Best Practice for Lifecycle Crypto Key Management

Organizations that use encryption to protect confidential information can choose hardware and software-based solutions based on the nature of the data that needs to be encrypted. Arguably the weakest link in the chain is the encryption key used to encrypt and decrypt data. This is due to the increasing processing power of today’s computers and the amount of time it takes to compromise a key through an exhaustive key lookup. Therefore, these organizations should periodically revoke, update, and distribute these keys to relevant parties to reduce the risk of internal and external threats.

Many sectors, including banks and governments, perform the time-consuming task of tracking and managing an ever-growing number of keys to ensure they are in the right place at the right time. An army of administrators is created when a large number of keys required for the day-to-day operation of cryptographic applications are manually managed. Therefore, an automated key management system is now a must for these organizations if they want to understand their workloads and reduce management costs.

Key management will come in many variations, with more suitable for enterprise environments and more scalable designed for large numbers of keys such as those used in the banking industry. Although different solutions are required depending on the requirements, there are some common issues that must be addressed for a successful system implementation in terms of functionality, compliance, availability, and cost minimization. Here is a brief list of best practice procedures:

• Distributed encryption and decryption

• Centralized lifecycle key management

• Automatic key distribution and update

• Future proof – Supports multiple standards. PCI DSS, Sarbanes-Oxley, and FIPS 140-2

• Supports all major hardware and software security modules to avoid vendor relationships

• Flexible key properties for document removal

• Comprehensive searchable anti-corruption audit log

• Transparent and efficient process

• Minimize development time when integrating new applications based on open standards

A system that incorporates these factors eliminates many of the risks associated with human error and intentional attacks on confidential data through key management. It also allows the flexibility to provide security to applications that might be considered too expensive for encryption.

Regardless of which industry or solution an organization might choose from, the list above should at least be the cornerstone of any key management system. This not only enables a high level of security, but also improves processes and saves long and short term.