

Key Management

Encryption technology has been around for years, but compliance and best practice for data protection are fueling a significant increase in its adoption.  Encryption is fast becoming a commodity - embedded as a native feature in applications and databases, and devices such as laptops and disk and tape drives.   As a result, organizations are looking for an effective and scalable approach to protecting and managing the underlying cryptographic keys. 

What is key management?

It's useful to distinguish between the usage of keys and the management of keys. Key usage refers to the mature and often standardized mathematical processes that perform encryption, create digital signatures or authenticate digital certificates.  These are the basic functions that are freely available and frequently an embedded capability.

Key management, on the other hand, is concerned with generating, managing, distributing, archiving and recovering keys. These processes tend to be manual and application or organization specific. Most importantly, key management typically embodies and enforces the policies that govern who can access keys and under what circumstances, which in the end is what CIOs and auditors care about. All products or processes that use keys will incorporate some elements of key management, but at best these are very limited in scope and at worst an afterthought.

Disparate approaches create inconsistency and increase costs

Encryption or any other form of cryptography without good key management creates a false sense of security and a patchwork of disparate key management systems supporting different deployments.  This results in inconsistencies, weak links and points of attack.  Further, as the number of applications using cryptography and the number of keys under management increases, both of which are inevitable in most organizations, the need to employ a consistent and wide ranging approach to key management becomes a necessity.

In small-scale deployments it may be practical to utilize manual key management processes; otherwise some form of automated system will be required. In either case, the fact that the objects being managed, cryptographic keys, are secrets and must remain confidential presents unique security and organizational challenges. The need for security and the desire for convenience and ease of use are often in conflict, and in the area of key management this tension is particularly acute.

Localized key management

Historically, organizations have focused on managing the keys that represent the greatest risk or that are subject to external scrutiny and auditing. These high-value keys are protected in devices known as hardware (and sometimes host) security modules. Most of these HSMs employ sophisticated key management techniques to enforce security policies while providing operational capabilities such as replication, recovery and revocation. However, this approach can often result in all other keys, i.e., those not deemed worthy of protection by an HSM, only being managed on an ad-hoc basis or effectively being left unmanaged.

Centralized key management

To overcome this inconsistency many organizations are adopting a top-down, or enterprise-wide, approach to key management that introduces a centralized function that abstracts the key management functions from the applications and the locations where keys are used. This approach delivers a number of benefits:

  • Automation reduces cost - A centralized approach enables the automation of otherwise manual key management tasks and can scale as the number of keys, applications and users grow.
  • Security - By gathering all keys into a single system the challenge of proving adequate levels of security to protect confidentiality and usage of keys is greatly simplified - and from a compliance perspective, is more easily demonstrated.
  • Availability - The use of a single system to manage and archive keys simplifies back-up and recovery methods to ensure that keys are never lost and therefore that encrypted data can always be decrypted - a fundamental concern of anyone deploying encryption.
  • Key mobility - It is very often the case that data is decrypted in a different system or location than where it was initially encrypted. The use of encryption for back-up tapes is a good example of this. In these cases, key mobility and secure key distribution within a common key management infrastructure are powerful capabilities.
  • Separation of duties - Encryption keys are often, by default, managed locally where the encryption itself is performed. This approach can easily result in the creation of "super-users" that both hold and use the keys to the kingdom - without supervision and with auditing tools that can be subverted. A centralized approach to key management provides a natural separation of duties between those that manage and those that use keys, improving organizational governance.

Key Management Concerns - a Checklist

Any key management solution must offer:

  • Security - Any system that manages keys represents an obvious point of attack and should embody security properties that are consistent with the most valuable keys under management. In most cases this will require the key management system to be strengthened by the use of dedicated cryptographic hardware such as HSMs.
  • Reliability - From an operational perspective it's imperative that the keys will be available when needed. Key management lifecycles will typically extend to match the longest document archival requirements. 
  • Scale - As the number of applications and end-points that utilize cryptography increases, it will be imperative that a key management system can scale to support potentially many thousands or even millions of geographically dispersed end-points and keys.
  • Automation – With increasing scale and as concerns over staff training and potential human error emerge, automation becomes a critical capability of any key management system - delivering a real return on investment.
  • Flexibility - In unifying key management tasks, a key management system must be able to support the logical domains and authorities that exist within the enterprise, allow these to change as organizational structures evolve, and accommodate new deployments of encryption or other forms of cryptography.
  • Auditability - The power of encryption is only as good as the controls over the keys. The ability to strongly audit the management tasks associated with keys and the distribution of keys quickly becomes central to any claims of adherence or compliance to data protection and other security related standards.
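The points made above about what key management actually is (the lifecycle of a key, the policy that decides who may do what with it, separation of duties between those who manage keys and those who use them, and a strong audit trail) can be made concrete in a small model. The following Python is an added example, not code from this page or from nCipher's products: the roles, principals and policy table are constructed for illustration, and HMAC-SHA256 stands in for whatever cryptographic operation a managed key backs, since the standard library ships no AES.

```python
"""Minimal model of a centralized key-management service (added example).

Not nCipher/keyAuthority code. It models the text's concerns: a key moves
through lifecycle states, every request is checked against a role policy,
administrators never perform crypto and applications never see key material
(separation of duties), and every decision lands in a hash-chained audit log.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed role-based policy: admins manage the lifecycle, apps only use
# keys, auditors only read the log. No role may do another role's job.
POLICY = {
    "admin": {"generate", "retire", "destroy"},
    "app": {"use"},
    "auditor": {"audit"},
}


class KeyManagementError(Exception):
    """Raised for policy denials and lifecycle violations."""


@dataclass
class ManagedKey:
    key_id: str
    material: bytes
    state: str = "active"  # lifecycle: active -> retired -> destroyed


class KeyManager:
    def __init__(self, audit_secret: bytes):
        self._keys = {}
        self._audit = []
        self._audit_secret = audit_secret  # would live in an HSM in practice
        self._prev_digest = b"\x00" * 32

    def _log(self, principal, role, action, key_id, outcome):
        # Each entry's MAC covers the previous digest, so editing or deleting
        # any entry breaks verify_audit_log().
        record = f"{len(self._audit)}|{principal}|{role}|{action}|{key_id}|{outcome}"
        digest = hmac.new(self._audit_secret, self._prev_digest + record.encode(),
                          hashlib.sha256).digest()
        self._audit.append({"record": record, "digest": digest})
        self._prev_digest = digest

    def _authorize(self, principal, role, action, key_id=None):
        allowed = action in POLICY.get(role, set())
        self._log(principal, role, action, key_id, "allow" if allowed else "deny")
        if not allowed:
            raise KeyManagementError(f"role {role!r} may not {action}")

    def _get(self, key_id):
        try:
            return self._keys[key_id]
        except KeyError:
            raise KeyManagementError(f"unknown key {key_id}") from None

    def generate(self, principal, role, key_id):
        self._authorize(principal, role, "generate", key_id)
        if key_id in self._keys:
            raise KeyManagementError(f"key {key_id} already exists")
        self._keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32))
        return key_id

    def retire(self, principal, role, key_id):
        self._authorize(principal, role, "retire", key_id)
        key = self._get(key_id)
        if key.state != "active":
            raise KeyManagementError(f"key {key_id} is {key.state}, not active")
        key.state = "retired"  # retained for recovery, refused for new use

    def destroy(self, principal, role, key_id):
        self._authorize(principal, role, "destroy", key_id)
        key = self._get(key_id)
        if key.state != "retired":
            raise KeyManagementError("keys must be retired before destruction")
        key.material = b"\x00" * len(key.material)  # overwritten in this model
        key.state = "destroyed"

    def state(self, key_id):
        return self._get(key_id).state

    def use(self, principal, role, key_id, message: bytes) -> bytes:
        # Callers submit data and get a result; key material never leaves.
        self._authorize(principal, role, "use", key_id)
        key = self._get(key_id)
        if key.state != "active":
            raise KeyManagementError(f"key {key_id} is {key.state}")
        return hmac.new(key.material, message, hashlib.sha256).digest()

    def audit_entries(self, principal, role):
        self._authorize(principal, role, "audit")  # the read is itself logged
        return [e["record"] for e in self._audit]

    def verify_audit_log(self) -> bool:
        prev = b"\x00" * 32
        for entry in self._audit:
            expected = hmac.new(self._audit_secret, prev + entry["record"].encode(),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, entry["digest"]):
                return False
            prev = expected
        return True
```

The design choice worth noting is that denials are logged before the exception is raised: an administrator who tries to use a key, or an application that tries to mint one, leaves a record either way, which is what makes the separation of duties auditable rather than merely asserted.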

The nCipher keyAuthority enterprise key management system

keyAuthority offers centralized cryptographic key management and automated distribution of keys for security applications across many network end-points. By simplifying and centralizing the supervision of keys, keyAuthority helps you to reduce operational costs, better enforce security policies and comply with privacy regulations.


©1996-2008 nCipher Corporation Ltd. All rights reserved
