The Business Case for Protecting the Keys to the Kingdom

The Business Case for Protecting the Keys to the Kingdom

An enterprise key management system can prevent data breaches, produce efficiency savings, simplify compliance, and enable digital transformation.

In the battle for security budget funding, enterprise key management isn’t nearly as sexy as technologies such as threat hunting or blockchain cybersecurity. Nevertheless, a key management system (KMS) is a behind-the-scenes workhorse that manages and protects the very keys that can open the kingdom. While a KMS is likely already a line item in the annual security budget, an investment to modernize a KMS to extend data security to the cloud will certainly pay dividends by reducing the risk of a data breach.

What is key management, and why is it necessary? Key management is the practice of administering the lifecycle of cryptographic keys in accordance with best practices such as those defined by the National Institute of Standards and Technology (NIST). In its “Recommendation for Key Management,” NIST states:

“The proper management of cryptographic keys is essential to the effective use of cryptography for security. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with the keys, and the protection afforded to the keys.”

The fundamental requirements of key management are to generate cryptographically strong keys, protect the keys against disclosure or alteration, and provide effective controls for managing and using keys.

What is a Key Management System?
While encryption is built into many products today, the capabilities for generating and storing keys are often rather rudimentary and generally fall short of standards such as NIST SP 800-57. Electronic key management systems are commonly used to consolidate and centralize the management of keys across the enterprise in accordance with industry standards and best practices for data security.

A central capability of any KMS is systematic management of keys over their entire lifecycle, including generation, import/export, distribution, usage, update, backup, revocation, and deletion. A KMS should also provide controls to ensure that keys can be accessed only by authorized individuals and systems and used only for their intended purposes. All key operations should be logged for audit and compliance purposes.

As a business-critical system, a KMS must ensure that keys are always available when and where required, and that they are fully protected against permanent loss (whether accidental or malicious).

The Need for and Benefits of an Enterprise KMS
Large organizations typically have many different tools and systems for managing keys across different parts of their infrastructure, both on-premise and within different public clouds. Often, this has evolved organically over time, without a single unifying strategy or technical approach. The result is inefficient and often incompatible solutions that make it difficult to apply consistent policies and controls across the organization and to complete compliance audits. Organizations may not know where all their keys are, who has access to them, what they are used for, whether they are updated regularly, or when they were last used. This is a data breach waiting to happen.

To address these issues, organizations should replace this fragmented key management ecosystem with a single, centralized KMS for the entire enterprise. There are many benefits of using an enterprise KMS, including:

Risk reduction. A KMS enhances the organization’s security posture by preventing the loss, compromise, and misuse of encryption keys.

Efficiency and cost reduction. Such a system provides many opportunities for increasing efficiency and reducing cost; for example, eliminating manual processes, and reducing the number of skilled resources required to manage keys.

Compliance. An enterprise KMS enables organizations to easily maintain and demonstrate adherence to standards, policies and regulations.

Flexibility and agility. Enterprises are adopting new ways of working, such as Continuous Integration / Continuous Delivery (CI/CD). To enable a secure-by-default DevSecOps approach, developers must be able to use cryptography easily via a REST API that supports the on-demand creation and use of keys and digital certificates.

Building the Business Case for an Enterprise KMS
The benefits of using an enterprise KMS are clear, which makes building the business case to invest in such a solution relatively straightforward.

The first step is to recognize the limitations and risks of continuing without one. Perhaps the organization has one or more old key management systems that once met the organization’s needs but are no longer adequate or effective in the face of today’s security, efficiency, compliancy, and agility demands. Consider the cost of operating and maintaining outdated systems and the risk of a data breach should a key be compromised.

The second step is to identify the main driver for change, which will depend on where the organization sees the greatest challenges:

Data breach prevention. Risk reduction if often the main justification for deploying an enterprise KMS. The business case will offset the cost of the solution against the cost of a data breach, which could result in fines, lawsuits, and extensive reputational damage. The chosen solution should have a strong underlying security architecture and meet industry standards such as FIPS 140-2.

Cost savings. More tangibly, consolidating key management can provide a significant return on investment by reducing the cost of operations -- both tools and people. The chosen solution should be flexible enough to support the existing use cases, and scale to meet future capacity demands, support new technologies, and adapt to changing business requirements.

Audit findings. Failing either internal or external compliance audits can be a strong justification for an enterprise KMS. Such a system enables standardization and enforcement of policies and controls, providing evidence in the form of an audit log. The chosen solution should provide the necessary tools to enforce the organization’s policies and provide detailed audit logs.

Cloud migration. Hybrid- and multi-cloud infrastructures require a modern, cloud-friendly enterprise KMS solution that is cloud-agnostic, supports DevOps / DevSecOps methodologies, and offers a comprehensive REST API, while still supporting legacy on-premise applications. A strong KMS solution can help accelerate the movement of workloads to the cloud.

Proper key management is a critical foundation for security and compliance. Enterprise key management is the only way to effectively and efficiently secure keys, and by extension the data they protect, while also supporting and enabling digital transformation.

An enterprise KMS should be a strategic enterprise tool that enables the organization to unlock the power of its data by securing it throughout its lifecycle. By enhancing security, eliminating inefficiency, simplifying compliance, and enabling business transformation, the ROI can be significant and rapidly cover the initial investment cost, with savings continuing to accrue over time.

Featured

  • Progressing in Capabilities

    Progressing in Capabilities

    Hazardous areas within industries like oil and gas, manufacturing, agriculture and the like, have long-sought reliable video surveillance cameras and equipment that can operate safely in these harsh and unpredictable environments. Read Now

  • A Comprehensive Nationwide Solution

    A Comprehensive Nationwide Solution

    Across the United States, manufacturing facilities, distribution centers, truck yards, parking lots and car dealerships all have a common concern. They are targets for catalytic converters. In nearly every region, cases of catalytic converter thefts have skyrocketed. Read Now

  • Planning for Your Perimeter

    Planning for Your Perimeter

    The perimeter is an organization’s first line of defense and a critical element of any security and surveillance program. Even if a building’s interior or exterior security is strong, without a solid perimeter surveillance approach any company or business is vulnerable. Read Now

  • The Key Issue

    The Key Issue

    It is February 2014. A woman is getting ready in her room on a cruise ship when she hears a knock on the door; it is a crewmember delivering breakfast. She is not presentable so she tells him to leave it by the door. Read Now

Featured Cybersecurity

New Products

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3

  • SecureAuth

    SecureAuth

    The acceleration of digital transformation initiatives as a result of COVID-19 has created a lasting impact on how businesses empower their workforce and engage customers. 3

  • PDK IO Access Control Software

    PDK.IO Access Control Software

    ProdataKey now allows for "custom fields" within the interface of its pdk.io software. Custom fields increase PDK's solutions' overall functionality by allowing administrators to include a wide range of pertinent data associated with each user. 3