Data protection leads companies to implement various encryption solutions. In this sense, one aspect that cannot be overlooked is the need for proper key management.
This is mainly due to the widespread use of encryption as a result of governance and compliance requirements. This shows that we have made progress in terms of data protection, but exposes the major challenge of key management.
After all, it’s common to manage keys in Excel spreadsheets, which can bring a great risk to organizations, since losing control or even losing cryptographic keys can cause the company to lose its data.
Key Challenges of Proper Key Management
Management is vital for the effective use of encryption. The loss or corruption of keys can lead to loss of access to systems and render them completely unusable.
Proper key management is a challenge that increases with the size and complexity of your environment. The larger your user base, the more difficult it will be to manage efficiently.
Some of the biggest challenges involve:
User training and acceptance
Users don’t like change. Although not really part of the key management process, failure to accept them can be a major impediment to the success of a project.
Therefore, it is necessary to map the impact of adopting and using cryptography in your production cycle and the difficulties in recovering or resetting keys or passwords.
Listen to user feedback and develop appropriate training to address their specific concerns or difficulties. Develop system benchmarks to check performance before and after the product is implemented.
In other words, manage user expectations.
System administration, key maintenance and recovery
These problems can have a major impact on the organization and should be addressed with the supplier before they are purchased. On an enterprise scale, manual key management simply isn’t feasible.
Ideally, management should integrate with the existing infrastructure, while providing easy administration, delivery and recovery of secure keys.
Recovery is a fundamental process, especially in situations such as an employee leaving the organization without a proper return or when a key is damaged and can no longer be used. It should also be a simple but very safe process.
|
|
In proper key management, the generation procedure should be restricted to one person. In practice, we have, for example, a product process that allows a recovery key to be split into several parts.
From there, the individual parts of the recovery key can be distributed to different security agents. Owners must be present when it is used. This process is simple, but secure, because it requires several parties to recreate the key.
What’s more, forgotten passwords can have an additional impact on the support team. The process must therefore not only be simple, but also flexible. Remote and off-network employees need to be considered as well as internal ones. In this case, remote key recovery is an indispensable feature.
Best practices for proper key management
When dealing with key management problems, who can organizations turn to for help?
The specifics of proper key management are largely dealt with by cryptographic software, where standards and best practices are well established.
In addition, like the National Institute of Standards and Technology (NIST) and the Brazilian Public Key Infrastructure (ICP-Brasil), standards are developed for government agencies that can be applied in any business community. This is usually a good starting point when discussing encryption products with your suppliers.
In the meantime, here are some industry best practices to get you started:
- The usability and scalability of proper corporate key management should be the main focus of product analysis. The ability to leverage existing assets must play an important role in decision-making. Integration with an authentication environment will reduce costs and eliminate the need for redundant systems;
- Two-factor authentication is a necessary security measure for financial organizations. Due to the increased processing power and capabilities of today’s computers, the strength of passwords alone is no longer enough.
Control and training
Management means protecting encryption keys from loss, corruption and unauthorized access. Therefore, at the end of the procedures and techniques applied to the management process, it is necessary to guarantee:
- That the keys are kept securely;
- That they undergo regular change procedures;
- That management includes who the keys are assigned to.
Once the existing keys have been controlled, the policies and processes for provisioning, monitoring, auditing and termination need to be rigorously applied. For this reason, the use of automated tools can greatly ease the burden of responsibility.
Finally, information security professionals, infrastructure professionals, database professionals, developers and other professionals who need to use encryption keys should be trained, as a lack of awareness of the risks of protection failures is one of the main factors in problems.
If there is no control over access, there will be no security.
For more tips on proper key management and other more strategic topics for information security and data protection, subscribe to our newsletter and stay up to date!
About Eval
EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.
With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.
Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.
Eval, safety is value.
