the effectiveness of any data encryption scheme.
Encryption key management includes two main aspects: lifecycle management and access management. Lifecycle management involves the generation, use, storage, update, archive, and destruction of critical cryptographic keys. Access management ensures that only authenticated and authorized users can utilize the keys to encrypt and decrypt the data. It is important to highlight that users today include both humans as well as applications (machines). In fact, more machines typically need access to data than real people. To enable authentication and authorization of users, people and machine identities need to be issued for subsequent validation. This is where a public key infrastructure (PKI) also becomes part of a comprehensive key management strategy.
What makes a good key?
The quality of a cryptographic key is measured by the degree to which it can be defeated by brute force. Like passwords that need to be strong and not be easily guessed, keys need to also be strong, developed using true random number generators. The Federal Information Processing Standards (FIPS) provide guidance on the use of approved hardware-based random number generators. These are typically delivered by certified hardware security modules (HSMs) - dedicated platforms that generate and manage strong keys throughout their lifecycle. While HSMs have traditionally been deployed on-premises, migration to the cloud has also made HSMs available as a subscription-based service. Cloud-based HSMs deliver dedicated hardware platforms as a service for customers to generate and manage keys without the need to buy and maintain their own equipment. When moving applications and data to the cloud, organizations need to think about how the level of ownership, control and possession changes to ensure a strong security posture across the expanding computing ecosystem.
Why do cryptographic keys need protection?
Keys, whether used for encryption to protect the confidentiality of data or for signature to protect its provenance and integrity, underpin the security of the cryptographic process. No matter how strong the algorithm used to encrypt or sign the data, if the associated key is compromised, the security of the process is defeated. For this reason, protecting cryptographic keys is of critical importance.
Because of the random nature of keys that we described earlier, the location of keys in software can be somewhat easy to identify. Attackers looking for sensitive data will go after the keys, as they know that if they get the keys, they can get the data. Keys stored in software can therefore be located and obtained, putting in danger the security of the encrypted data. For this reason, HSMs should always be used to protect keys. The use of HSMs as a root of trust has become a best practice in the cybersecurity industry, recommended by security professionals and many leading application vendors.
Another factor to take into consideration for protecting keys is not only access from external attackers, but also from insiders. The use of HSMs to protect and manage keys provides mechanisms to establish dual controls, so no single internal individual or entity can change key use policies and effectively subvert established security mechanisms. Quorum schemes where a pre-determined minimum set of individuals must come together to affect any changes to the HSM and its key management functions also provides enhanced levels of security.
What does a key management system provide?
A key management system provides the underpinning centralized root of trust necessary to enforce the data security policy across an organization. Controlling not only the lifecycle of all keys, but also maintaining timestamped logs of all user access, it provides a vital tool for auditing and compliance. With increasing cybersecurity threats and growing government and industry regulations, key management systems are becoming indispensable.
Why is key management important for regulatory compliance?
A growing number of government and industry data security regulations require strong encryption and effective cryptographic key management for compliance. Citizen privacy laws such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS) among others specifically recognize the need for strong encryption and key management, including the use of certified products to facilitate compliance.