Encryption Key Management

Encryption key management is vital to securing enterprise data storage

Encryption key management challenges

Managing encryption keys effectively is vital. Unless the creation, secure storage, handling and deletion of encryption keys are carefully controlled, unauthorised parties can gain access to the keys and render the encryption worthless. And if a key is lost, the data it protects becomes impossible to retrieve.

Business data is growing at exponential rates, and along with that growth comes a demand for securing that data. Enterprises have responded by implementing encryption at various layers - in the hardware, on the network and in applications. This response has resulted in a series of encryption silos - some of them holding confidential customer data - with inconsistent approaches to managing security, keys and domains.

Different applications across the enterprise often employ different methods of encryption. Some departments don’t encrypt data while the data is at rest (such as when it is stored on a device or in a database) but only when the data is in motion, using techniques such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) or virtual private networks (VPNs) to secure the data pipeline. Other departments may encrypt particular data fields such as credit card numbers but leave other data in the clear. Finally, some departments may use different encryption systems to protect data components in order to comply with specific data-privacy requirements.

Key management for these encryption approaches is often similarly fragmented. Sometimes key management is carried out by department teams using manual processes or embedded encryption tools. In some cases, there is no formal key-management process in place. This fragmented approach to key management can expose your sensitive data to loss or theft.

Many enterprises are adopting a policy of encrypting all data at rest to help ensure a consistent layer of protection against loss. As a result, they also want to centralise their key management to achieve a consistent, simple approach to implementing and managing encryption everywhere.

Embedded encryption keys are found throughout the enterprise. Typical places where they turn up include:

  • Billing systems that use encryption keys to encrypt credit card data in databases.
  • Homegrown systems with no systematic key-management component.
  • SSH keys that are used for secure encrypted communication between clients and servers.
  • Distributed or point-of-sale applications and kiosks, on which encryption keys are used to secure communications to the computing centre.


> Deploy a simple solution to a complex problem

> Centralise, simplify and automate encryption key management

Solution Features & Benefits

Manage Everything Encryption Related

  • Key management
  • Key generation
  • Key import and export
  • Key rotation
  • Key destruction

> Devices

> Full disk and containerised encryption

> Self-encrypting drives

> Tape archives

> Storage Area Networks

> Virtual workloads (virtual machine instances and storage volumes)

> Backup and storage media

> Cloud (Office 365, Amazon AWS)

> SSH keys

> BitLocker Management

> Enables the protection of your data at rest and in transit across a range of applications and media (SharePoint, email, thumb drives, optical disk or direct download)

> Mobile Device Management (MDM) Android and iOS

> Databases (column-level database encryption across multi-vendor database management systems, including Oracle and Microsoft SQL Server)

> File-Level Encryption

Protects unstructured data on network shares, file servers, web servers, application servers, database servers and other machines.

> Centralised Key Storage and Lifecycle Management

Centralised key management for all devices lets authorised systems access encrypted data wherever it resides (file shares, the cloud, etc.).

It also integrates with directory services, giving the enterprise control of document access even while users are mobile. If a portable device is lost or stolen, a remote “Kill Pill” function revokes access to the documents or removes them from the device altogether.

> Group Policy Management

Allows multiple administrators with different roles and permissions to be defined. By default, a group of devices has access only to the encryption keys defined within that group. These role-based access control features enable separation of duties, mapping of permissions to the actions performed against objects, and enforcement of data isolation and security in a multi-tenant environment.

> Auditing and Logging

Centralised management includes detailed logging and audit tracking of all key state changes, administrator access and policy changes. Audit trails are securely stored and signed for non-repudiation and can be consumed by leading third-party SIEM tools.
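As an added illustration of the signed, tamper-evident audit trail described above (example code written for this page, not the product's own implementation), the following Go program chains each audit record to its predecessor with an HMAC so that an edited, deleted or reordered entry is detected on verification. The signing key is assumed to be a plain byte slice, and the actor, action and key ID values are constructed samples.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// AuditEntry records one key state change, administrator access or policy change. Tag is an
// HMAC over the record and the previous entry's Tag, so editing, deleting or reordering an
// entry breaks the chain from that point on.
type AuditEntry struct {
	Seq                  int
	Actor, Action, KeyID string
	Tag                  []byte
}

// AuditLog is an append-only log signed with a key held by the key manager (assumed here to be
// a plain byte slice; a deployment would keep it in the HSM beside the master key).
type AuditLog struct {
	signKey []byte
	entries []AuditEntry
}

func NewAuditLog(signKey []byte) *AuditLog { return &AuditLog{signKey: signKey} }

// LoadAuditLog re-ingests an exported log, e.g. at a SIEM or after restoring a backup, for verification.
func LoadAuditLog(signKey []byte, entries []AuditEntry) *AuditLog { return &AuditLog{signKey, entries} }

// tag signs one record; %q quoting keeps the fields unambiguous however they are delimited.
func (l *AuditLog) tag(prev []byte, seq int, actor, action, keyID string) []byte {
	mac := hmac.New(sha256.New, l.signKey)
	mac.Write(prev)
	fmt.Fprintf(mac, "%d %q %q %q", seq, actor, action, keyID)
	return mac.Sum(nil)
}

// Record appends an event and returns the signed entry (the form forwarded to a SIEM).
func (l *AuditLog) Record(actor, action, keyID string) AuditEntry {
	var prev []byte
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Tag
	}
	seq := len(l.entries) + 1
	e := AuditEntry{seq, actor, action, keyID, l.tag(prev, seq, actor, action, keyID)}
	l.entries = append(l.entries, e)
	return e
}

// Verify recomputes the chain and returns the sequence number of the first entry whose tag no
// longer matches, or 0 if the log is intact.
func (l *AuditLog) Verify() int {
	var prev []byte
	for _, e := range l.entries {
		if !hmac.Equal(l.tag(prev, e.Seq, e.Actor, e.Action, e.KeyID), e.Tag) {
			return e.Seq
		}
		prev = e.Tag
	}
	return 0
}

// Entries returns a copy of the log for export to a SIEM.
func (l *AuditLog) Entries() []AuditEntry { return append([]AuditEntry(nil), l.entries...) }

// Consistent reports whether the (seq, tag) pair a consumer saw earlier is still present in the
// log, which catches a log that was rolled back or rewritten behind the consumer's back.
func (l *AuditLog) Consistent(seq int, tag []byte) bool {
	return seq >= 1 && seq <= len(l.entries) && hmac.Equal(l.entries[seq-1].Tag, tag)
}
```

A SIEM that ingests the exported entries keeps the last (Seq, Tag) it saw and checks it with Consistent on the next export; that check, together with Verify, is what turns a signed log into a non-repudiable one, since the key manager cannot later roll back or rewrite history without the consumer noticing.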

> Deployment Options

- On-premises appliance
- Public Cloud (Amazon AWS)

> Meet regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA).

> Requirement 2.1 of the OWASP (www.owasp.org) guidance on secure cryptographic storage and key management

> Hardware security module (HSM) to store the master key that is used to protect all keys stored in the keystore.

> FIPS 140-2 Level 2 and FIPS 140-2 Level 3 validation.

> Authorised-only access to data in multi-tenanted infrastructures

> Interoperability with third-party systems via the Key Management Interoperability Protocol (KMIP)
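Added example (not the vendor's code) showing how the lifecycle operations listed under "Manage Everything Encryption Related" sit on top of the HSM-held master key mentioned above: data keys are generated, wrapped under the master key with AES-256-GCM, rotated by deprecating the previous version, and destroyed by discarding the wrapped material. The master key is assumed here to be an in-memory byte slice so the program runs offline; in a deployment the wrap and unwrap calls would be performed inside the HSM, and the key ID "billing-db" used in the usage is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// keyVersion is one version of a data-encryption key, held only in wrapped form.
type keyVersion struct {
	Nonce, Wrapped []byte // Wrapped: AES-256-GCM ciphertext of the data key under the master key
	State          string // "active", "deprecated" or "destroyed"
}

// KeyStore keeps data keys wrapped under a master key that an HSM would hold; here it is a plain byte slice (assumption).
type KeyStore struct {
	master cipher.AEAD
	keys   map[string][]keyVersion
}

func NewKeyStore(masterKey []byte) (*KeyStore, error) {
	block, err := aes.NewCipher(masterKey) // a 32-byte master key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyStore{master: aead, keys: map[string][]keyVersion{}}, nil
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is unrecoverable for a key store
	}
	return b
}

// aad binds a wrapped blob to its key ID and version so it cannot be moved to another slot.
func aad(keyID string, version int) []byte { return []byte(fmt.Sprintf("%s:%d", keyID, version)) }

// Generate wraps a fresh 256-bit data key for keyID and deprecates the previous version (rotation).
func (ks *KeyStore) Generate(keyID string) int {
	versions := ks.keys[keyID]
	version := len(versions) + 1
	for i := range versions {
		if versions[i].State == "active" {
			versions[i].State = "deprecated" // may still decrypt old data, must not protect new data
		}
	}
	plain, nonce := randBytes(32), randBytes(ks.master.NonceSize())
	wrapped := ks.master.Seal(nil, nonce, plain, aad(keyID, version))
	for i := range plain {
		plain[i] = 0 // the store never retains the plaintext data key
	}
	ks.keys[keyID] = append(versions, keyVersion{nonce, wrapped, "active"})
	return version
}

func (ks *KeyStore) lookup(keyID string, version int) (*keyVersion, error) {
	if v := ks.keys[keyID]; version >= 1 && version <= len(v) {
		return &v[version-1], nil
	}
	return nil, fmt.Errorf("unknown key %q or version %d", keyID, version)
}

// Unwrap returns the plaintext data key of one version; destroyed versions are refused.
func (ks *KeyStore) Unwrap(keyID string, version int) ([]byte, error) {
	kv, err := ks.lookup(keyID, version)
	if err != nil {
		return nil, err
	}
	if kv.State == "destroyed" {
		return nil, fmt.Errorf("key %q version %d is destroyed", keyID, version)
	}
	return ks.master.Open(nil, kv.Nonce, kv.Wrapped, aad(keyID, version))
}

// Destroy discards one version's wrapped material; data encrypted under it is then unrecoverable.
func (ks *KeyStore) Destroy(keyID string, version int) error {
	kv, err := ks.lookup(keyID, version)
	if err != nil {
		return err
	}
	kv.Wrapped, kv.State = nil, "destroyed"
	return nil
}

// State reports a version's lifecycle state, or "" if it does not exist.
func (ks *KeyStore) State(keyID string, version int) string {
	if kv, err := ks.lookup(keyID, version); err == nil {
		return kv.State
	}
	return ""
}
```

Calling Generate("billing-db") twice yields versions 1 and 2, with version 1 deprecated: it still unwraps so that data encrypted before the rotation can be read, while new data must use the active version. Once Destroy has run on a version, nothing encrypted under it can be recovered, which is the lost-key case the opening section warns about. Binding the key ID and version into the AEAD's additional data stops a wrapped blob being moved between slots in the keystore.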

Also see

- Enterprise storage encryption

- Data encryption

- Self-encrypting drives

- Tokenisation (replaces sensitive data such as credit card numbers and social security numbers with a surrogate value, a token)

Contact us today to discuss your requirements in more detail.

P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk