This is the second installment in a multipart series about data encryption. Be sure to read part one for the full story.
Now that we understand the common threats facing organizations and how to select the right solution for data-at-rest encryption (DaRE), what’s the next step in your data encryption journey?
Encrypting data is the relatively easy part of the solution, but securely managing keys is a major challenge. According to the National Institute of Standards and Technology (NIST), “Keys are analogous to the combination of a safe. If an adversary knows the combination, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.”
DaRE needs more than software to encrypt data, because the keys still need to be managed. Let’s dive deeper into the key management challenge, the core components needed to manage keys effectively and the open standards security teams should use in their cloud environments.
The Encryption Key Management Challenge
In DaRE solutions, symmetric encryption is used for speed, and the same key is used to encrypt and decrypt the data. The security of the system relies on the encryption key being kept secret. Most organizations now encrypt disks within a laptop. To start the decrypting process, a password must be entered manually, which is impractical for cloud environments with thousands of servers.
If the data is being decrypted after a system has started, the encryption software can use a secret key stored locally on the server, which will be in an obscured format that can be decoded. The risk here is that a privileged insider or threat actor could potentially decode the key and decrypt the data. Therefore, security teams need a way to protect their encryption keys.
Unscrambling the Encryption Solution Components
A typical cloud encryption solution has three core components: an encryption client, a key management server (KMS) and a hardware security module (HSM).
The encryption client performs the actual encryption using a data encryption key (DEK). Since it needs to be stored encrypted, the DEK itself is obscured using a key encryption key (KEK).
The KEK is obtained from a KMS, which contains many hundreds or thousands of keys in a database. Once again, the KEKs need to be encrypted using a master encryption key (MEK) because there is a risk that the KMS could be compromised. The MEK is stored in the HSM, which enables the security team to store a key in hardware that physically prevents tampering or loss of the MEK.
Creating an Open Encryption Solution
In the past, encryption solutions have been built around proprietary protocols, making integration difficult. That’s why OASIS defined a set of standards to improve interoperability between encryption and key management solutions from different vendors.
Over the past few years, vendors have increasingly adopted standard protocols for communication between the KMS and HSM, such as OASIS PKCS#11, as well as communication between the encryption client and the KSM, such as the OASIS KMIP protocol. Look for solutions that use these standards when putting together your encryption strategy.
Encryption Solutions Are Maturing
With a standard set of components that support open standards, encryption technology is gradually maturing to make implementation and encryption key management easier. In cloud environments, these components are often available in a lower-cost implementation known as bring-your-own-key (BYOK), which integrates with supported DaRE solutions. These solutions are now reaching high levels of assurance with HSMs offering FIPS 140-2 Level 4 in the cloud.
Depending on your needs, you can develop encryption solutions based on open standards from components you build and run yourself or source them as managed services from cloud providers.