Agencies view encryption as an essential tool to protect data as it’s transmitted across networks and at rest in storage.
But encrypting that data also forces agencies to maintain all the required keys to decrypt it. When a key is not protected, stored, backed up or properly organized, users may lose access to all or some of the data and systems the agency is trying to secure.
Without sound key management processes, encryption keys are more likely to be compromised by an attacker, providing unauthorized access to the related data and systems.
The National Institute of Standards and Technology spells it out in NIST Special Publication 800-57, Recommendation for Key Management, Part 1: “Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of the mechanisms and protocols associated with the keys, and the protection afforded the keys.”
Encryption key management involves several complex processes: selecting algorithms and key sizes, generating keys, rotating keys and more. Agencies should first focus on the fundamental practice of safeguarding the keys themselves when starting down the path to improving key management.
Here are more best practices to follow:
Restrict Access to Encryption Keys
Only users, administrators, devices or services with the need to know should have access to each key. With agencies using anywhere from hundreds to hundreds of thousands of keys, that can be tricky, especially because needs change over time. For example, when one user requires access to a particular encryption key for daily use but forgets the credentials for the key or unexpectedly leaves the agency, what happens? In that case, no one would be able to access the data and systems protected by that key. Giving more than one person the key solves the problem.
On the other hand, if more than one administrator has unlimited access to encryption keys, the risk of abuse rises. An unethical user could steal keys from storage and backup, then use those keys to obtain data and enter systems without authorization. Even worse, an attacker who compromises an administrator account might be able to access not one but many encryption keys, and use them to cause a major incident.
Agencies should carefully plan who should have access to each key, balancing the ability to recover from lost or inaccessible keys with the requirement to safeguard data and system confidentiality. In most cases, granting only one user access is an unnecessary risk. It’s usually preferable to give access to a small group of administrators.
Full auditing — sometimes automated, sometimes by people — of all access and use of encryption keys by the user group can reduce the risk of misuse. Requiring administrators to use strong multifactor authentication before they access a key should reduce it further.
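The three controls this section describes (a small custodian group per key rather than a single person or an unbounded set, a record of every access attempt, and a multifactor check before key material is released) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the article or from any product it mentions; the custodian-group bounds, the principal names and the key identifier are constructed assumptions, and a real deployment would sit these checks in front of an HSM or key management server rather than an in-memory dictionary.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy bounds (constructed for this example): one custodian is an
# availability risk, a large group is an abuse risk.
MIN_CUSTODIANS = 2
MAX_CUSTODIANS = 5


class AccessDenied(Exception):
    """Raised for any refused key request; the reason is only written to the audit log."""


@dataclass
class ManagedKey:
    key_id: str
    material: bytes
    custodians: frozenset


@dataclass
class KeyStore:
    keys: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def register(self, key_id, custodians):
        """Create a key and bind it to a bounded custodian group."""
        group = frozenset(custodians)
        if not MIN_CUSTODIANS <= len(group) <= MAX_CUSTODIANS:
            raise ValueError(
                f"{key_id}: custodian group must have {MIN_CUSTODIANS}-{MAX_CUSTODIANS} members"
            )
        self.keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32), group)

    def _record(self, principal, key_id, outcome):
        # Every attempt is logged, granted or not, so reviewers can see who touched what.
        self.audit_log.append(
            {"ts": time.time(), "principal": principal, "key_id": key_id, "outcome": outcome}
        )

    def get_key(self, principal, key_id, mfa_verified):
        """Release key material only to a custodian who has just passed MFA."""
        key = self.keys.get(key_id)
        if key is None:
            self._record(principal, key_id, "denied-unknown-key")
            raise AccessDenied()
        if principal not in key.custodians:
            self._record(principal, key_id, "denied-not-custodian")
            raise AccessDenied()
        if not mfa_verified:
            self._record(principal, key_id, "denied-no-mfa")
            raise AccessDenied()
        self._record(principal, key_id, "granted")
        return key.material

    def suspicious_principals(self, threshold):
        """Principals with at least `threshold` denied requests: a simple review queue."""
        counts = {}
        for entry in self.audit_log:
            if entry["outcome"].startswith("denied"):
                counts[entry["principal"]] = counts.get(entry["principal"], 0) + 1
        return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    store = KeyStore()
    store.register("db-backup-kek", ["alice", "bob", "carol"])  # constructed names
    store.get_key("alice", "db-backup-kek", mfa_verified=True)
    for entry in store.audit_log:
        print(entry)
```

The audit log is the point of the exercise: because refusals are logged with their reason, a reviewer (or an automated rule such as `suspicious_principals`) can distinguish a custodian who forgot to complete MFA from an account repeatedly requesting keys it was never assigned.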
Use Centralized Enterprise Key Management Services
Protecting encryption keys can be a complicated process, because of the inherent conflict between strictly controlling access to keys and distributing those same keys throughout an enterprise immediately and on demand. To make that process more efficient, agencies should strongly consider adopting centralized, in-house enterprise key management services. Services based on the Key Management Interoperability Protocol (KMIP) automate and secure nearly all key management functions, including storage, distribution and archiving.
Enterprise key management services hold most or all encryption keys centrally, separate from the data and systems they have encrypted. That makes it more difficult for a single compromise to breach the encryption; either the keys or the encrypted data could be accessed without authorization through one action, but not both. That can also improve performance because the encryption and decryption of data and systems happens locally, with the key management service securely distributing the necessary key to the appropriate location when needed.
Storing encryption keys centrally minimizes the number of places keys may be exposed to attackers. Dedicate key management servers to that purpose alone, and ensure that they’re strongly secured, well maintained and monitored to prevent intrusions.
Be Prepared to Handle Problems
Establishing robust encryption key management services and tightly restricting access is not enough.
A user could make a mundane mistake, such as forgetting the credentials for a key, or change job responsibilities. The agency could also discover something major, such as a flaw in a cryptographic algorithm or a compromise of a key management server, that necessitates enterprisewide key rotation.
Agencies should proactively consider all those possibilities — and more — before trouble occurs, and develop and implement plans for handling such problems. Verify periodically that those procedures remain accurate and comprehensive, and revise them as needed. That can save time when problems arise, and prevent security incidents that might be caused by compromised encryption keys in the first place.
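Two passages above are easiest to see in code: the centralized service that holds keys separately from the data they protect, with encryption happening locally using a key handed out on demand, and the enterprisewide rotation that a compromised key management server would force. The example below is added for this page and is not code from the article, from NIST or from any KMIP product. It uses the envelope pattern: a per-record data encryption key (DEK) is generated locally and wrapped by a key-encryption key (KEK) that only the central service holds, so whoever steals only the data store or only the key store has nothing usable, and rotating the KEK re-wraps the DEKs without touching the stored ciphertext. The authenticated cipher is a toy HMAC-SHA256 construction written here so the block runs with the standard library alone; it stands in for a real AEAD such as AES-GCM, which is what an agency would actually use, and the record layout and class names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256; toy stand-in for a block cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC with a random nonce; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob, aad=b""):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManagementService:
    """Central service: holds versioned KEKs only and never sees application data."""

    def __init__(self):
        self._keks = {}
        self.current_version = 0
        self.rotate_kek()

    def rotate_kek(self):
        self.current_version += 1
        self._keks[self.current_version] = secrets.token_bytes(32)
        return self.current_version

    def wrap(self, dek):
        v = self.current_version
        return v, aead_encrypt(self._keks[v], dek, aad=b"dek-v%d" % v)

    def unwrap(self, version, wrapped):
        return aead_decrypt(self._keks[version], wrapped, aad=b"dek-v%d" % version)

    def rewrap(self, version, wrapped):
        # Unwrap under the old KEK, wrap under the current one; DEK stays the same.
        return self.wrap(self.unwrap(version, wrapped))

    def retire_kek(self, version):
        del self._keks[version]


def encrypt_record(kms, plaintext):
    """Local side: fresh DEK per record, data encrypted here, only the wrapped DEK stored beside it."""
    dek = secrets.token_bytes(32)
    version, wrapped = kms.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "ciphertext": aead_encrypt(dek, plaintext)}


def decrypt_record(kms, record):
    dek = kms.unwrap(record["kek_version"], record["wrapped_dek"])
    return aead_decrypt(dek, record["ciphertext"])


def rotate_records(kms, records):
    """Enterprisewide rotation after a KEK compromise: new KEK, every DEK re-wrapped, data untouched."""
    new_version = kms.rotate_kek()
    for record in records:
        record["kek_version"], record["wrapped_dek"] = kms.rewrap(
            record["kek_version"], record["wrapped_dek"]
        )
    return new_version


if __name__ == "__main__":
    kms = KeyManagementService()
    records = [encrypt_record(kms, b"constructed record %d" % i) for i in range(3)]
    rotate_records(kms, records)
    kms.retire_kek(1)
    print([decrypt_record(kms, r) for r in records])
```

Note what rotation does and does not cost: re-wrapping touches one small blob per record and can run inside the key service, whereas rotating the DEKs themselves would mean re-encrypting every byte of stored data. That distinction is why the contingency plans the section calls for should state which key tier a given event (lost credentials, a departed administrator, a compromised key server) actually requires rotating.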