Securing the Key to Microsoft’s Kingdom: Enterprise Key Management Best Practices

At the tail-end of 11th July, Tuesday, Microsoft exposed and halted an intrusion campaign [source] by a China-based hacker group — identified as “Storm-0558”—that breached an undisclosed number of email accounts linked to around 25 organizations, including at least two U.S. government agencies.

This is the second time in a little under two months that Microsoft has gone public with accusations of coordinated cyber espionage campaigns.

An obvious question here is—if hackers do not shy away from going after the flag bearers of privacy and security, such as Microsoft, what makes you think they won’t go after your business?

The question further leads to the discussion: are you making the same security mistakes as Microsoft?

Keys Lost, Vulnerability Found

What makes the Microsoft breach unique is how the attackers used a cryptographic key to generate their authentication tokens. They stole a key that Microsoft cloud services use to sign tokens for consumer-grade users. The group then exploited a bug in their token validation system to sign the tokens with the stolen key—allowing them to access enterprise-grade systems without being detected.

Can such incidents be avoided? The answer is, yes—with some basic enterprise key management best practices.

Enterprise Key Management: Top Five Best Practices

According to a recent report [source], the need to take control of data security and not rely entirely upon cloud providers is taking hold among many enterprises—and we couldn’t agree more. Enterprise key managers are emerging as an imperative for businesses to strengthen their control over cloud and SaaS data. “My data, my encryption key” is the mantra.

To that end, if your organization is contemplating deploying an enterprise key manager, let’s look at the top five enterprise key management best practices:

1. Centralization of key management system (KMS)

Most encryption solutions come with their own vendor/product-specific proprietary key management system— where each key may belong to a different data storage device. Others may belong to apps with native encryption. This leads to a setup where devices that are already siloed from one another drift further apart due to tools that don’t stitch together.

Such ecosystems require extensive and often manual efforts to deliver vital key management activities essential for uninterrupted data availability, obligatory reporting & auditing functionality, and business continuity.

A centralized KMS provides a single pane of glass for components, protocols, standards, implementation choices, policies, and support for all key management functionalities—facilitating lower TCO while enhancing its security controls and its overall security posture and policy governance. Users get:

• Unified monitoring and management of key lifecycle
• Centralized logging and reporting.
• High availability and rapid scalability
• Direct system administration and role-based user access control
• Directory services and identity management infrastructure integration

2. Nothing less than FIPS 140-2 Level 3 grade security for Key storage

Almost 60% of total malware attacks in 2022 were sent using encrypted traffic [source]. Since cybercriminals frequently seek encryption keys, implementing a hardware security module (HSM) to store these keys securely is an absolute no-brainer.

An HSM, is a dedicated, standards-compliant cryptographic device designed to protect sensitive data in transit, at rest and in use by leveraging physical security measures, logical security controls, and strong encryption.

HSMs generate and store the cryptographic keys in a secure cryptographic appliance—a more secure methodology than relying solely on software. Upon receiving information from a trusted connection, an HSM lets safe and quick encryption or decryption of that data using the appropriate key—keeping the data confidentiality and integrity intact.

FIPS 140-2 is the standard used by the United States government to validate that cryptographic modules and solutions produced by private sector companies meet the NIST standards and adhere to the Federal Information Security Management Act of 2002 (FISMA).

For a cryptographic module to meet Level 3 of the FIPS 140-2 standards, it must be tested and meet FIPS 140-2 standards on four levels.

• Intrusion Prevention
• Identity-Based Authentication
• Physical or Logical Separation
• Operating System Requirements

FIPS compliance is also recognized around the world as one of the best ways to ensure cryptographic modules are secure.

3. Robust API driven Integrations

Most organizations leverage multiple clouds, tools, and data services. To interwind the features and capabilities of these tools, the encryption mechanism you deploy must be compatible to work with them.

But can you count on third-party connectors for such intricate integrations? Will they understand your systems well enough? And most importantly, can you trust them with your data?

What you need from your Key Management platform are native integrations—a mode of integrating platforms through APIs. APIs are vital as they facilitate communication between different software systems, enabling them to work together seamlessly. This way, users can benefit from all their systems working in unison, irrespective of how many tools they are using.

4. Keep keys away from encrypted data

As cloud computing advances, so does the importance of regional regulatory requirements in cloud migration and workload management in public cloud environments.

Consider a scenario where an organization wants to use a cloud-based storage in a different country but is not willing to have the cloud service provider (CSP) access to encryption keys for all their stored data.

Or the banking sector, for instance, requires having the keys for each country-specific data set in the respective country under the control of that country's citizens.

Apart from a regulatory and privacy standpoint, keeping encrypted data alongside the key makes your data more susceptible, wherein a hacker can take control of your entire data with a single attack.

Remember the Capital One breach? In 2019, a former AWS employee downloaded more than 100 million Capital One credit card customer records stored on AWS—through encryption keys she found on the AWS server.

Strong encryption failed by poor security controls.

5. Clear understanding of the encryption key lifecycle

Hackers don’t break encryption; they find the keys. Even the most effective keys are not meant to last forever. Encryption algorithms may eventually weaken, posing a higher risk of security compromise.

Effective encryption key management involves comprehending the various stages of key lifecycle management and determining the appropriate frequency of key rotation. It is essential to understand these phases to implement proper encryption key management.

During the rotation process, it is crucial to ensure that a new algorithm is fully prepared before retiring an old algorithm. Third-party encryption key management providers often include secure rotation services to ensure data isn’t exposed during the rotation process. Third-party encryption key management providers often offer secure rotation services to guarantee the protection of data during the rotation process—preventing any potential exposure of data during the key rotation phase.

How to Get Started

Fortunately, you don't have to reinvent the wheel when it comes to enterprise key management. Fortanix is designed to keep cryptographic keys safe even in some of the most vulnerable situations.

The Fortanix solution seamlessly integrates with hybrid and multicloud key management services to enable organizations to centrally manage the lifecycle of all keys from a single interface—whether these keys are used on-premises or in the cloud.

Encryption keys are always under organizations' control and can be stored on highly secure, FIPS 140-2 level 3-certified HSMs. This multicloud SaaS key management solution offers Bring Your Own Key (BYOK) and Bring Your Own Key Management Service (BYOKMS), allowing organizations to segregate their keys from the data.

To learn more about our industry-leading enterprise key management solution, you can speak to our experts, or take a free trial.