Understanding Key Management Policy
Updated: Aug 31, 2020

With rising incidents of data breaches, organisations across the globe are realising that merely implementing perimeter defense systems no longer suffice to thwart cyber attacks.
While front line defense mechanisms like firewalls, anti-theft, anti-spyware, etc. definitely act as a strong deterrent against cyber attacks, they are rendered useless when a hacker gains inside entry by exploiting their vulnerabilities to bypass them.
Alarmed by a spike in data breaches, many regulations like the Payment Card Industry Data Security Standard (PCI DSS), UIDAI’s Aadhaar circulars, RBI’s Gopal Krishna Committee Report and the upcoming Personal Data Protection Bill in India now urge organisations to encrypt their customers’ personal data.
This has resulted in an increasing number of organisations adopting data encryption as their last line of defense in the eventuality of a cyber attack. Unfortunately, with cybercriminals getting smarter and more sophisticated with every passing day, merely encrypting data is no longer the proverbial silver bullet to prevent data breaches.
In this two-part blog series, we will deep dive into the concept of (encryption) key management and cover the pivotal role a well-defined Key Management Policy (KMP) plays in data protection.
Let’s first begin with the basics!
Types of Encryption (Crypto) Keys
Crypto keys can be broadly categorised in two types – ‘symmetric keys’ and ‘asymmetric keys’.
In symmetric key encryption, the cryptographic algorithm uses a single (i.e. same) key for both encryption and decryption. Contrastingly, in asymmetric key encryption, the algorithm uses two different (but related) keys for encryption and decryption. These keys are known as ‘public keys’ and ‘private keys’.
While the public key is used for data encryption, the private key is used for data decryption. Since any data encrypted with the public key cannot be decrypted without using the corresponding private key, ensuring optimal security of the private keys is crucial for foolproof data protection.
Key Management
Since crypto keys pass through multiple phases during their lifetime – like generation, registration, distribution, rotation, archival, backup, revocation and destruction, securely managing these keys at each phase is very important.
Effective key management means protecting the crypto keys from loss, corruption and unauthorised access.
Challenges to Key Management
As more and more organisations generate thousands of crypto keys today for a diverse and disparate set of encryption-dependent systems spread across multiple businesses and geographical locations, key management becomes a big challenge.
To ensure that crypto keys do not fall in the wrong hands, a common practice followed by many organisations is to store these keys separately in FIPS-certified Hardware Security Modules (HSMs) that are in-built with stringent access controls and robust audit trail mechanisms.
However, with organisations using a diverse set of HSM devices like Payment HSMs for processing financial transactions, General Purpose HSMs for common cryptographic operations, etc., key management woes intensify. Further, merely storing the keys separately in HSM devices is not sufficient, as apart from secure storage, efficient management of the crypto keys at every phase of their lifecycle is very important.
Some of the other key management challenges that organisations face include using the correct methodologies to update system certificates and keys before they expire and dealing with proprietary issues when keeping a track of crypto updates on legacy systems.
Hence, cybersecurity experts recommend that organisations centralise the management of their crypto keys, consolidate their disparate HSM systems and chalk out a comprehensive KMP that provides clear guidelines for effective key management.
Key Management Policy (KMP)
While most organisations have comprehensive Information Security and Cybersecurity policies, very few have a documented Key Management Policy.
A well-defined KMP firmly establishes a set of rules that cover the goals, responsibilities, and overall requirements for securing and managing crypto keys at an organisational level.
Designed to cohesively cover each stage of a key’s lifecycle, a robust KMP should protect the key’s:
1. Confidentiality 2. Integrity 3. Availability, and 4. Source Authentication.
The KMP should also cover all the cryptographic mechanisms and protocols that can be utilised by the organisation’s key management system.
Last, but not least, a good KMP should remain consistent and must align with the organisation’s other macro-level policies. For example, if an organisation’s information security policy mandates that electronically transmitted information should be securely stored for a period of 7-10 years, the KMP should be able to easily align to such a mandate.
To Sum It Up
Data encryption is no longer sufficient to prevent data breaches and merely storing the crypto keys separately no longer guarantees foolproof protection against sophisticated cyber attacks.
The need of the hour is to safeguard the keys at each phase of their lifecycle, manage them centrally and implement a robust KMP to ensure optimal data protection.
With data encryption, the risk is transferred from the data to the encryption keys and to ensure optimal data protection, organizations should make sure that their encryption keys are efficiently managed and safeguarded at each stage of their lifecycle.
