Tip

Unlocking best practices for successful encryption key management

    Requires Free Membership to View

W. Curtis Preston
answers your questions

SearchSecurity.com's live webcast, premiering Wednesday, Feb. 21, 2007 at 12:00 noon ET, reviews the risks of today's backup encryption methods.

There are two reasons why "data-in-flight" key management systems won't work when encrypting data "at rest."

The first reason is that data-in-flight encryption has no concept of key memory. Once you move from one key to another, the old key is no longer necessary. However, when encrypting stored data, keys are changed on a regular basis, and the old keys must be kept; otherwise old data encrypted with that key won't be readable. The second reason is that there is no way to rebuild the connection if it is lost. If a VPN breaks due to a corrupted or lost key, all you have to do is rebuild it. However, if you lose or corrupt a key that you used to store a particular piece of data, then that data is lost forever. That's why a good key management system must keep track of which keys were used where, and must make sure that no one has access to those keys.

There are two primary types of key systems used for storing encrypted data today: single-key and multiple-key systems. A single-key system uses some type of key to encrypt the data, and simple possession of that key is all that is needed to decrypt it. If a black hat obtains that key, he or she will be able to read your encrypted data. This is the most rudimentary of all key systems.

Therefore, the first thing to do with a single key system is to create a log of keys that were used in the system and when they were used. This would include the current key and any previous keys that were used to create tapes that you are still using to store data. If there is ever any possibility that a key has been compromised, change the key immediately, and make note of that in the key log.

More on encryption key management

Use encryption to meet PCI Data Security Standard requirements.

Save money without sacrificing database security.
The second thing you must do with a single key system is to place your own process around the storage of the key log. Do whatever you can do to ensure that no single person can obtain access to the key log. For example, store the key log separately from your tapes, and ensure that at least two people must sign another log to gain access to the key log.

Multiple key systems are very different. These use one set of keys for encrypting the data, and another set of keys for authenticating administrators. The administrators never actually see the keys used to encrypt the data; they only see their username and key. Even if an administrator would be able to steal a copy of the database used to store the encryption keys, he or she would not be able to use them to read your backup tapes unless he or she had a system that was authorized to use the keys.

The way such a system is authorized to use these keys varies from vendor to vendor, but one approach is to use the concept of a key quorum. This is where multiple users must enter their username and key -- and sometimes insert a physical key card -- in order to authorize a new system. Once that's been done, the encryption keys may be used in that system. This prevents a single rogue employee from stealing your tapes and encryption keys and making any sense of them.

About the author:
W. Curtis Preston is vice president of data protection at consultancy Glasshouse Technologies. He is also the author of "The Storage Security Handbook," "Using SANs and NAS," and "Unix Backup and Recovery." Preston has also contributed numerous data protection articles to leading IT publications and has been designing and implementing data protection systems for more than 12 years. Currently he consults on data protection with end users from Fortune 100 and Fortune 500 companies, as well as with vendors around the world. Preston is also one of the mostly highly rated presenters each year at Information Security Decisions.

This was first published in February 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.