The stratospheric rise in the number of global cybersecurity attacks cast a floodlight on the critical need to follow best practices with encryption and security in general. Adopting an inside-out mindset is one thing; putting it into practice is another.
To assist, the team at Cryptomathic has compiled a list of five key pointers to better cryptographic key management to help organizations jumpstart the journey.
Tips for Better Cryptographic Key Management
1. Start with really good keys — and an inventory scan. Without a doubt, the most important thing you can do is make sure that your organization is using high-quality keys. If you don't use good keys, what's the point? You're building a house of cards.
Creating good keys requires knowing where the keys come from and how they were generated. Did you create them on your laptop or with a pocket calculator, or did you use a purpose-built tool designed specifically for the job? Do they have enough entropy? From generation, to usage, to storage, the keys should never leave the secure boundaries of a hardware security module (HSM) or a similar device.
Chances are, your organization is already using keys and certificates — do you know where they reside? Who has access to them and why? Where are they stored? How are they managed? Create an inventory of what you have and then start to prioritize the clean-up and centralization life cycle management for those keys, certificates, and secrets.
2. Analyze your entire risk profile across your whole environment. You can create the most brilliant, thorough, and comprehensive cybersecurity strategy, but ultimately, it will only be successful if everyone in your organization buys in and complies with it. That's why it's important to develop a risk management strategy with input from representatives from across the business. Include compliance and risk people from the beginning to keep the process honest. For the security processes and protocols to be meaningful, they must include everyone from IT people to the business units who bring use cases and can go back and explain to their peers why the security steps are necessary.
3. Make compliance an outcome, not the ultimate objective. This might sound counterintuitive, but hear me out. Even though compliance is incredibly important, there's an inherent risk to using regulatory compliance as the sole driver of your strategy. When systems are designed to simply tick the boxes on a regulatory checklist, organizations miss the broader, more important point: to design and build for better security.
Instead, use regulations and security standards as a guideline for the minimum set of requirements and then make sure that your efforts actually address your security and business needs going forward. Don't let compliance be a distraction from the real objective.
4. Balance security with usability. How does security affect usability? Have you created a system that's so secure that it's impractical for most users? It's imperative to find a balance between security and the user experience, and to make sure that the security processes don't hinder people from actually doing their work. For example, multifactor authentication can be a great way to make access more secure, but if it's not implemented correctly, it can cause workflows to break down and efficiency to take a nosedive.
5. Be a specialist … that knows when to call an expert. Key management is serious business and should be treated as such. Someone in your organization should become really proficient at understanding the tools and technology to establish good key management practices at the core of everything your organization does.
At the same time, it's equally important to recognize when you need expert support, like when your organization has too many keys to manage. The National Institute for Standards and Technology (NIST) publishes a huge document that lays out recommendations for everything that should and shouldn't be done to establish good key management practices. Cryptography professionals deep-dive into these recommendations to make sure that the cryptographic tools and key management solutions offered meet these standards. That way, when your organization needs additional support for the key management process, you'll have the framework to evaluate the options and find the expertise you need to secure your assets effectively.