Enterprise key management is a term associated with a broad context encompassing technological solutions, people, well-defined processes, regulatory & policy requirements, standards, and risk assessment. It is about managing encryption keys in a professional way ensuring the security of the keys.
“Encryption is a process that uses algorithms to encode data as ciphertext. This ciphertext can only be made meaningful again, if the person or application accessing the data has the data encryption keys necessary to decode the ciphertext. So, if the data is stolen or accidentally shared, it is protected because it is indecipherable, thanks to data encryption.” Thales: https://cpl.thalesgroup.com/faq/key-secrets-management/what-encryption-key-management
“The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with the keys, and the protection afforded to the keys. All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, use and destruction of keys.” (NIST Special Publication 800-57 Part 1 Revision 4)
Objectives of Enterprise Key Management encompass:
- Securing keys throughout theirlifecycle
- Secure key storage
- Key usage authorization
Key life cycle operations:
Key management operations include creation, maintaining, protecting, and controlling the use of cryptographic keys and typically encryption key lifecycle likely includes the following phases:
- Key generation
- Key registration
- Key storage
- Key distribution and installation
- Key use
- Key rotation
- Key backup
- Key recovery
- Key revocation
- Key suspension
- Key destruction
“Defining and enforcing encryption key management policies affects every stage of the key management life cycle. Each encryption key or group of keys needs to be governed by an individual key usage policy defining which device, group of devices, or types of application can request it, and what operations that device or application can perform — for example, encrypt, decrypt, or sign. In addition, encryption key management policy may dictate additional requirements for higher levels of authorization in the key management process to release a key after it has been requested or to recover the key in case of loss.” https://cpl.thalesgroup.com/faq/key-secrets-management/what-encryption-key-management-lifecycle
Best practices for managing keys include:
- Using certified on-premise hardware security modules (HSMs) for key life cycle operations and key storage
- Using certified cloud HSM capacity for key life cycle operations and key storage
Using HSMs to protect sensitive data combined with the professional and standardized key management processes form the root of trust. Only this combination can really form the root of trust.
The trend in cloud computing is more and more to store data and encryption keys separately instead of just relying on cloud service’s native encryption.
“Enterprise adoption of multiple cloud platforms continues in earnest whether it’s aimed at improving collaboration, reducing datacenter footprint, increasing customer response times or any number of other business goals. As organizations advance their multi-cloud strategies, they are tasked with applying consistent security configurations across workloads and applications. They must also implement data protection that addresses today’s threat vectors and aligns with stringent compliance and audit requirements.
Encrypting cloud data is essential to protecting sensitive information and workloads – but it needs to be done correctly in order to be effective and meet compliance mandates. Forrester’s recent research articulates a number of important best practices, notably:
- Use hardware security modules (HSMs) to store encryption keys separately fromcloud workloads
- Use a centralized HSM infrastructure to manage the encryption keys used acrosscloud environments
- Rotate keys regularly to ensure alignment with compliance requirements andauditor expectations
These security measures are critical to protecting your cloud data and workloads, and it’s vital to get them right from the outset.” (Forrester report 11th of Nov. 2020. Best practices: Cloud data encryption.)