Understanding key management and its importance to your overall security posture is fundamental to establishing the best cryptographic infrastructure for your enterprise. Keys and certificates are used for many different tasks and are vital to your organization’s data security. Your hardware security module (HSM) is like the engine of a car – it’s designed for high-performance cryptographic operations. Key management is like the rest of the car – it’s a combination of the people who operate it, the processes that drive it, and the technology that powers it.

I recently participated in Encryption Consulting’s 2022 Virtual Conference, where I talked about encryption, key management, and how to assess your organization’s key management maturity level. In this article, I’d like to recap some of the latest trends, technologies, and best practices to provide actionable intelligence about key management that you can apply to your organization.

The first step is to assess your organization’s key management maturity level. Then, design a key management-friendly ecosystem and consider factors that may be important for application developers. We’ve developed a key management maturity matrix at Futurex that is extremely useful in this regard, helping organizations self-identify where they rank. The maturity matrix can also help solutions providers determine how to position their technology for better use.

The key management maturity matrix asks organizations to consider these questions:

  • How are keys stored?
  • Where are keys indexed?
  • How is the lifecycle maintained?
  • How are audits performed on key material?
  • What is your ability to enact crypto-agility concepts?
  • How is policy enforced on key material?

Sometimes organizations find that their key management strategy looks like a mess. Still, it’s a good practice to identify exactly where your organization is ranked on the matrix and to work hard to improve that position. That said, the “fully mature, top-right hand of the chart” model isn’t necessarily the best for everyone.

Key Management Maturity Matrix Levels

  • No Key Management Model

    This model is typically used after an application is already developed, when someone realizes that cryptographic operations requiring key material are necessary. Often, these keys are stored on developer workstations, or worse, in the software code. The “no key management” model is a terrible one, and introduces considerable risk to an enterprise. This model is also not ideal because the likelihood that anyone will use your products is near zero. What we’ve found is that lack of awareness is the primary reason that some organizations are in this model. Typically, an organization at this level of key management maturity has an IT team that lacks a fundamental awareness that there is a problem at all. Education is very important at this level.

  • Application-specific Key Management Model

    Application teams either develop their own tools or implement application-specific third-party tools. At this level of key management maturity, HSMs may be used to secure key material, but keys may still be software-based. Because key management is enforced by the application, users are dependent on that application's capabilities.

  • Semi-Centrally Managed Key Management Model

    In this semi-centrally managed key management model, an organization has typically deployed a system that is capable of centrally managing keys. However, one or two problems may occur. On one hand, the tool that they’ve deployed might not be extensive from a capability standpoint and the enterprise is limited on what applications can interface with it. On the other hand, an organization might have deployed a mature system with a large offering from a compatibility standpoint, but they are still in the process of migrating applications to it.

    It’s at either stage where we see a “valley of despair” effect. Sometimes there’s a real disparity between the architects who design the system and the rest of the organization. You can have all the technology in the world, but if it’s too complex to implement and requires your CFO to write a check with six zeroes on the end to actually see its full benefit, there’s a good chance it will go nowhere.

    At Futurex, it’s our job as security architects and technology executives to make sure we take this into account. It’s not enough to say, “Here, I’ve built a Ferrari engine, now you figure out how to build the car around it.”

  • Hardware-Backed, Centrally Managed Key Management Model

    At this level of maturity, the hardware-backed, centrally managed model, an organization has implemented a robust, service-oriented architecture for its cryptographic infrastructure: keys are generated and protected in HSMs, and applications consume them through a central service rather than managing them individually.

Where is your organization in the Key Management Maturity Matrix?

There are several factors that drive an enterprise’s key management maturity level:

  • The organization's culture from the top down when it comes to application security and cryptography.
  • Regulatory and audit requirements.
  • Application needs.

Application needs and requirements are typically the primary driver, because application developers require cryptographic keys. Developers and project owners who are aware of common cryptographic attacks and key management principles will commonly go to the security team to discuss organizational policies for managing keys. As these requests increase, the need for a more mature key management model is realized.

When organizations fully realize that centrally managed key management infrastructure is critical, there is often the challenge to deploy it enterprise-wide. After this realization, a tool is deployed and the journey of moving key management activities to the new infrastructure begins.

For example, we’ve helped ATM service providers disentangle key management from their ATM transaction processing infrastructure to allow them to centralize the security and management of their key lifecycle. In addition, there are many other examples which are not industry-specific, such as developing automation tools that ease deployment of new applications. We’ve found that, with the right knowledge and tools, any organization can get over the hump to a hardware-backed centrally managed infrastructure.

There are several best practices that make key management easier. One of the main requirements of your key management infrastructure is that it should absolutely be powered by robust hardware. You can’t fully “harden” your solution without dedicated hardware certified under the strictest international compliance requirements, such as PCI PTS HSM v3 and FIPS 140-3 Level 3. Your solution also needs to support all of the key management use cases for your organization. You don’t want to let your key management policies start fragmenting. As complexity grows, costs rise and security weakens.

With the wrong tool, your access control policies can easily feel like a tightrope: you should make them granular enough to enforce least privilege without making them too burdensome to manage properly. Most importantly, the lifecycle of your keys, which varies not only from organization to organization but from use case to use case, needs to be properly enforced. You also need “crypto-agility” so that you can apply your existing infrastructure to new projects, and to new algorithms, with minimal investment.

What application integrations are important to your organization?

Application integrations with Oracle TDE, Microsoft SQL TDE, VMware vSphere, Apache Tomcat, Google Workspace, and other custom data protection applications should all be considered to determine what makes sense for your organization. The next step is developing a timeline for migrating to a centralized key management infrastructure and determining the order in which applications will be migrated.

You’ll want to configure the key management server, define which endpoints have access to use the keying material, define how that access is granted (whether by an external identity provider or newly generated credentials), and configure the application itself.

As you can see, the process of implementing best practices for your organization’s key management can be made much easier with the expert guidance and tools from Futurex. We’re looking forward to the opportunity to help you and your organization along your key management journey.

To learn more about Futurex’s key management solutions, visit Key Management

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Adam Cason is VP of Global and Strategic Alliances at Futurex, where he manages Futurex’s channel, OEM, and technology partner ecosystem. He has a strong technical background and deep knowledge of hardware security modules, cloud security, key management, and enterprise cryptographic ecosystems.

Multi-Cloud, Hybrid Cloud Security: Options and Flexibility

Multi-cloud and hybrid cloud strategies are gaining ground: the cloud is in the top three IT investment priorities for businesses, according to the newest Flexera survey. In fact, our own David Close, chief solutions architect at Futurex, wrote about how enterprises are commonly using multiple clouds for diversification and to fulfill requirements and regulations in his article, Maintaining Control Over Your Security Infrastructure in a Multi-Cloud World.
“The movement toward broad acceptance of cloud-based encryption and key management will accelerate as more of the pieces come together,” adds Ryan Smith, vice president of global business development at Futurex, in his Help Net Security article outlining cryptographic trends. At Futurex, we have definitely seen organizations become more aggressive with the cloud, especially financial services organizations, that are moving toward payment processing in the cloud.
“Financial services is among the sectors looking to [the] cloud to secure workloads. Sophisticated cyberattacks pushed businesses to shape up cloud security strategies… Hybrid cloud is a popular approach as a way to balance security and cost,” echoes Katie Malone in CIO Dive.

We see these as the top cloud trends this year:

  1. The cloud will play a bigger role in financial services
  2. Increased cloud infrastructure deployments and spending across all industries
  3. Prioritization of security in the cloud
  4. Increased hybrid cloud use for cryptographic needs, such as payment processing
  5. More attention to encryption key management

The Importance of Cloud Security, Encryption Key Security

Cloud security continues to be one of the biggest issues concerning IT departments, with 96% of respondents in a recent survey, The State of Cloud Security 2020, expressing concerns. “A fundamental principle of enterprise security is robust key management and ensuring critical data is protected by well-managed encryption processes, wherever the data resides,” states Close.
It’s vital for enterprises to maintain control of their security infrastructure from end to end, a requirement that has become more complex with the advent of the cloud — and multi-cloud. Since encryption keys are what unlock data, enterprises must maintain control over the keys and have airtight protections in place to keep them from being compromised in any way.
Key management is the core of encryption: hardware security modules (HSMs) are tasked with managing the lifecycle of the encryption keys used across an organization’s entire estate of applications. Sophisticated key management solutions are essential to any cryptographic operation because encrypted information is only as secure as the encryption keys. If the keys are compromised, then so is the encrypted data. I wrote about this in detail in my recent article, Key Management with Acuity: On-Premises, Cloud, Hybrid, published in Infosecurity.

What About a Hybrid Approach?

When it comes to encryption key management and securing cryptographic infrastructures, there are several options for organizations: on-premises, cloud, or hybrid. Today, we have seen many organizations seeking a hybrid model. They like the combination of physically overseeing their own HSMs plus the accessibility and convenience of the cloud. A hybrid approach, using both on-premises HSMs and cloud HSMs, allows organizations to construct an elastic infrastructure model for scalability, backup, and failover.
In fact, Forrester’s research indicates that 74% of enterprises describe their strategy as hybrid/multi-cloud. A recent CISO Mag roundtable, Gearing for Greatness: The Future of India’s BFSI Ecosystem, gathered financial services organizations to weigh in on hybrid approaches to HSMs. Highlights of the webinar are here.
While there is no one-size-fits-all approach to securing your cryptographic infrastructure, there are increasingly more options, especially as cloud providers give organizations more flexible choices such as retaining control of the keys. Organizations can now shift from one cloud provider to another or embrace a multi-cloud strategy.
I think my colleague, David Close, says it best when he recommends, “Whether it’s managing workloads, handling spikes and surges, providing disaster recovery, holding data at rest, or satisfying audit requirements, having a robust key management system as part of your security infrastructure is ever-critical.”


Want to centralize and simplify key management functions across multiple clouds, while retaining control over your data and encryption keys? Register for our webinar with Encryption Consulting, What You Need to Know About Multi-Cloud Key Management, on Wednesday, October 28 at 11:00 a.m. CT.

What questions should you ask of your cloud provider?

What are critical architectural factors for implementing cloud key management?

Public cloud vendors, including AWS, Google Cloud Platform, and Microsoft Azure, have their own solutions for encryption key management. While this establishes a high degree of security, organizations lose control over the keys.

Enter BYOK. The industry is trending toward giving customers more control over their cryptographic keys. All of the major cloud vendors now have support for Bring Your Own Key (BYOK), so that organizations can maintain control over the keys used for their data and applications, giving them greater data portability and flexibility. The ability to shift from one cloud provider to another — including multiple cloud providers at once — gives organizations options. This matters especially when it comes to managing workloads, handling spikes and surges, and providing disaster recovery — not to mention satisfying audit requirements involving backup or redundancy capabilities.

BYOK allows organizations to encrypt data inside cloud services with their own keys, generated under their control and then maintained within the cloud provider’s vault, while still continuing to leverage the cloud provider’s native encryption services to protect their data. A win-win.

Here is how it works: keys are generated, escrowed, rotated, and retired in an on-premises or cloud hardware security module (HSM), and only then delivered to the cloud provider. A best practice is to use a FIPS 140-2 Level 3 HSM to more fully address compliance and reporting requirements.
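The lifecycle just described (generate, escrow, rotate, retire) and the earlier configuration step of defining which endpoints may use which keying material are policies that a key management system has to enforce, not just describe. The following is an added example, not Futurex or Encryption Consulting code, written in plain Python with only the standard library. It models a small policy engine: keys move through active, deprecated and retired states; a key past its rotation age is automatically rotated; only listed endpoints may use a key; a deprecated key can still verify old data but cannot protect new data; a retired key is zeroised; and every decision, including denials, lands in an audit trail. HMAC-SHA256 stands in for the cryptographic operation an HSM would perform, the key identifiers and endpoint names are constructed for the demo, and the current time is passed in explicitly so the walkthrough is deterministic.

```python
# Added example (not the page's or vendor's code): lifecycle, rotation, endpoint
# access and audit enforcement over key material. HMAC-SHA256 is a stand-in for
# the HSM operation; key ids and endpoint names are constructed for the demo.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum


class KeyState(Enum):
    ACTIVE = "active"          # may protect new data and verify existing data
    DEPRECATED = "deprecated"  # rotated out: verify only, no new protection
    RETIRED = "retired"        # material destroyed; any use is a violation


class PolicyViolation(Exception):
    """Raised when a request breaks lifecycle or access policy."""


@dataclass
class ManagedKey:
    key_id: str
    purpose: str                  # e.g. "tde" (constructed label)
    material: "bytes | None"      # None once retired (zeroised)
    created_at: int               # epoch seconds
    max_age: int                  # rotation period in seconds
    allowed_endpoints: frozenset  # endpoints permitted to use this key
    state: KeyState = KeyState.ACTIVE


@dataclass
class KeyStore:
    keys: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (time, event, key_id, endpoint)

    def _log(self, now, event, key_id, endpoint="-"):
        self.audit.append((now, event, key_id, endpoint))

    def generate(self, purpose, allowed_endpoints, max_age, now):
        key_id = f"{purpose}-{len(self.keys) + 1:03d}"
        self.keys[key_id] = ManagedKey(key_id, purpose, secrets.token_bytes(32),
                                       now, max_age, frozenset(allowed_endpoints))
        self._log(now, "generate", key_id)
        return key_id

    def active_key(self, purpose):
        for k in self.keys.values():
            if k.purpose == purpose and k.state is KeyState.ACTIVE:
                return k.key_id
        return None

    def rotate(self, purpose, now):
        """Deprecate the active key for a purpose and issue a successor with the same policy."""
        old = self.keys[self.active_key(purpose)]
        old.state = KeyState.DEPRECATED
        self._log(now, "deprecate", old.key_id)
        return self.generate(purpose, old.allowed_endpoints, old.max_age, now)

    def enforce_rotation(self, now):
        """Rotate every active key that has reached its max_age; returns the new key ids."""
        due = [k.purpose for k in self.keys.values()
               if k.state is KeyState.ACTIVE and now - k.created_at >= k.max_age]
        return [self.rotate(p, now) for p in due]

    def retire(self, key_id, now):
        k = self.keys[key_id]
        if k.state is not KeyState.DEPRECATED:
            raise PolicyViolation(f"{key_id}: only deprecated keys may be retired")
        k.material = None  # zeroise; an HSM would destroy the key object here
        k.state = KeyState.RETIRED
        self._log(now, "retire", key_id)

    def _authorize(self, key_id, endpoint, allowed_states, now):
        k = self.keys[key_id]
        if k.state not in allowed_states or endpoint not in k.allowed_endpoints:
            self._log(now, "denied", key_id, endpoint)
            raise PolicyViolation(f"{key_id}: {endpoint} denied in state {k.state.value}")
        return k

    def protect(self, key_id, endpoint, data, now):
        """Protect new data: only ACTIVE keys, only listed endpoints."""
        k = self._authorize(key_id, endpoint, {KeyState.ACTIVE}, now)
        self._log(now, "protect", key_id, endpoint)
        return hmac.new(k.material, data, hashlib.sha256).hexdigest()

    def verify(self, key_id, endpoint, data, tag, now):
        """Verify existing data: ACTIVE or DEPRECATED keys, so rotation never strands data."""
        k = self._authorize(key_id, endpoint, {KeyState.ACTIVE, KeyState.DEPRECATED}, now)
        self._log(now, "verify", key_id, endpoint)
        expected = hmac.new(k.material, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def demo():
    """Walk one key through generate -> use -> rotate -> verify-only -> retire."""
    store = KeyStore()
    day = 86400
    k1 = store.generate("tde", ["db-primary"], max_age=90 * day, now=0)
    tag = store.protect(k1, "db-primary", b"row-1", now=10)
    denied = []
    try:  # endpoint not on the key's access policy
        store.protect(k1, "web-frontend", b"row-1", now=11)
    except PolicyViolation as e:
        denied.append(str(e))
    k2 = store.enforce_rotation(now=91 * day)[0]  # past max_age: k1 deprecated, k2 issued
    still_verifies = store.verify(k1, "db-primary", b"row-1", tag, now=91 * day + 1)
    try:  # deprecated key may not protect new data
        store.protect(k1, "db-primary", b"row-2", now=91 * day + 2)
    except PolicyViolation as e:
        denied.append(str(e))
    store.retire(k1, now=100 * day)
    return store, k1, k2, still_verifies, denied


if __name__ == "__main__":
    store, k1, k2, ok, denied = demo()
    print(k1, "->", k2, "old data still verifies:", ok)
    for entry in store.audit:
        print(entry)
```

The point of the split between `protect` and `verify` is that rotation must not strand existing data: the deprecated key stays usable for verification (or decryption) until everything protected under it has been re-protected under its successor, and only then is it retired and its material destroyed. The audit list records denials as well as successes, which is what an auditor reviewing key material usage will ask for.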

While BYOK offers increased control, it also comes with additional key management responsibilities that are magnified in multi-cloud environments. Every cloud provider has its own set of APIs and its own cryptographic methods for transporting keys. Fundamentally, the processes, procedures and methods for managing keys are completely different across clouds, and not just from an API standpoint, but from architecture and process standpoints with each requiring different key management techniques.

What are best practices for multi-cloud ecosystems?

What are prerequisites for BYOK?

Register for our webinar, What You Need to Know About Multi-Cloud Key Management, to learn about key rotation best practices and how to manage the cryptographic key lifecycle.
