Key management challenges and best practices

Data protection is driving financial services firms to implement various encryption products, including full-disk encryption (FDE) for notebook computers and either full- or partial-field encryption on databases. One thing that can't be overlooked is the need for proper key management.

More on encryption: Laptop encryption options Encryption methods for financial organizations

For the purposes of this article, key management refers to all procedures related to generation, exchange, storage, safeguarding, use and replacement of keys.

Key management challenges
The proper management of cryptographic keys is essential to the effective use of encryption products. Loss or corruption of these keys can lead to loss of access to systems and data, as well as making a system completely unusable unless it is reformatted and reinstalled.

Key management is a challenge that grows with the size and complexity of your environment. The larger your user base, the more diverse your environment, or the more distributed they are, the greater the challenge will be. Some of the bigger challenges involve:

User training and acceptance
End users are your first customer, and let's face it -- users don't like change. While not actually part of the key management process, user acceptance can be a huge impediment to the success of any project. It will be especially important if the user experience is changed in any way. Mitigate this problem as much as possible by researching the products in advance. Find out what the impact is to the users in the areas of application or system interface (logins), latency due to the encryption process, and difficulties in key recovery or resetting the users key or passwords. Run a pilot program with actual users as part of the project. Listen to their feedback and develop appropriate training to address their specific concerns or difficulties. Develop system bench marks for performance, both before and after the product is implemented. If it will now take 10 seconds more to complete a particular task, make sure the user knows this in advance. In other words, manage user expectations.

System administration, maintenance and key recovery
These issues are likely to have a huge impact on the organization and must be addressed to the vendor before you make your purchase:

• How are the keys managed?
  Key management is a task that does not scale well. On an enterprise scale, manual key management simply isn't feasible. Ideally, key management should integrate with the existing infrastructure (such as Active Directory) while providing easy administration, secure key delivery and recovery.

• Is there a recovery process?
  Key recovery is critical when an employee leaves the organization without a proper turnover, or if a key becomes damaged and can no longer be used. Recovery should be a simple, but secure process. Key generation should be restricted to an appropriate person(s). For example, one product's process allows a recovery key to be split into several parts. The individual parts of the recovery key can be distributed to different security officers. The owners of each part must be present when the key is used. This process is simple (driven by a software wizard) yet secure because it requires several parties to recreate the key.

• What about password resets?
  Forgotten passwords could create an additional impact on the service center and support staff. Thus, the process should not only be simple, but also flexible. Remote and off-network employees need to be considered as well as in-house employees. Remote key recovery is a must have feature.

Many vendors support a challenge/response procedure to allow remote password resets. In this scenario, a challenge code is generated by the system. The user then calls their administrator and tells them their user information and the challenge code. The administrator then generates a response code, which the user enters to reset their password.

• How complex is it for the users?
  Let's face it, users want things to be simple, and they don't like change. Products shouldn't change the look and feel, and should have a minimal impact on the user experience.

In the end, know what you're buying and how it will impact your organization.

Best practices
Where do financial organizations who haven't dealt with key management issues turn for help? The specifics of cryptographic key management are largely handled behind the scenes by the cryptographic software modules, where the standards and best practices are well established. The National Institute of Standards and Technology (NIST) develop standards for government agencies, but these standards can be applied in any business community. NIST has provided a publication known as Special Publication (SP) 800-57, Recommendations for Key Management Part 1 (.pdf) and SP 800-57 Part 2 (.pdf). NIST has also developed overall encryption requirements, generally referred to as FIPS 140-2, Security Requirements for Cryptographic Modules (.pdf). This is generally a good starting point when discussing encryption products with your vendors.

In the meantime, here are a few industry best practices to get you started:

• The usability and scalability of enterprise key management should be the primary focus in looking at products. The ability to leverage existing assets should play a large role in decision making. Integration with an Active Directory environment for authentication will reduce costs and eliminate the need for redundant systems.

• Two-factor authentication is a necessary security measure for financial organizations. Due to increased processing power and the capabilities of today's computers, the strength of passwords alone is no longer sufficient.

• FDE is a more secure tool than file/folder encryption. FDE does away with most user errors, and makes sure there is no unencrypted space on the disk to save files.

Products
There are a large number of products available, and this market space is growing rapidly. There has also been recent movement of large companies acquiring smaller companies and startups. Here are some of the key players:

• Pretty Good Privacy (PGP)
  PGP has been around for a number of years, and is a recognized industry leader.

• PointSec
  PointSec disk encryption for PCs has been around for years, and was recently acquired by Checkpoint Systems Inc.

• Safeboot
  Safeboot is an established product as well. It was recently acquired by McAfee Inc.

• WinMagic (SecureDoc)
  WinMagic Inc. has been a leader in disk encryption for a while. It was the first product to receive its AES validation from NIST, and the first and only FIPS 140-1 Level 2 certification.

• Entrust Entelligence Disk Security
  Entrust Inc. has been in the PKI market for a long time. They are a known and trusted provide that will likely survive all the mergers and acquisitions intact.

Data encryption and FDE are not new technologies, but the product offerings are evolving rapidly in response to new challenges and regulatory requirements. Evaluate products carefully and know where they came from. Some well-known companies have bought some unknown products to fill this niche. Make sure the products have the maturity and depth of features to meet your organizational needs, as well as regulatory requirements.

About the author:
Randy Nash is CISSP with more than 25 years of professional experience in information security, system security, network security, personnel security, and physical security. First certified in ADP security and risk assessment in 1984, he has a long history of work with civilian, military and government entities. Randy also maintains the security website @RISK Online, where he regularly posts projects and articles on a wide variety of security topics.