What is Encryption Key Management, and What Factors Should be Considered when Implementing a KMS Solution?
This article examines the challenges associated with encryption key management while demonstrating how our ARIA KMS solution can overcome them.
Data encryption is growing in adoption, but has proven to be ineffective
To provide effective data protection and application defense and remain in compliance, organizations today need to protect their most critical data as it is created, transmitted, and stored. This requires companies to successfully encrypt this data, a process that raises its own challenges related to encryption key management and effectively implementing a key management server (KMS) solution.
So how does data encryption work? Encryption is a well-known technique to protect data, and is a fairly straightforward concept to understand: Users want to make data or content unreadable, except to those who are allowed to see it. To do this, a key scrambles the text into unintelligible ciphertext, and when prompted, decrypts it, or translates it back, to the original format.
As data encryption technologies have continued to evolve over the years, adoption is growing faster than ever.
According to the “Develop an Enterprise Encryption Key Management Strategy, or Lose the Data” article by Gartner, most organizations planning data encryption deployments lack an encryption key management strategy, which increases the risk of data loss.
Security and risk management leaders must develop an enterprise-wide encryption key management strategy or face the consequence of potentially losing their data. However, by 2023, 40% of organizations will have a multi silo, hybrid, and multi cloud data encryption strategy, up from less than 5% today. Furthermore by 2024, 35% of organizations will leverage a crypto and key orchestration platform to handle a variety of information and crypto-management, up from 0% today.
All of this seems great, yet what is troubling is the fact that in a number of recent high-profile cyber attacks, the organization’s data actually was encrypted in some capacity, yet it was still compromised.
What are encryption key management and KMS implementation?
Key management servers (KMS) are used to administer the full lifecycle of cryptographic keys and protect them from loss or misuse. KMS solutions, and other key management technology, ultimately control the generation, usage, storage, archival, and deletion of encryption keys. Additionally, to fully protect their loss or misuse, companies must limit access to these keys, either by restricting physical access or controlling user access by creating clear and defined roles.
To think of it another way, here’s a quote about encryption key management from the NIST and its Recommendation for Key Management solutions technical report that puts KMS implementation in a slightly different context:
“The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.”
What are the critical components performed by encryption key management servers?
To ensure that your online data remains protected, it’s critical to understand the different components of an encryption key management service, so that you know the right questions to ask when evaluating new and existing types of KMS technologies that can be implemented.
- Key storage: As a general principle, the person or company who stores your encrypted content should not also store the encryption keys for that content (unless you’re comfortable with them accessing your data).
- Policy management: While the primary role of encryption keys is to protect data, they can also deliver powerful capabilities to control encrypted information. Policy management is what allows an individual to add and adjust these capabilities. For example, by setting policies on encryption keys, a company can revoke, expire, or prevent the sharing of the encryption keys, and thus of the unencrypted data, too.
- Authentication: This is needed to verify that the person given a decryption key should be allowed to receive it. When encrypting digital content, there are several ways to achieve this.
- Authorization: Authorization is the step that verifies the actions that people can take on encrypted data once they’ve been authenticated. It’s the process that enforces encryption key policies and ensures that the encrypted content creator has control of the data that’s been shared.
- Key transmission: This is the final step in the overall encryption key management process and is related to how keys get transmitted to the people who need them, yet still restrict access to those who don’t.
Related Resource: Easily Encrypt your VMware Environment
Why is encryption key management so challenging?
Digital information must remain readily accessible to the many people with whom it is shared. In order for that to effectively occur, encryption keys must be easily and safely distributable at scale. In a traditional key management model, whenever a key expires, employees (usually IT) are responsible for manually updating them—as well as managing the organization’s entire set of keys.
What’s more, the number of methods that we use to communicate online is constantly growing. Even though we create encrypted files on one storage application, we might also need to share those same files on another platform, for example, in an email attachment or by using a different storage tool. Encryption keys don’t always work when applied to different platforms, which means we often must manage multiple key exchanges for the same piece of data.
These efforts are usually extremely time-consuming and take valuable time away from employees who could use it to focus on higher-value IT initiatives. Worse, a faulty key management practice can lead to the loss of keys, and may even result in a hacker obtaining them and using them to steal or manipulate data. .
Encryption key management misconceptions
Even beyond all of these challenges on how to implement KMS securely, there are also two common data encryption misconceptions:
- “If a vendor encrypts your data, they won’t be able to access it.” This is not true. Even if a third-party vendors like Amazon AWS or Microsoft Azure promise to make your data unreadable to unauthorized parties, most vendors still retain access to your unencrypted content.
- “If you encrypt, hackers cannot get access to your data.” Unfortunately, it’s virtually impossible to guarantee this, especially in today’s world.
Ineffective KMS implementation can lead to compliance issues
Additionally, inefficient encryption key management practices may even lead to new security vulnerabilities, such as updating system certificates or locating those systems that need to be updated. It also makes it extremely difficult to comply with industry regulations.
For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that merchants protect sensitive cardholder information from loss and use good security practices to detect and protect against security breaches. PCI DSS has very specific guidance related to encryption keys and key management services.
For example, various subsections of PCI DSS call for organizations to maintain a “documented description of the cryptographic architecture” to protect data, and restrict “access to cryptographic keys to the fewest number of custodians possible.”
Keep in mind this is just one regulation. So many others, such as GDPR, HIPAA, and more all have specific requirements to make sure companies do all they can to protect data from theft, loss, or inappropriate access.
Yet too often, there is a lack of unified tools that can successfully overcome the issues related to management overhead and potential noncompliance.
Related Resource: Successfully Complying with Data Privacy Regulations (How-to Guide)
ARIA KMS fills the need
ARIA Cybersecurity Solutions’ ARIA Key Management Server (KMS) application delivers encryption key management functionality for the automatic generation and distribution of encryption keys. ARIA KMS provides an important advantage for those organizations that need to ensure the right encryption keys are in the right place at the right time all without impacting network or application performance. It is an easy-to-deploy application that takes advantage of the widely accepted key management interoperability protocol (KMIP) and public key crypto standard (PKCS 11) for integration with other existing applications.
Today more vendors are allowing users to use a Bring Your Own Key (BYOK)/Bring Your Own Encryption (BYOE) solution. This includes VMware (starting in vSphere 6.5) to encrypt the output of each virtual machine (VM), yet these users still need to provide their own KMIP-compliant KMS solution.
With ARIA microHSM - ARIA KMS deployed on the Myricom Secure Intelligent Adapter (SIA) - organizations gain additional security and performance since a local secure zone of trust required to generate and store keys and even execute crypto operations based on those stored keys. The ARIA KMS application shields the keys from exposure, even if the host server is breached. It is deployable into the devices they are protecting, such as storage arrays, for a zero-footprint implementation of a key management server solution.
Related Resource: A Modern HSM for Enterprise-wide Data Encryption in the Healthcare Industry
The ARIA SDS KMS application enables enterprise-wide encryption key management with the following capabilities:
- Complete integration with vSphere and other KMIP-based applications for fast, easy set-up and deployment.
- The ability to generate hundreds of unique keys per minute, enabling the encryption of all data and application transactions.
- Highly available, secure key storage in a virtual server, on premises or in the cloud.
- The ability to manage all policies across platforms through a single user interface.
- Zero-footprint deployment: the ARIA microHSM can be deployed directly or built into a vSAN configuration, eliminating the need for connectivity.
Interested in learning more about encryption key management and CSPi’s ARIA KMS solution? Watch our new ARIA KMS video now.
About ARIA Cybersecurity Solutions
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.