The amount of data handled by organizations is increasing, and an increasing proportion of this data is sensitive in some way. Whether it's personally identifiable information (PII) protected by GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), or other regulations, valuable intellectual property, or other confidential company data, encryption provides protection that renders the data useless if stolen by cybercriminals.
An "encryption key" must be used every time you encrypt data. So, what exactly is an encryption key? The encryption key functions similarly to a password so you can decrypt the data.
As a result, the key gains the same value as the data and must be protected accordingly. As you encrypt more data, you accumulate more encryption keys, and managing them becomes increasingly important.
Best Management Practices
Safe storage
Given the high value of encryption keys, they are an appealing target for cybercriminals, particularly when multiple keys are stored in a similar location. To store keys, it is best to practice using a Hardware Security Module (HSM), which provides strong physical and logical security protection and is validated to the NIST FIPS 140-2 security requirements for cryptographic modules.
Useful Information
Encryption keys should only be used for their deliberate intention. It's best to limit the permissions on each key so that it can only be used for that purpose. If the key must be distributed to another system, various "key block" formats bind the permissions to the key, such as ASC X9 TR-31.
Availability
However, because encryption keys are stored, they must be always available when needed; otherwise, it will be impossible to use any encrypted data. As a result, high availability is an important design consideration. Similarly, keys must be protected against accidental loss, as this will render the data permanently inaccessible; thus, secure backup is an important consideration.
Audit trails
Audit logs should be kept, with a complete history of each data encryption key's creation, usage, and deletion. Every operation should be documented, including information about the action taken, who or what took it, and when it occurred. It is essential not only for compliance audits but also for forensic investigations if a key is ever compromised. Integration with SIEM tools is beneficial for combining multiple logs and additional analysis and reporting.
Processes
To ensure that encryption key management best practices are followed, all key management operations must adhere to strict and well-defined processes. Staff should be properly trained on relevant procedures, and audits should be performed regularly to ensure proper compliance. Processes should be in position to negotiate with the results of a suspected or known compromised key.