Unlocking best practices for successful encryption key management


W. Curtis Preston
02.20.2007

There are two reasons why "data-in-flight" key management systems won't work when encrypting data "at rest."

The first reason is that data-in-flight encryption has no concept of key memory. Once you move from one key to another, the old key is no longer necessary. However, when encrypting stored data, keys are changed on a regular basis, and the old keys must be kept; otherwise old data encrypted with those keys won't be readable. The second reason is that there is no way to rebuild the connection if it is lost. If a VPN breaks due to a corrupted or lost key, all you have to do is rebuild it. However, if you lose or corrupt a key that you used to store a particular piece of data, then that data is lost forever. That's why a good key management system must keep track of which keys were used where, and must make sure that no one who is not authorized has access to those keys.

There are two primary types of key systems used for storing encrypted data today: single-key and multiple-key systems. A single-key system uses some type of key to encrypt the data, and simple possession of that key is all that is needed to decrypt it. If a black hat obtains that key, he or she will be able to read your encrypted data. This is the most rudimentary of all key systems.

Therefore, the first thing to do with a single-key system is to create a log of the keys that were used in the system and when they were used. This would include the current key and any previous keys that were used to create tapes that you are still using to store data. If there is ever any possibility that a key has been compromised, change the key immediately, and make note of that in the key log.

The second thing you must do with a single-key system is to place your own process around the storage of the key log. Do whatever you can do to ensure that no single person can obtain access to the key log. For example, store the key log separately from your tapes, and ensure that at least two people must sign another log to gain access to the key log.
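The key log described in the two steps above, as an added example (not code from the article): every key ever used to write a tape stays in the log so old tapes remain readable after rotation, each tape records which key wrote it, and a compromised key is retired and noted rather than deleted. Names such as KeyLog, rotate and mark_compromised are assumptions for this illustration.

```python
import datetime as dt
from dataclasses import dataclass, field


@dataclass
class KeyRecord:
    key_id: str
    created: dt.date
    status: str = "active"   # active | retired | compromised
    note: str = ""


@dataclass
class KeyLog:
    keys: dict = field(default_factory=dict)    # key_id -> KeyRecord (never deleted)
    tapes: dict = field(default_factory=dict)   # tape_id -> key_id that wrote it

    def rotate(self, new_key_id, today, reason="scheduled rotation"):
        """Make new_key_id the active key; the previous active key is retired, not removed."""
        for rec in self.keys.values():
            if rec.status == "active":
                rec.status = "retired"
                rec.note = f"superseded by {new_key_id} on {today}: {reason}"
        self.keys[new_key_id] = KeyRecord(new_key_id, today)

    def active_key(self):
        active = [k for k, r in self.keys.items() if r.status == "active"]
        if len(active) != 1:
            raise RuntimeError("exactly one active key expected")
        return active[0]

    def record_tape(self, tape_id):
        """A tape is always written with the current active key, and that fact is logged."""
        self.tapes[tape_id] = self.active_key()

    def mark_compromised(self, key_id, replacement_id, today):
        """Retire the key immediately and note why; rotate if it was the active key."""
        rec = self.keys[key_id]
        was_active = rec.status == "active"
        rec.status = "compromised"
        rec.note = f"compromise suspected on {today}; replaced by {replacement_id}"
        if was_active:
            self.rotate(replacement_id, today, reason="compromise")

    def key_for_tape(self, tape_id):
        """Key memory: look up the key that wrote a tape, however old it is."""
        key_id = self.tapes[tape_id]
        if key_id not in self.keys:
            raise KeyError(f"tape {tape_id} needs key {key_id}, which is missing: data unrecoverable")
        return key_id

    def tapes_needing_rewrite(self):
        """Tapes written with a compromised key should be re-encrypted under a clean key."""
        return sorted(t for t, k in self.tapes.items() if self.keys[k].status == "compromised")
```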

Multiple-key systems are very different. These use one set of keys for encrypting the data, and another set of keys for authenticating administrators. The administrators never actually see the keys used to encrypt the data; they only see their own username and key. Even if an administrator were able to steal a copy of the database used to store the encryption keys, he or she would not be able to use them to read your backup tapes unless he or she had a system that was authorized to use the keys.

The way such a system is authorized to use these keys varies from vendor to vendor, but one approach is to use the concept of a key quorum. This is where multiple users must enter their username and key -- and sometimes insert a physical key card -- in order to authorize a new system. Once that's been done, the encryption keys may be used in that system. This prevents a single rogue employee from stealing your tapes and encryption keys and making any sense of them.
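A simplified model of the multiple-key system with a key quorum described above, added here as an illustration rather than any vendor's implementation: each administrator's credential (username plus admin key) only produces an approval bound to one system, a system becomes authorized once a quorum of distinct administrators have approved it, and data encryption keys are released to authorized systems only, never to an administrator directly. KeyServer, approve, authorize_system and the in-memory key store are assumptions; a real product would also wrap the stored keys rather than hold them in the clear.

```python
import hashlib
import hmac
import secrets


def approve(username, admin_key, system_id):
    """An administrator's approval: an HMAC over the system id under that admin's key."""
    tag = hmac.new(admin_key, system_id.encode(), hashlib.sha256).digest()
    return username, tag


class KeyServer:
    def __init__(self, admin_keys, quorum):
        self.admin_keys = admin_keys   # username -> admin key (bytes), used only to verify approvals
        self.quorum = quorum           # number of distinct admins needed to authorize a system
        self.deks = {}                 # key_id -> data encryption key; never returned to admins
        self.authorized = set()        # system ids cleared by a quorum

    def add_dek(self, key_id):
        """Generate a data encryption key inside the server; no admin ever sees it."""
        self.deks[key_id] = secrets.token_bytes(32)

    def authorize_system(self, system_id, approvals):
        """Accept the system only if `quorum` distinct admins produced valid approvals for it."""
        valid = set()
        for username, tag in approvals:
            key = self.admin_keys.get(username)
            if key is None:
                continue
            expected = hmac.new(key, system_id.encode(), hashlib.sha256).digest()
            if hmac.compare_digest(tag, expected):
                valid.add(username)   # a set, so one admin approving twice counts once
        if len(valid) >= self.quorum:
            self.authorized.add(system_id)
            return True
        return False

    def release_dek(self, system_id, key_id):
        """Only a quorum-authorized system can obtain a DEK; an admin key alone cannot."""
        if system_id not in self.authorized:
            raise PermissionError(f"system {system_id} is not quorum-authorized")
        return self.deks[key_id]
```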

About the author:
W. Curtis Preston is vice president of data protection at consultancy Glasshouse Technologies. He is also the author of "The Storage Security Handbook," "Using SANs and NAS," and "Unix Backup and Recovery." Preston has also contributed numerous data protection articles to leading IT publications and has been designing and implementing data protection systems for more than 12 years. Currently he consults on data protection with end users from Fortune 100 and Fortune 500 companies, as well as with vendors around the world. Preston is also one of the most highly rated presenters each year at Information Security Decisions.
