The Importance of Cryptographic Key Management & Cryptographic Audit
After all, whoever controls the keys, controls the kingdom.
Most experts agree that encryption is the cornerstone of security, and helps you achieve a higher level of resilience against data misuse, theft or breach.
Encryption has actually been around for millennia. Historically, encrypted data was stored on servers which was kept on premises andover which the company had direct control. Back in the day, it was enough to protect your perimeter by means of logical and physical countermeasures.
However, as more and more organizations move data to the cloud, encryption becomes a bit more complicated. Despite the fact that the cloud has many benefits, both economically and operationally, data security remains a top concern in cloud adoption. A primary question organizations continue to ask is, “how can I trust that my data is safe while it resides in someone else’s infrastructure?” For many security professionals, one of the challenges that arises with cloud computing is that they are faced with somehow protecting resources that, to varying degrees, they no longer have control over and for which traditional security controls ineffective. Another complicating factor is that most organizations will not move all, or even most of their data to the cloud, resulting in a hybrid-cloud situation.
At the end of the day, organizations want to:
· “Enjoy” the flexibility & scalability of the cloud
· Also keep their data secure, especially if they are storing other people’s sensitive data — If your customers don’t trust you to keep their information safe and secure, they won’t do business with you.
· Use technologies that both comply with regulatory requirements and support unique workflows and business requirements
How can organizations achieve all of these seemingly competing goals?
The answer lies in encryption, or more specifically key management. How your organization handles encryption keys, revokes or rotates them when needed, etc. is critical, since whoever controls the keys literally owns the data. History has given us plenty of examples of how either weak cryptography or bad key management can be worse than having no encryption in the first place, since it provides a false sense of security.
To design and implement strong key management practices, the first step is actually a cryptographic audit which identifies every system within your organization where cryptography is used, what algorithms are in place, whether their certifications are current, and where cryptographic keys are stored. A complete cryptographic audit of your systems must be done to find old, weak, vulnerable, or hard-coded cryptography that lurks in dark corners of your systems. Taking the time to verify that the cryptography you are using is being used correctly is also essential.
So let’s backtrack. As organizations move their data among different sites, on-prem, in the public/private cloud and other virtualized environments, the challenge to protect data via encryption is compounded by the thousands of keys that need to be managed at any given moment. Therefore, organizations must know what is going on in their cryptographic arsenal in order to manage it properly. And that’s where cryptographic audit is crucial.
Historically, organizations treated encryption as a tick box that needs to be checked, but with a seemingly endless parade of data breaches and increasing regulatory requirements — for organizations collecting, processing and storing massive amounts of sensitive data, management of the cryptographic lifecycle should be more than an afterthought but rather the foundation of their security architecture. After all, whoever controls the keys, controls the kingdom.