Data Encryption: Simplifying Enterprise Key Management

December 8, 2020
| |
3 min read

Data encryption can help prevent malicious users and rogue processes from taking control of sensitive data. According to the 2020 Cost of a Data Breach report, the use of encryption is a top factor in reducing that cost. But, encrypted data is only as safe as the encryption keys.

The IT or security teams must carefully manage encryption keys throughout the keys’ life cycles. This includes generating, deploying, storing, archiving and deleting keys and rotating, replicating and backing them up. In order to minimize any mismanagement, consider every facet of data encryption — from the encryption method to administration.

More on customer-owned encryption and key management

Data Encryption Includes Key Management

Organizations are embracing cloud services on top of expanding use of data encryption. Because of this, the number of encryption keys is growing. In order to stay on top of key management and reduce the risk of third-party access to keys due to cloud service adoption, you’ll need an enterprise encryption key management strategy. In order to create a streamlined plan, consider the following:

Simplify Key Management With a Single Vendor

In IDC’s 2020 Data Security Survey, respondents say they struggle to manage multiple key management solutions. Sometimes, organizations can simplify their key management by consolidating the number of vendors they use. While it may be difficult to both minimize the number of products and address all key data security use cases, using multiple solutions from the same vendor can at least simplify the process and provide some consistency.

How Multiple Data Encryption Products Can Talk Securely

A single product to rule them all may not exist, but an encryption key manager that supports interoperability protocols is the next best thing. Many devices and applications come with their own native encryption capabilities and local key management. These self-encrypting solutions often support key exchange standards such as the Key Management Interoperability Protocol (KMIP). KMIP key management can help centrally manage data encryption keys from different encryption technologies.

Formerly, a bunch of self-encrypting storage solutions would save their encryption keys in USB drives. That would leave them at risk for being lost or mismanaged. Instead, with key exchange standards you can transfer these keys to a centralized key manager for secure management.

The more you can consolidate, the better, as long as it’s secure. An encryption key manager that supports multiple key exchange standards is better positioned to integrate and communicate with a larger number of third-party key managers. Along with KMIP, Representational State Transfer or REST-based key exchange is another option for consolidating encryption keys within a single key manager.

Hands-Off: Configured Rules and Policies

A key manager capable of automating encryption key life cycle management would ultimately minimize the amount of time the IT and security employees need to get involved. After the initial configuration and beyond typical check-ins and maintenance, the ideal encryption key manager would be low-touch.

This means the key manager should execute critical tasks such as key rotation automatically according to a predefined schedule. The acceptance of encryption-enabled devices can also be automated, so that administrators do not have to manually add devices unless required by internal standards to do so. For entities deploying encryption with multiple data centers across the world, key synchronization can be automated so that keys can always be up-to-date and available.

How to Simplify A Complex Problem

Organizations are looking to protect a growing amount of sensitive data on-premises and in the cloud. Many have chosen to implement data encryption at various layers — in hardware, on files and in applications. This can result in encryption silos with inconsistent approaches to managing encryption keys. A formal key management process is a necessary challenge that can make a big difference.

When planning an enterprise key management strategy, look for a key manager that centralizes, simplifies and automates key lifecycle processes from initialization and activation through rotation and deletion. This should help reduce management overhead and help maintain control over your keys and your data encryption.

Learn about Guardium Key Lifecycle Manager
Cynthia Luu
IBM Security Guardium Product Marketing Manager

Cynthia is currently a product marketing manager for the IBM Security Guardium portfolio, focusing on encryption and key management solutions. She has a back...
read more