Key Management: Today's Challenge

While cryptography is at the root of many different processes that can provide powerful security, without proper management these processes can become complex, costly, and risk-prone. Your ability to manage security operations built on cryptography—such as digital signing or data encryption—depends squarely on your ability to manage effectively the cryptographic keys that govern these processes. Key management challenges will only increase over time as cryptography is employed more broadly within an organization’s IT infrastructure, driving up the number and diversity of keys to be managed. Individuals responsible for implementing cryptographic security need to become familiar with different approaches to key management, key management best practices, and technology alternatives for implementing those practices. 

Key management is not just an operational challenge. As regulatory bodies become more aware of the importance of key management, the security and audit requirements specific to these processes are becoming more stringent. In addition, standards such as the OASIS Key Management Interoperability Protocol (KMIP) are maturing and will improve key management interoperability between different devices and systems. Given these trends, organizations need to consider operational, security, and audit requirements when building a key management strategy.

What Is Key Management?

The process of key management is the complete set of human and automated tasks necessary to create, maintain, protect, and control the use of cryptographic keys. Whether you are encrypting data for confidentiality, using digital certificates for authentication, or executing digital signing processes for document integrity, many key management challenges remain the same. Each key has a lifecycle—it is born, lives a useful life, and is retired. The length of a key’s lifecycle and what exactly happens between its birth and retirement can vary widely depending on the specific application. By managing keys effectively across their entire lifecycle, you can reduce risk, lower deployment costs, and preserve compliance with data protection regulations.

Approaches to Key Management

Depending on your goals, you may be concerned about key management for a single application or you may be looking to manage cryptographic keys more effectively across a set of business processes, either within an organizational unit or across the entire enterprise. 

Individual security applications have widely varying characteristics. Consider the differences between 1) encrypting data passing over a dedicated link between two data centers, 2) enabling trusted digital signing for a large contract, 3) ensuring secure transactions for online banking, 4) accepting credit card payments over a secure server for e-commerce, and 5) issuing a smart card for the Chief Security Officer. Though they have different data volumes, frequencies, potential attacks, and business risks, these processes all need effective key management in order to meet their security goals.

Organizations have multiple choices in how to manage keys. Three typical scenarios are:

  • Key management through native software tools. At the simplest level, you can use the basic key management capabilities native to the individual product or products being deployed. Many commercial encryption products, for example, contain software functionality to handle at least some phases of the key management lifecycle. The emphasis, policies, and general security properties of these key management utilities will vary enormously among products.
  • Key management using hardened devices. To better manage risk and ensure control of the entire key lifecycle, you can use purpose-built, hardened key management devices such as hardware security modules (HSMs) to augment commercial and custom applications. Dedicated cryptographic hardware enables you to create an isolated or “trusted” zone for cryptographic functions, thus overcoming the inherent weaknesses of software-based cryptography. Using an independent security platform for key management also creates a powerful separation between the tasks of managing the keys and managing the applications that use those keys. Separating duties to mitigate the threat of a single super-user is a key management best practice and is strongly recommended by security standards such as PCI DSS.
  • Centralized key management. In larger scale deployments, organizations managing keys across heterogeneous applications and systems can find themselves facing inconsistent policies, different levels of protection, and escalating costs. Implementing a centralized approach to key management offers a range of benefits, including unified policies, system-wide key revocation, automated key delivery, consolidated auditing, clear separation of duties, and a single key repository to protect and back up. By adopting a more strategic, top-down approach to key management, you can exercise a greater degree of control across the organization while improving operational efficiency. Organizations implementing centralized key management must carefully consider the security properties of a system that can become an attractive target for attackers. They also must maintain a high level of availability; resilience and fail-over mechanisms are needed to ensure that the central key management process does not become a single point of failure.

Risks

  • Keys can fall into the wrong hands, giving unauthorized persons or applications access to your sensitive or high-value information.
  • Data breaches can result in embarrassing disclosures, risk of customer identity theft, and perhaps fines or legal challenges.
  • Cryptographic keys can become lost or unrecoverable, rendering data unreadable. Depending on the specific nature of the data, key loss can result in major problems for the business in the form of interruptions to business operations, lost customers, or legal consequences.
  • Software-based key management processes offer only limited protection, leaving sensitive keys—and the data they protect—vulnerable to attack.
  • Proliferation of fragmented key management systems can increase the complexity and cost of security management, resulting in business processes that are difficult to manage and to scale.
  • Poorly documented key management activities can increase the burden of compliance reporting activities.

Key Management: Thales e-Security Solutions

Thales e-Security is dedicated to helping organizations achieve the highest levels of assurance by deploying effective key management across their entire range of cryptographic processes. With products and services from Thales, organizations can implement key management best practices that deliver high levels of assurance while also delivering operational efficiency to keep business processes manageable and scalable. Key management experts at Thales can help you design a key management approach and deploy the solution that best meets the needs of your applications and your organization—today and tomorrow.

  • nShield HSMs enable organizations to improve the security of encryption and digital signing processes by protecting keys and operations in tamper-resistant hardware. These HSMs feature the proven key management architecture, Thales Security World, for automating important key management tasks such as key backup and enforcing policies consistently across populations of HSMs.
  • keyAuthority is a hardened key management appliance designed to help organizations implement a centralized approach to key management for a range of devices and processes. The device features FIPS 140 certified tamper-resistant security coupled with replication for resilience and sophisticated role-based policy controls. keyAuthority is designed to support the latest KMIP standard and offers a capacity of over 25 million keys.

Benefits:

  • Implement effective management of cryptographic keys using dedicated hardware modules, centralized key management appliances, or both.
  • Significantly enhance security compared with native, software-based key management.
  • Regain control over fragmented deployments of encryption or other cryptography-based applications.
  • Reduce the risk of lost keys, high management costs, and processes that don’t scale.
  • Comply with industry mandates and emerging key management standards without putting business continuity at risk.
  • Implement cryptographic key management best practices and position your organization to address future requirements.
  • Work with the experts—Thales e-Security is a leading global authority in cryptographic key management with experience that spans more than 30 years.