A Cost-Effective Encryption Strategy Starts With Key Management

Companies have a problem with encryption: While many businesses duly encrypt sensitive data, there is no standard strategy for deploying and managing a key-management infrastructure.

Every organization needs to make a large number of decisions in designing a key-management policy that works for their business, Karen Reinhardt, principal engineer for cryptographic services at Home Depot, told attendees at the RSA Conference in San Francisco last week.

"One size does not fit all," she said.

Some cloud-native startups can manage much, if not all, of their encryption keys in the cloud, while large enterprises with legacy technology likely need a locally hosted system and hybrid infrastructure. Some groups, such as developers, may be able to manage their own infrastructure, while general employees need their keys managed for them. Finally, every company needs to take into account the post-quantum future, Reinhardt said.

Encryption is a necessary technology for securing data and systems, but there is more to data security than just encrypting the data. Perhaps the most complex part of any encryption infrastructure is managing the keys needed to decrypt data. If the attacker has access to the keys, they have access to the encrypted data; defenders who lose access to the keys lose access to data.

Reinhardt outlined five points enterprise security teams should consider to "keep everybody from putting their proverbial key under their doormat, which is a problem I see all the time."

1. Data Availability Requires Decryption

The first lesson for companies is that encryption keys are critical — perhaps more critical than proper encryption. Data is unusable if you can't decrypt it, so knowing where the decryption keys are is often much more important than knowing the location of the encryption keys, said Reinhardt.

Organizations should always have a controlled archive of decryption keys, she said.

"The thing about identity is you can always replace it — OK, you lost your driver's license. Let me get you a new one," Reinhardt said. "But if you have data that's encrypted with something, you can only decrypt it one way."

2. 'Encrypt Everything' Might Not Be Worth It

Security controls continue to be expensive to implement, and encryption is no exception. Companies need to measure the cost of creating and managing encryption infrastructure against the cost of a breach to find their "optimum security at minimum cost," Reinhardt said.

"Security does you no good if you bankrupt your company," she said. "Stronger controls almost always equal more money, so [while I'm] not actually against 'encrypt everything,' it's a lot of money, a lot of processing, a lot of extra memory — so I'm more of a fan of focus on what really needs to be kept secret."

3. Cloud Changes Everything But Gives You Options

Companies moving more of their infrastructure to cloud services and platforms are already trying to control data sprawl; cloud-native key management adds key sprawl to the equation as well. Companies need to take stock of not only their critical data — what needs to be encrypted — but also how each cloud service manages its keys and other secrets and whether the company can centralize management to increase control.

"Where are the keys? Well, a lot of times, they're in a local key store sitting on a system. And in other cases, they can be in a remote store," Reinhardt said. "They could be anywhere these days — on-prem, in the cloud, [hosted by] a vendor, or in your own managed cloud."

4. Legacy Integration Remains a Headache

Smaller companies just starting out with key management can create greenfield key management and take advantage of the latest technologies to simplifying their infrastructure and strengthen control over their data. Yet large companies that already have a variety of key management technologies in place will have to support legacy applications and databases.

"If you're a fairly new company with a greenfield implementation, you might not have the same integration requirements of a company that's been around for 100 years," she said.

Cloud-based encryption infrastructure, such as hardware security modules — secure storage for key data and operations — can help make implementation simpler and make integration with legacy technology easier.

5. Post Quantum Means Every Asymmetric Key Must Be Replaced

Finally, every company needs to consider the post-quantum future and make sure that their key infrastructure can generate quantum-safe keys. As quantum-computing technology advances, public-key encryption will need to evolve and use stronger keys generated by more modern algorithms.

"Post-quantum means every asymmetric key has to be replaced, so you need to know where they are," Reinhardt said. "And that is the big advantage of a key management system — or any sort of centralized management system. It will make finding your keys, and rotating them, much easier."