BLOG: Best Practices for Encryption Key Management

December 7th, 2020
Matthew Likes
Security Architect – Mainline Information Systems


Where Did I Leave My Keys?

This is a mildly stressful question to be asking yourself if you’re running late for a meeting or doctor’s appointment, or even when you need to make a last-minute run to the store. We’ve all been there. But anxiety shoots to a whole new level if you’re asking yourself this question while attempting to restore a critical application from backup after an incident. One lost cryptographic key is all it takes to wipe out an entire dataset: the ciphertext is still on disk, but without the key it is indistinguishable from noise.


Data Encryption is Everywhere

Cryptography has become an essential component of data security and data protection. From self-encrypting drives to secure virtual machines to websites and secure chat, today’s systems are almost all built on algorithms that use randomly generated keys to encrypt and decrypt sensitive data. Those algorithms are typically chosen to align with National Institute of Standards and Technology (NIST) standards, AES (FIPS 197) being the common example. But for all the peace of mind that data encryption brings, it also introduces a whole new set of risks and responsibilities: the security of the data now rests entirely on the secrecy and the availability of the keys.

Here are some questions to ask yourself:

  • How often are we rotating our cryptographic keys?
  • How long do our keys last before they expire?

If you don’t have solid answers to these questions, who in your organization does? Is it your storage admin? Your data security officer? Or could it be some lowlife in a basement halfway across the world, just waiting for the right moment to lock you out using key material that resides in your own tools?


Managing the Lifecycle of Cryptographic Keys

It is impossible to overstress how important it is to have defined processes and policies around managing the lifecycle of your keys: when a key is created, when it becomes the one used for new encryption, when it is retired to decrypt-only duty, and when its material is destroyed. However, the challenge doesn’t have to be intractable. With a little planning and the right tools, managing the lifecycle of your encryption keys can become as routine as paying your electricity bill.
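The rotation and expiry questions above become concrete once every ciphertext carries the identifier of the key version that produced it. The following is an added example written for this page, not code from the original post or from any IBM product. It models a small in-memory key store with expiry-driven rotation, deactivated keys that can still decrypt old data, and destruction that makes data unrecoverable, which is exactly the failure mode the opening paragraph warns about. The key identifiers (`key-0001`, …) and the one-hour lifetime are assumptions, and the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, used only because the Python standard library has no AES-GCM; in production the keys and the cipher come from your KMS or HSM.

```python
"""Key lifecycle demo: versioned keys, expiry-driven rotation, destruction (added example)."""
import hashlib
import hmac
import os
import struct
import time

# Key states modelled after the NIST SP 800-57 lifecycle.
ACTIVE, DEACTIVATED, DESTROYED = "active", "deactivated", "destroyed"


class KeyRecord:
    def __init__(self, key_id, material, created, lifetime):
        self.key_id, self.material = key_id, material
        self.expires, self.state = created + lifetime, ACTIVE


class KeyStore:
    """In-memory stand-in for a key manager: tracks versions, expiry and state."""

    def __init__(self, lifetime_seconds, now=time.time):
        self.lifetime, self.now = lifetime_seconds, now
        self.keys, self.current = {}, None
        self.rotate()

    def rotate(self):
        """Mint a new ACTIVE key; the previous one becomes DEACTIVATED (decrypt-only)."""
        if self.current is not None:
            self.keys[self.current].state = DEACTIVATED
        key_id = f"key-{len(self.keys) + 1:04d}"  # hypothetical naming scheme
        self.keys[key_id] = KeyRecord(key_id, os.urandom(32), self.now(), self.lifetime)
        self.current = key_id
        return key_id

    def destroy(self, key_id):
        """Crypto-shred: once the material is gone, data under this key is unrecoverable."""
        rec = self.keys[key_id]
        rec.material, rec.state = None, DESTROYED

    def key_for_encryption(self):
        """Only the current ACTIVE key encrypts; if its lifetime has elapsed, rotate first."""
        if self.now() >= self.keys[self.current].expires:
            self.rotate()
        return self.keys[self.current]

    def key_for_decryption(self, key_id):
        rec = self.keys.get(key_id)
        if rec is None or rec.state == DESTROYED:
            raise KeyError(f"{key_id} unavailable: ciphertext under it cannot be recovered")
        return rec  # ACTIVE or DEACTIVATED keys may still decrypt older data


def _subkeys(material):
    # Derive separate encryption and MAC keys from the stored key material.
    return (hmac.new(material, b"enc", hashlib.sha256).digest(),
            hmac.new(material, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # Stand-in for a real cipher: HMAC-SHA256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(store, plaintext):
    """Blob layout: [len(key_id)][key_id][16-byte nonce][ciphertext][32-byte tag]."""
    rec = store.key_for_encryption()
    enc_key, mac_key = _subkeys(rec.material)
    nonce, kid = os.urandom(16), rec.key_id.encode()
    header = bytes([len(kid)]) + kid + nonce  # the key id travels with the data
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt(store, blob):
    kid_len = blob[0]
    key_id = blob[1:1 + kid_len].decode()
    header, nonce = blob[:17 + kid_len], blob[1 + kid_len:17 + kid_len]
    ct, tag = blob[17 + kid_len:-32], blob[-32:]
    rec = store.key_for_decryption(key_id)  # raises KeyError if destroyed or unknown
    enc_key, mac_key = _subkeys(rec.material)
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or header was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_demo():
    """Walk one key through its lifecycle and return what happened at each step."""
    clock = [1_000.0]  # controllable clock so expiry is deterministic
    store = KeyStore(lifetime_seconds=3600, now=lambda: clock[0])
    first = encrypt(store, b"customer ledger 2020")  # constructed sample data
    out = {"first_key": store.current, "roundtrip": decrypt(store, first)}
    clock[0] += 3601  # lifetime elapsed: the next encrypt rotates automatically
    second = encrypt(store, b"customer ledger 2021")
    out["second_key"] = store.current
    out["old_state"] = store.keys[out["first_key"]].state
    out["old_data_still_readable"] = decrypt(store, first)
    store.destroy(out["first_key"])
    try:
        decrypt(store, first)
        out["after_destroy"] = "decrypted"
    except KeyError:
        out["after_destroy"] = "unrecoverable"
    out["new_data_readable"] = decrypt(store, second)
    return out
```

Two design points matter more than the toy cipher. First, rotation changes which key is used for new data only; the old version stays decrypt-only until every backup that references it has been re-encrypted or aged out, which is why the blob carries the key id rather than assuming "the current key". Second, destruction is deliberate and irreversible, so the policy question is not whether a key expires but who is allowed to destroy it and what proves nothing still depends on it.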

So what is the best way for us to manage our keys?


Key Management Systems for Data Security

Key Management Servers (KMS)

Key Management Servers are a simple-yet-elegant technology that has been around for many years. There are different flavors available, but the industry has settled on some standards. One of these is the Key Management Interoperability Protocol (KMIP), maintained by OASIS, which defines how a client asks a server to create, retrieve, rotate and destroy keys so that storage arrays, hypervisors and applications from different vendors can share one key manager.

The screenshot above is from a product called IBM Security Key Lifecycle Manager (SKLM). It is relatively easy and inexpensive to deploy, supports any application or device that communicates over KMIP, and has redundancy features built right into it.

Here are some basic features of the product:

  • Easy-to-use interfaces for monitoring the deployment and expiration of your keys.
  • No complicated vendor hardware compatibility list (HCL). If your server, array, application, or hypervisor speaks KMIP, it works!
  • Five secure replicas of your keystore.
  • Runs on Linux, Unix, or Windows.


Cloud Key Managers (CKM)

Meet IBM Guardium for Cloud Key Management (GCKM), a solution that provides multi-cloud key management. GCKM allows organizations to generate new keys, migrate existing keys, and manage the key lifecycle in both public and private clouds. It gives an organization the ability to delete its keys from a cloud provider’s key management service at any time, rendering the encrypted data there useless until GCKM restores those keys at the time YOU choose. That restore is only possible because GCKM keeps its own copy of the key material, so the GCKM keystore itself needs the same backup discipline and access control as the data it protects.

GCKM allows organizations to:

  • Integrate the key management services of multiple cloud service providers.
  • Orchestrate and manage keys across all clouds, public or private, from a single dashboard.
  • Generate, migrate, and control your keys in and out of the cloud.
  • Delete keys from clouds at any time, rendering any encrypted data useless until GCKM restores the keys to the cloud’s KMS.


Need Help Finding the Encryption Key Management Solution That’s Right for You?

Everyone’s situation is different. Mainline’s team of seasoned pros is experienced in recommending and implementing responsible network and data security strategies for our clients. Let us help you sort out the issues and get you on a path toward a safer environment. Contact your Mainline Account Executive directly or contact us about your data encryption needs.