In this part, we will cover the various benefits of centralizing your key management and guide you on how to adopt key management for your organization.
Centralized Key Management
When it comes to securely storing the encryption keys, three pertinent questions should be addressed:
1. Where are the keys stored – in third-party applications, in the cloud (private, public or hybrid?), in a heterogeneous environment that supports multiple databases?
2. Are the keys protected with strong access management mechanisms that prevent unauthorised access?
3. Is your approach to key security compliant with the statutory mandates of the regulatory bodies?
As more and more data gets encrypted, the dependence on encryption keys increases and safeguarding all the keys (throughout their entire lifecycle) becomes challenging. The task becomes more daunting in an environment where organizations use diverse vendor systems that generate their own keys.
Further, as encryption keys undergo a lot of changes throughout their lifecycle – like creation, key versioning, distribution, rotation, storage, archival, backup, and ultimately destruction, managing the keys at each juncture of their lifecycle becomes critical.
This is where centralized key management comes handy. With the inherent ability to safely store and manage all the encryption keys centrally in a secure and efficient manner, organizations can uniformly view, control, and administer the encryption keys for all their sensitive data – whether it resides in the cloud, in storage, in databases, or virtually anywhere else.
Leading Key Management Solutions (KMSs) can seamlessly manage keys across heterogeneous encryption platforms and offer extensive support for the Key Management Interoperability Protocol (KMIP) standard, as well as for proprietary interfaces, managing a disparate set of encryption keys becomes easier.
Apart from secure storage and management, another important aspect of centralized key management is key governance. Merely storing and managing the keys is not sufficient but ensuring foolproof access management is equally important. Centralized key management enables proper key governance – even when the data and people move from department to department within the organization.
Requisites for Effective Centralized Key Management
Now that we understand why organizations should adopt centralized key management to ensure optimal data protection, let’s look at the three important requisites for centralized key management to work smoothly:
1. Key Management Server
At the heart of any good Key Management Solution is a FIPS 140-2, Level 3-certified intrusion-resistant, tamper-proof hardware server (also known as a Hardware Security Module or HSM) that plays the important role of creating, storing, retrieving, rotating, archiving and deleting the encryption keys.
This server also facilitates seamless communication with all other applications (both internal as well as external) through native encryption using the Key Management Interoperability Protocol (KMIP).
Below are three important points that organizations should consider while selecting a key management server:
(1) Adherence to Regulatory Compliances
The server must comply with federal security requirements that mandate the destruction of all the stored encryption keys upon detection of a forced entry.
(2) Role Management
The server should have in-built role management features that provide separation of duties between various user roles with handy tools to quickly assign/delete roles. As more and more data gets encrypted leading to an increasing dependence on encryption keys, role management becomes a crucial feature for any organization.
(3) Interoperability
The server should be able to coherently interoperate with other business applications by providing access to its user interface through APIs, web services and encryption connectors.
As a best practice, organizations should:
(a) Store all encryption keys (and not just the Root of Trust Master Key) in the hardware server.
(b) Ensure that the autorotation and versioning of keys take place as per a pre-defined schedule without any downtime during the key rotation process, and
(c) Ensure that the whitelisting of the IP address happens within the secure hardware server itself.
2. Key Management Policies
As seen in our previous post, a key management policy (KMP) is a pre-defined set of rules that cover the goals, responsibilities, and overall requirements for securing and managing an organization’s encryption keys.
While a key management server can centrally manage all the encryption keys and enforce set policies, it cannot create a KMP on its own. The onus of chalking out a comprehensive KMP lies with the organization’s Cybersecurity & IT Heads, like the Chief Information Security Officer (CISO), Chief Risk Officer (CRO), etc. who are responsible for ensuring the adoption of KMPs for data protection. ‘Unambiguity’ is one of the most important pillars of a good KMP that makes sure that there are no misinterpretations whatsoever while accessing the encryption keys. For example, a KMP can unequivocally state that the employees of one business unit or department cannot access the encryption keys of another unit, or that access to the keys can be granted only through the corporate LAN.
3. Key Management Processes
Key management processes are a host of diverse processes like inputs, activities, and outputs that are pivotal to centralized key management.
These processes help users in using their organization’s KMP and can be automated or implemented manually. For example, depending on the sensitivity of the data to be accessed, the Key Management Process may instruct users to either connect through a VPN or through the corporate LAN.
Read more of our Blogs at http://www.woodsllp.com
Licensed from the ThalesGroup