Centralizing Data Encryption Keys With Key Management Standards

December 8, 2020

Many people already know that data encryption can help secure sensitive business data. But because organizations have adopted it so widely, IT and security teams must now manage growing numbers and types of encryption keys. Each key may belong to a different data storage device or database management system with built-in data encryption. Others may belong to apps with native encryption. Devices already siloed from one another move even further apart because of tools that don’t work well together. All of these cases make it even more difficult for teams to manage disparate encryption keys for many different data stores from a range of vendors. Disparate management can also put the enterprise’s overall security posture at risk.

The solution? A central system of encryption key management. This gives admins a cost-effective and efficient way to secure keys. Without it, admins may find it difficult to enforce consistent policies, ensure that encryption keys are managed separately from the encrypted data or address any compliance needs. 

So, how can you manage multiple encryption keys across your business? And, how can you secure them all? 

Centralize control of your data

To start on the path to proper key management, you must consider every step. Know the encryption key life cycle and document it along the way. Make sure your enterprise key management system has visibility into, and control over, all existing keys. Along with working with the tools you already use, it also needs to be flexible enough to scale and integrate new tools.

Encryption Key Management Best Practices

Several industry standards can help different data encryption systems talk to one another. These make it easier for enterprise users to manage their keys from one central location. Using an encryption key manager that supports data encryption standards can make the job of managing keys simpler, because these standards can bring together apps and storage devices that each have their own encryption.

There are several options in the market today.

Key Management Interoperability Protocol (KMIP) enables encryption solutions and data stores, including apps, databases and storage devices, to talk to one another. KMIP provides streamlined, compatible key management processes for critical key life cycle management tasks. The Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit that promotes open standards, governs this standard. Market-leading security providers and industry experts developed KMIP.

Public Key Cryptographic Standard #11 (PKCS#11) was first developed by RSA Security along with external subject matter experts. Now, OASIS maintains it. PKCS#11 is a platform-independent application programming interface (API). It is designed to connect with cryptographic devices, such as USB keys and hardware security modules, that act as security tokens and perform various functions.

Although they are not solely a key exchange standard, Representational State Transfer (REST) APIs can also help apps integrate and connect with encryption key managers. REST is an architectural style for communication between systems. It is emerging as another option to bring together different data encryption tools.

Key Management Standards

Some vendors, such as IBM or Microsoft, provide internal standards when it comes to managing keys. These apply to their respective products, but you may also extend them to third parties. For IBM, the IBM Proprietary Protocol (IPP) is very useful in this case. If your team wants to partner with only a single vendor, the first step may be to understand what tools they can spin up easily.

In conclusion, data is only as secure as the system that manages the encryption keys protecting it. With a central enterprise key management solution, you can protect sensitive enterprise data better. The easiest step along this path is to select an encryption key manager and self-encrypting technology that support popular key standards.

Cynthia Luu
IBM Security Guardium Product Marketing Manager

Cynthia is currently a product marketing manager for the IBM Security Guardium portfolio, focusing on encryption and key management solutions. She has a back...