Comprehensive key management for maximum security
Sensitive data is a valuable asset that companies safeguard through encryption. Failure to do so can result in data and security leaks that cause financial and reputational damage. Often, different tools are used for encryption, which makes key management even more complicated. Key management solutions help to maintain an overview.
A KMS manages the keys required for cryptographic procedures in a company at a central location, provides timely reminders before they expire and provides support throughout the entire key lifecycle.
A wide variety of keys and certificates are used in a company’s infrastructure. Employees no longer access the infrastructure only from their workstations: more and more network devices (e.g. printers), tablets and mobile devices are integrated, and access from the home office is also made possible. All data that these devices transmit or receive should be encrypted in transit.
Cryptographic keys and digital certificates
Cryptographic keys are used to sign and encrypt information. Digital certificates are needed to give the keys an identity. A company can generate these itself via its internal Public Key Infrastructure (PKI). However, certificates issued by an external certificate authority (CA) enjoy greater trust.
Key Management in the Internet of Things (IoT)
Cryptographic keys are used in every company network, usually in conjunction with digital certificates. They can be used, for example, to give e-mails or other documents digital signatures. In addition, there are now more and more keys for IoT devices such as production machines, locking systems or surveillance cameras, because industry standards recommend encryption when exchanging data in order to protect these devices. This presents an additional challenge in terms of data security and data protection.
Key Management System (KMS)
It is therefore a good idea to use a key management system (KMS). Such a system holds the keys required for cryptographic procedures in a company at a central location, issues timely reminders before they expire and supports the entire key lifecycle.
A central Enterprise Key Management System thus facilitates an overview of the cryptographic keys in use in the company and in this way prevents unauthorised access. At the same time, the validity of the certificates and keys used is effectively monitored and controlled. In this way, all cryptography keys are managed uniformly and automatically.
Key management ensures that keys are genuine and kept secret. It can generate, store, provision, exchange and protect a large number of keys. Professional tools also offer the possibility of connecting hardware security modules (HSMs) to generate or store keys. In these, the keys are managed even more securely and a higher security level can be achieved. Depending on the HSM manufacturer, audit-compliant reports can also be generated, which contribute to audit security. In addition, automated key management is more reliable than error-prone manual procedures such as Excel lists.
In the asymmetric encryption process with public keys and private keys, the KMS ensures that a public key really belongs to the transmitting person or machine identity and matches the private key. For verification, it contacts a Certificate Authority (CA) or a Trust Centre (TC). In addition, keys and certificates are transmitted to the target systems via secured paths.
Goals of key management
Key management includes the following goals:
- Secure management of large quantities of keys, central overview
- Administration and control of all encryption keys used in the company
- Support of different standards and key types
- Protection of keys from hackers and unauthorised access
- Access to keys only for authorised persons
- Audit security through adherence to compliance guidelines and legal requirements
- Analysis of the encryption keys in the company: detection of weaknesses and proactive replacement
- Process automation
Functions of key management
Key management includes the following functions, among others:
- Secure communication, e.g. with CAs and TCs
- Creation of cryptographic keys using various encryption and signature algorithms
- Storage and provision of key material
- Secure transmission of keys
- Revocation and destruction of compromised or invalid keys
- Logging of key-related actions in the KMS
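The functions listed above, modelled as an added example (not code from the page or from essendi): a small in-memory key registry with generation, authorised provisioning, revocation, destruction, expiry reminders and an audit trail. The actor names, key identifiers and the fixed clock are constructed for illustration; a real KMS would keep the key material in an HSM rather than in process memory.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class KeyRecord:
    key_id: str
    purpose: str
    not_after: datetime
    allowed: frozenset      # actors permitted to fetch the material
    state: str = "active"   # active -> revoked -> destroyed
    material: bytes = field(default=b"", repr=False)

class KeyRegistry:
    # In-memory stand-in for a KMS; a real one keeps the material in an HSM.
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._keys, self.audit, self._clock = {}, [], clock
    def _log(self, action, key_id, actor, detail=""):
        # Every key-related action is recorded for the audit trail.
        self.audit.append((self._clock().isoformat(), action, key_id, actor, detail))
    def generate(self, key_id, purpose, lifetime_days, allowed, actor):
        if key_id in self._keys:
            raise ValueError(f"key {key_id!r} already exists")
        self._keys[key_id] = KeyRecord(key_id, purpose, self._clock() + timedelta(days=lifetime_days),
                                       frozenset(allowed), material=secrets.token_bytes(32))
        self._log("generate", key_id, actor, purpose)
    def provision(self, key_id, actor):
        # Material is released only to an allowed actor while the key is active and unexpired.
        rec = self._keys[key_id]
        ok = actor in rec.allowed and rec.state == "active" and rec.not_after > self._clock()
        self._log("provision" if ok else "provision-denied", key_id, actor)
        if not ok:
            raise PermissionError(f"{actor} may not use key {key_id!r}")
        return rec.material
    def revoke(self, key_id, actor, reason):
        self._keys[key_id].state = "revoked"
        self._log("revoke", key_id, actor, reason)
    def destroy(self, key_id, actor):
        rec = self._keys[key_id]
        rec.state, rec.material = "destroyed", b""   # material dropped, metadata kept for audit
        self._log("destroy", key_id, actor)
    def expiring_within(self, days):
        # Reminder list: active keys whose validity ends inside the horizon.
        horizon = self._clock() + timedelta(days=days)
        return sorted(k for k, r in self._keys.items() if r.state == "active" and r.not_after <= horizon)

def frozen_registry():
    # Registry with a fixed clock (constructed here so results are reproducible).
    return KeyRegistry(clock=lambda: datetime(2024, 1, 1, tzinfo=timezone.utc))
```

Denied provisioning attempts are logged just like successful ones, so the audit trail also shows who tried to use a revoked or foreign key.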
The key management protocol KMIP
Applications and systems must be able to exchange information with key management systems in a secure way. The Key Management Interoperability Protocol (KMIP) was developed for this purpose. Via this standardised communication protocol, different systems can be linked to a KMS for cryptographic operations, which makes central key management possible.
A special case is the encryption of cloud data. Data stored in the cloud must be protected from unauthorised access by the cloud operator (e.g. Amazon Web Services). The associated keys must therefore be stored separately from the data requiring protection. In such cases, hardware-based modules are used. The Amazon Web Services KMS (AWS KMS) offers a BYOK option (Bring Your Own Key) for this purpose. For Microsoft 365, on the other hand, there is Double Key Encryption (DKE).
Hardware security modules
In many cases, hardware security modules (HSMs) offer extended protection and allow a higher level of security to be achieved. HSMs are independent hardware components that serve to secure cryptographic procedures. They are suitable for generating signature and encryption keys and offer services to perform cryptographic operations with the keys. One example is authenticating blockchain transactions.
Since decryption of the cloud data is only possible via the separate and tamper-proof HSM, an additional layer of security is created. In addition, some HSMs, depending on the manufacturer, destroy their contents if manipulation is detected, e.g. opening or unscrewing the hardware.
An example of a key management service is the one from AWS (Amazon Web Services). AWS KMS uses validated hardware security modules and a so-called KMS Key (Key Management Service Key). This fail-safe service enables cryptographic keys to be created, managed and protected centrally.
Key Management in the Context of Standards (DIN EN ISO/IEC 27001, National Institute of Standards and Technology / NIST Framework)
The fact that the proper management of cryptographic keys (encryption keys) is a relevant topic is made clear by their mention in ISO 27001 and the NIST Framework. In the course of setting up an information security management system (ISMS), ISO 27001 requires the use of cryptography in the company as point A.10 in the appendix. The standard requires:
- to define guidelines for the use of cryptographic measures to protect information
- to develop a policy for the use, protection and lifetime of cryptographic keys and to implement their entire life cycle (key management).
In addition, the National Institute of Standards and Technology (NIST) in the USA has defined a framework that provides guidance on the design and implementation of cryptographic key management (A Framework for Designing Cryptographic Key Management Systems). This framework also deals with the definition of specifications, standards and roles for the secure handling of keys. It also clarifies the requirements for a KMS tool.
essendi xc. Simple and smart.
essendi xc provides connection options for HSMs from renowned providers in order to ensure the high level of protection required for your key material and/or to connect HSMs that are already in the SSL/TLS environment.
As a fully comprehensive management system for all types of X.509 certificates (CKMS), essendi xc covers the complete certificate life cycle with the help of key policies and status monitoring. It supports your organisation in handling certificates and their keys: from application and installation to renewal or archiving of expired certificates. Since xc can generate audit-compliant and audit-proof reports, it supports the implementation of ISMS in line with ISO 27001 and the NIST framework.
Our central dashboard gives you a graphical overview of your certificate inventory using different charts. You can evaluate it, for example, by signature algorithm or by certification authority. For more information, please visit xc.essendi.de.