Five Top Tips for Secure Encryption Key Lifecycle Management
Encryption key management is critical for your security systems. It is vital for organisations using encryption keys to pay attention to how they are managed. This article contains insights into securely managing encryption keys.
A growing need for increased mobility and accessibility within and between governments, NGOs and critical infrastructure organisations has also brought new pressures to bear on data security. Government employees and leaders must be able to access and share sensitive information from any place, at any time, without compromising security.
One of the most important elements of any data security strategy is the secure encryption key. As with any other type of key, a secure encryption key locks and unlocks access to areas or content that need to be protected from unauthorised users. In this case, a key is a secret string of bits especially created to encrypt and decrypt data. An encryption key is for use with algorithms such as the Advanced Encryption Standard (AES) or RSA. Without the proper decryption key, data cannot be deciphered.
An encryption key is used to either encrypt or decrypt data or carry out both functions, based on the sort of encryption tool used. And depending on the method employed, keys can be different sizes or varieties, but the strength of the encryption relies on the security of the key being maintained.
The key’s security strength is dependent on its algorithm, the size of the key, the generation of the key, and the process of key exchange. But setting up encryption keys is far from a one-off process.
In fact, it’s vital for organisations using encryption keys to pay attention to how they are managed, writes the National Institute of Standards and Technology (NIST). “Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.”
There are many sources of guidance and knowledge about how to manage secure encryption keys, from high level principles to deeply technical how-to guides. Below we outline five tips for understanding some of the biggest issues to be aware of.
1
Be informed about the full lifecycle of encryption keys
Every encryption key has its own lifecycle, from being created through being registered, stored and used, to being rotated and finally retired. No organisation should take it for granted that all of these stages are happening successfully, or that they can take managed lifecycle processes for granted. While regulatory compliance requirements from bodies such as the PCI Security Standards Council outline the need to manage encryption keys, specific guidelines are not always given.
2
Understand the differences between symmetric and asymmetric keys
Broadly speaking, there are two types of encryption algorithms and, correspondingly, encryption keys: symmetric and asymmetric. A symmetric algorithm uses the same key for encrypting and decryption. AES is an example of such an algorithm.
Public asymmetric encryption systems use a different model for encryption and decryption that involves two keys. One is a public key, and the other is a private key. The public key can be freely shared among various users as it is only meant for encryption.
The private key is not shared, and is used to decrypt anything that was encrypted by the public key. In order to reverse the encryption process, only the private key of that particular key pair can be used.
In general, symmetric keys are faster to run because the keys used are much shorter than they are in asymmetric cryptography, and because the computations involved are more efficient.
Asymmetric cryptography is common in e-commerce and as part of the general web experience. Governmental infrastructure is often in an excellent position to profit from the advantages that symmetric keys provide, avoiding the complexity brought by asymmetric cryptography.
3
Establish a policy for how encryption keys are managed
As well as deciding which system to use to manage the symmetric and asymmetric keys used to protect data at rest or in motion, organisations need to establish a policy for how they are managed. This includes guidance on how each encryption key or group of keys needs to be managed according to an individual key usage policy, and how it is stored and backed up.
This defines which device, group of devices, or types of application can request security keys, and what operations that device or application can perform. An encryption key management policy can also include higher levels of authorization, for example when releasing a key after it has been requested, or to recover the key in the case of loss.
4
Verify the correct usage of keys
From all of the above, we can see that it is vital to know which keys are used and to have policies in place for managing them. It is equally important to know that the applications or equipment using those keys operate correctly, and to use solutions that allow the owner to verify that they are working as intended.
Such verification can be done to ensure that keys are correctly used before starting to use applications or equipment, but it can also be done throughout their lifetime. If, how, and when the correct implementation is verified is up to the owner’s discretion, but choosing the right solutions for verification is critical.
5
Remember the need for audit trails and recovery
The case for having a centralised, rather than a distributed, approach to security key management is underpinned by the need to prove how data has been protected when the worst happens and there is a breach. Law enforcement agencies as well as internal/external auditors need access to clear audit trails without having to consolidate data from siloed systems and multiple sources.
An audit trail should include the date when users have accessed sensitive data, who they are, which encryption resources were used to access the data, and how this met or failed to meet the organisation’s key usage policy.
The big message from all the above is that effective security key management doesn’t happen by chance. Encryption needs to be used for effective security, not just to tick a compliance checkbox, and this relies on solid key management. As NIST concludes, “the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with the keys, and the protection afforded to the keys.”
