Risks and rewards in automated encryption key lifecycle management

Encryption keys are part of the cryptographic mechanisms that are used by organisations to protect the integrity and confidentiality of data. This includes data that is vulnerable to unauthorised disclosure or undetected modification during transmission or while in storage; that is very sensitive; and that is of high value.

The introduction of asymmetric or symmetric encryption keys to protect data is not a one-off exercise, but the beginning of a managed process called encryption key lifecycle management. Three critical phases within the process are generation, rotation and retirement.

Considering the importance and complexity of this lifecycle, how much of it can (and should) be automated, and what role should administrators play in ensuring best practice is always followed?

The first point to make is that there are significant risks associated with failing to manage encryption keys properly, including enabling attackers to read encrypted emails, messages and other forms of communication, and to extract or tamper with sensitive, and in some cases classified, stored data.

Generating encryption keys

The UK’s Information Commissioner’s Office (ICO) recommends considering four things when implementing encryption: choose the right algorithm, choose the right key size, choose the right implementation/method, and keep the key secure. It notes that vulnerabilities may develop in encryption algorithms over time and eventually make them insecure, which means organisations should regularly assess whether their encryption method and key length remain appropriate.

Keys are often created using the output of a random bit generator (RBG). The US National Institute of Standards and Technology (NIST) explains that: “A well-designed RBG supports a given security strength if the amount of entropy (i.e., randomness) available in the RBG is equal to or greater than that security strength. The security strength supported depends on the secrecy of the information designated as the entropy bits and, when used for the generation of keys and other secret values, on the secrecy of the RBG output.”

Key rotation

Given all of the complexities involved in managing encryption keys throughout their lifecycle, as well as the fact that large organisations may be dealing with hundreds or even thousands of keys at any given time, government bodies are well-advised to automate the process.

Keys may be managed manually, says NIST, but in many cases an automated system is required to oversee, automate, and secure the key management process. Such a system is commonly known as a (cryptographic) key management system (KMS): a system for the management of cryptographic keys and their metadata, including generation, distribution, storage, backup, archive, recovery, use, revocation, and destruction.

From a risk management point of view, a KMS carries out automated checks on processes such as whether keys have been compromised, or need to be rotated or retired. It can issue alerts when the IT team needs to take action, and provides both confidentiality and integrity protection for government and public sector data. As the UK’s National Cyber Security Centre (NCSC) writes: “Good data encryption is undermined by poor key management, so when you rely on encryption to protect your data, you need to ensure your key management is strong.”
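The lifecycle sweep described above, as an added illustration that is not code from the article or from any particular KMS product: a small registry that generates key material from the OS random bit generator, rotates and retires keys, and runs the automated check that raises alerts for compromised, rotation-overdue and retirement-due keys. The rotation period, grace period, key size and the ".next" successor naming are assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy values are assumptions for this example; take them from your own key policy.
ROTATION_PERIOD = timedelta(days=90)   # active keys older than this must be rotated
RETIRE_GRACE = timedelta(days=30)      # rotated keys stay decrypt-only this long
KEY_BITS = 256                         # security strength the key material must support

@dataclass
class KeyRecord:
    key_id: str
    created: datetime
    state: str = "active"              # lifecycle: active -> rotated -> retired
    compromised: bool = False
    material: bytes = field(default=b"", repr=False)

class KeyRegistry:
    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc)   # injected clock keeps checks testable
        self.keys = {}

    def advance(self, days):                           # move the clock for demos and tests
        self.now += timedelta(days=days)

    def generate(self, key_id):
        # secrets.token_bytes reads the OS CSPRNG: 32 bytes carry 256 bits of entropy,
        # so the RBG output supports the 256-bit security strength set above.
        rec = KeyRecord(key_id, self.now, material=secrets.token_bytes(KEY_BITS // 8))
        self.keys[key_id] = rec
        return rec

    def rotate(self, key_id):
        # The old key becomes decrypt-only so existing data still opens; new data is
        # protected by the successor (".next" suffix is this example's naming choice).
        self.keys[key_id].state = "rotated"
        return self.generate(f"{key_id}.next")

    def retire(self, key_id):
        self.keys[key_id].state = "retired"
        self.keys[key_id].material = b""               # destroy material, keep metadata

    def check(self):
        # The automated KMS sweep: returns (key_id, required action) alerts for operators.
        alerts = []
        for rec in (r for r in self.keys.values() if r.state != "retired"):
            age = self.now - rec.created
            if rec.compromised:
                alerts.append((rec.key_id, "compromised: rotate and retire now"))
            elif rec.state == "active" and age >= ROTATION_PERIOD:
                alerts.append((rec.key_id, "rotation overdue"))
            elif rec.state == "rotated" and age >= ROTATION_PERIOD + RETIRE_GRACE:
                alerts.append((rec.key_id, "grace period over: retire"))
        return alerts
```

Running `check()` on a schedule and feeding its alerts to the IT team is the point at which automation hands back to the administrators, who still decide how a compromise is handled.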

While there are many and varied rewards that can be derived from automating encryption key management, organisations should also be aware of the risks involved in failing to implement an effective KMS. These can be caused by taking control of setting passwords or generating keys away from the IT team and giving it to end-users, leading to poor governance; or by misconfigured encryption that fails to store encryption keys securely, risking data loss.

As with any area of data protection, effective encryption key lifecycle management depends on the combination of smart technology and the skills and experience of IT professionals to ensure organisations are fully protected. Having one without the other is no longer tenable, especially in an era of such high dependencies on fast-moving and fast-growing data flows.

Asperiq offers state-of-the-art quantum secure encryption technology to defence and government organisations.
Contact us on contact@asperiq.com to find out more about customer independent control of encryption algorithms, key management, high assurance and other expert topics.