The Business Case for Protecting the Keys to the Kingdom

The Business Case for Protecting the Keys to the Kingdom

An enterprise key management system can prevent data breaches, produce efficiency savings, simplify compliance, and enable digital transformation.

In the battle for security budget funding, enterprise key management isn’t nearly as sexy as technologies such as threat hunting or blockchain cybersecurity. Nevertheless, a key management system (KMS) is a behind-the-scenes workhorse that manages and protects the very keys that can open the kingdom. While a KMS is likely already a line item in the annual security budget, an investment to modernize a KMS to extend data security to the cloud will certainly pay dividends by reducing the risk of a data breach.

What is key management, and why is it necessary? Key management is the practice of administering the lifecycle of cryptographic keys in accordance with best practices such as those defined by the National Institute of Standards and Technology (NIST). In its “Recommendation for Key Management,” NIST states:

“The proper management of cryptographic keys is essential to the effective use of cryptography for security. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with the keys, and the protection afforded to the keys.”

The fundamental requirements of key management are to generate cryptographically strong keys, protect the keys against disclosure or alteration, and provide effective controls for managing and using keys.

What is a Key Management System?
While encryption is built into many products today, the capabilities for generating and storing keys are often rather rudimentary and generally fall short of standards such as NIST SP 800-57. Electronic key management systems are commonly used to consolidate and centralize the management of keys across the enterprise in accordance with industry standards and best practices for data security.

A central capability of any KMS is systematic management of keys over their entire lifecycle, including generation, import/export, distribution, usage, update, backup, revocation, and deletion. A KMS should also provide controls to ensure that keys can be accessed only by authorized individuals and systems and used only for their intended purposes. All key operations should be logged for audit and compliance purposes.

As a business-critical system, a KMS must ensure that keys are always available when and where required, and that they are fully protected against permanent loss (whether accidental or malicious).

The Need for and Benefits of an Enterprise KMS
Large organizations typically have many different tools and systems for managing keys across different parts of their infrastructure, both on-premise and within different public clouds. Often, this has evolved organically over time, without a single unifying strategy or technical approach. The result is inefficient and often incompatible solutions that make it difficult to apply consistent policies and controls across the organization and to complete compliance audits. Organizations may not know where all their keys are, who has access to them, what they are used for, whether they are updated regularly, or when they were last used. This is a data breach waiting to happen.

To address these issues, organizations should replace this fragmented key management ecosystem with a single, centralized KMS for the entire enterprise. There are many benefits of using an enterprise KMS, including:

Risk reduction. A KMS enhances the organization’s security posture by preventing the loss, compromise, and misuse of encryption keys.

Efficiency and cost reduction. Such a system provides many opportunities for increasing efficiency and reducing cost; for example, eliminating manual processes, and reducing the number of skilled resources required to manage keys.

Compliance. An enterprise KMS enables organizations to easily maintain and demonstrate adherence to standards, policies and regulations.

Flexibility and agility. Enterprises are adopting new ways of working, such as Continuous Integration / Continuous Delivery (CI/CD). To enable a secure-by-default DevSecOps approach, developers must be able to use cryptography easily via a REST API that supports the on-demand creation and use of keys and digital certificates.

Building the Business Case for an Enterprise KMS
The benefits of using an enterprise KMS are clear, which makes building the business case to invest in such a solution relatively straightforward.

The first step is to recognize the limitations and risks of continuing without one. Perhaps the organization has one or more old key management systems that once met the organization’s needs but are no longer adequate or effective in the face of today’s security, efficiency, compliancy, and agility demands. Consider the cost of operating and maintaining outdated systems and the risk of a data breach should a key be compromised.

The second step is to identify the main driver for change, which will depend on where the organization sees the greatest challenges:

Data breach prevention. Risk reduction if often the main justification for deploying an enterprise KMS. The business case will offset the cost of the solution against the cost of a data breach, which could result in fines, lawsuits, and extensive reputational damage. The chosen solution should have a strong underlying security architecture and meet industry standards such as FIPS 140-2.

Cost savings. More tangibly, consolidating key management can provide a significant return on investment by reducing the cost of operations -- both tools and people. The chosen solution should be flexible enough to support the existing use cases, and scale to meet future capacity demands, support new technologies, and adapt to changing business requirements.

Audit findings. Failing either internal or external compliance audits can be a strong justification for an enterprise KMS. Such a system enables standardization and enforcement of policies and controls, providing evidence in the form of an audit log. The chosen solution should provide the necessary tools to enforce the organization’s policies and provide detailed audit logs.

Cloud migration. Hybrid- and multi-cloud infrastructures require a modern, cloud-friendly enterprise KMS solution that is cloud-agnostic, supports DevOps / DevSecOps methodologies, and offers a comprehensive REST API, while still supporting legacy on-premise applications. A strong KMS solution can help accelerate the movement of workloads to the cloud.

Proper key management is a critical foundation for security and compliance. Enterprise key management is the only way to effectively and efficiently secure keys, and by extension the data they protect, while also supporting and enabling digital transformation.

An enterprise KMS should be a strategic enterprise tool that enables the organization to unlock the power of its data by securing it throughout its lifecycle. By enhancing security, eliminating inefficiency, simplifying compliance, and enabling business transformation, the ROI can be significant and rapidly cover the initial investment cost, with savings continuing to accrue over time.

Featured

  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

Webinars

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3