February 19, 2019 By Mark Buckwell 3 min read

This is the second installment in a multipart series about data encryption. Be sure to read part one for the full story.

Now that we understand the common threats facing organizations and how to select the right solution for data-at-rest encryption (DaRE), what’s the next step in your data encryption journey?

Encrypting data is the relatively easy part of the solution, but securely managing keys is a major challenge. According to the National Institute of Standards and Technology (NIST), “Keys are analogous to the combination of a safe. If an adversary knows the combination, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.”

DaRE needs more than software to encrypt data, because the keys still need to be managed. Let’s dive deeper into the key management challenge, the core components needed to manage keys effectively and the open standards security teams should use in their cloud environments.

The Encryption Key Management Challenge

In DaRE solutions, symmetric encryption is used for speed, and the same key is used to encrypt and decrypt the data. The security of the system relies on the encryption key being kept secret. Most organizations now encrypt disks within a laptop. To start the decrypting process, a password must be entered manually, which is impractical for cloud environments with thousands of servers.

If the data is being decrypted after a system has started, the encryption software can use a secret key stored locally on the server, which will be in an obscured format that can be decoded. The risk here is that a privileged insider or threat actor could potentially decode the key and decrypt the data. Therefore, security teams need a way to protect their encryption keys.

Unscrambling the Encryption Solution Components

A typical cloud encryption solution has three core components: an encryption client, a key management server (KMS) and a hardware security module (HSM).

The encryption client performs the actual encryption using a data encryption key (DEK). Since it needs to be stored encrypted, the DEK itself is obscured using a key encryption key (KEK).

The KEK is obtained from a KMS, which contains many hundreds or thousands of keys in a database. Once again, the KEKs need to be encrypted using a master encryption key (MEK) because there is a risk that the KMS could be compromised. The MEK is stored in the HSM, which enables the security team to store a key in hardware that physically prevents tampering or loss of the MEK.

Creating an Open Encryption Solution

In the past, encryption solutions have been built around proprietary protocols, making integration difficult. That’s why OASIS defined a set of standards to improve interoperability between encryption and key management solutions from different vendors.

Over the past few years, vendors have increasingly adopted standard protocols for communication between the KMS and HSM, such as OASIS PKCS#11, as well as communication between the encryption client and the KSM, such as the OASIS KMIP protocol. Look for solutions that use these standards when putting together your encryption strategy.

Encryption Solutions Are Maturing

With a standard set of components that support open standards, encryption technology is gradually maturing to make implementation and encryption key management easier. In cloud environments, these components are often available in a lower-cost implementation known as bring-your-own-key (BYOK), which integrates with supported DaRE solutions. These solutions are now reaching high levels of assurance with HSMs offering FIPS 140-2 Level 4 in the cloud.

Depending on your needs, you can develop encryption solutions based on open standards from components you build and run yourself or source them as managed services from cloud providers.

More from Data Protection

Cost of a data breach: Cost savings with law enforcement involvement

3 min read - For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures and other simple metrics creates a relatively level playing field for most stakeholders, including law enforcement.IBM’s 2024 Cost of a Data Breach (“CODB”) Report helps…

Cost of data breaches: The business case for security AI and automation

3 min read - As Yogi Berra said, “It’s déjà vu all over again.” If the idea of the global average costs of data breaches rising year over year feels like more of the same, that's because it is. Data protection solutions get better, but so do threat actors. The other broken record is the underuse or misuse of technologies that can help safeguard data, such as artificial intelligence and automation.IBM’s 2024 Cost of a Data Breach (CODB) Report studied 604 organizations across 17…

Cost of a data breach: The industrial sector

2 min read - Industrial organizations recently received a report card on their performance regarding data breach costs. And there’s plenty of room for improvement.According to the 2024 IBM Cost of a Data Breach (CODB) report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.These figures place the industrial sector in third place for breach costs among the 17 industries studied. On average, data breaches cost industrial…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today