Blog

Understanding Key Management Policy – Part 1

While front line defense mechanisms like firewalls, anti-theft, anti-spyware, etc. definitely act as a strong deterrent against cyber attacks, they are rendered useless when a hacker gains inside entry by exploiting their vulnerabilities to bypass them.

Gemalto Mar 19th 2019 A-A+

With rising incidents of data breaches, organisations across the globe are realising that merely implementing perimeter defense systems no longer suffice to thwart cyber attacks. 

While front line defense mechanisms like firewalls, anti-theft, anti-spyware, etc. definitely act as a strong deterrent against cyber attacks, they are rendered useless when a hacker gains inside entry by exploiting their vulnerabilities to bypass them.

Alarmed by a spike in data breaches, many regulations like the Payment Card Industry Data Security Standard (PCI DSS), UIDAI’s Aadhaar circulars, RBI’s Gopal Krishna Committee Report and the upcoming Personal Data Protection Bill in India now urge organisations to encrypt their customers’ personal data. 
This has resulted in an increasing number of organisations adopting data encryption as their last line of defense in the eventuality of a cyber attack. Unfortunately, with cybercriminals getting smarter and more sophisticated with every passing day, merely encrypting data is no longer the proverbial silver bullet to prevent data breaches. 

In this two-part blog series, we will deep dive into the concept of (encryption) key management and cover the pivotal role a well-defined Key Management Policy (KMP) plays in data protection.

Let’s first begin with the basics!

Types of Encryption (Crypto) Keys 

Crypto keys can be broadly categorised in two types – ‘symmetric keys’ and ‘asymmetric keys’. 

In symmetric key encryption, the cryptographic algorithm uses a single (i.e. same) key for both encryption and decryption. Contrastingly, in asymmetric key encryption, the algorithm uses two different (but related) keys for encryption and decryption. These keys are known as ‘public keys’ and ‘private keys’. 

While the public key is used for data encryption, the private key is used for data decryption. Since any data encrypted with the public key cannot be decrypted without using the corresponding private key, ensuring optimal security of the private keys is crucial for foolproof data protection.
 
Key Management 

Since crypto keys pass through multiple phases during their lifetime – like generation, registration, distribution, rotation, archival, backup, revocation and destruction, securely managing these keys at each phase is very important. 
 
Effective key management means protecting the crypto keys from loss, corruption and unauthorised access. 

Challenges to Key Management

As more and more organisations generate thousands of crypto keys today for a diverse and disparate set of encryption-dependent systems spread across multiple businesses and geographical locations, key management becomes a big challenge. 

To ensure that crypto keys do not fall in the wrong hands, a common practice followed by many organisations is to store these keys separately in FIPS-certified Hardware Security Modules (HSMs) that are in-built with stringent access controls and robust audit trail mechanisms. 

However, with organisations using a diverse set of HSM devices like Payment HSMs for processing financial transactions, General Purpose HSMs for common cryptographic operations, etc., key management woes intensify. Further, merely storing the keys separately in HSM devices is not sufficient, as apart from secure storage, efficient management of the crypto keys at every phase of their lifecycle is very important. 

Some of the other key management challenges that organisations face include using the correct methodologies to update system certificates and keys before they expire and dealing with proprietary issues when keeping a track of crypto updates on legacy systems.

Hence, cybersecurity experts recommend that organisations centralise the management of their crypto keys, consolidate their disparate HSM systems and chalk out a comprehensive KMP that provides clear guidelines for effective key management.

Key Management Policy (KMP) 

While most organisations have comprehensive Information Security and Cybersecurity policies, very few have a documented Key Management Policy. 

A well-defined KMP firmly establishes a set of rules that cover the goals, responsibilities, and overall requirements for securing and managing crypto keys at an organisational level. 

Designed to cohesively cover each stage of a key’s lifecycle, a robust KMP should protect the key’s: 

  1. Confidentiality
  2. Integrity
  3. Availability, and
  4. Source Authentication

The KMP should also cover all the cryptographic mechanisms and protocols that can be utilised by the organisation’s key management system. 

Last, but not least, a good KMP should remain consistent and must align with the organisation’s other macro-level policies. For example, if an organisation’s information security policy mandates that electronically transmitted information should be securely stored for a period of 7-10 years, the KMP should be able to easily align to such a mandate.

To Sum It Up

Data encryption is no longer sufficient to prevent data breaches and merely storing the crypto keys separately no longer guarantees foolproof protection against sophisticated cyber attacks.

The need of the hour is to safeguard the keys at each phase of their lifecycle, manage them centrally and implement a robust KMP to ensure optimal data protection.

In the next part, we will discuss how organisations can leverage Key Management Interoperability Protocol (KMIP) to manage their encryption keys and how Gemalto’s Key Management Platform can help them streamline their key management centrally.