Encryption is rightly recognized as an important tool for protecting data, with its adoption increasing rapidly due to privacy regulations such as GDPR and the growing prevalence of cyber theft and extortion.
When used properly, encryption can provide almost perfect security – but there's the catch: "when used properly"!
Employing encryption can create several potential pitfalls, the most notable being the challenge of managing an ever-growing number of encryption keys. Every time you encrypt data, you need an encryption key. This key is used to encrypt and decrypt the data. An attacker cannot decrypt the data without the key. The key effectively has the same value as the data and must be protected at all costs.
We have effectively transformed one problem (protecting data) into a different problem (protecting keys). This is where "key management" comes in, i.e., protecting keys and managing their use throughout their lifetime.
Organizations that do not recognize the importance of good key management are opening themselves to a whole world of pain!
When organizations start to adopt encryption methods, it is primarily in response to immediate security concerns or compliance. As a result, they focus on quickly implementing cryptographic algorithms to secure their data without giving enough thought to something equally important, i.e., key management.
Because of the complexity of using encryption algorithms, organizations invest substantial time and resources in understanding and implementing them, leaving limited attention to other aspects, such as managing and controlling the encryption keys.
Since encryption algorithms are the primary tools for data protection, organizations believe that mastering these algorithms is sufficient to ensure data security.
Which is why key management takes second place. It is perceived as a secondary concern compared to encryption algorithms.
From One Key to Many
Organizations often start with key management basics and then transition to using multiple encryption keys. As data and systems become more complex, using a single encryption key for all data can create a single point of failure. Multiple keys can distribute the workload and minimize the risks.
Organizations can revoke specific keys without affecting other system parts if they suspect a compromise or when personnel changes occur.
Multiple encryption keys can enable more granular access control, following the principle of least privilege, ensuring compliance.
However, as the use of cryptography increases over time, organizations struggle with key management and control. As a solution, they must increase their key management maturity.
What is Key Management Maturity?
Key management maturity refers to the development, sophistication, and effectiveness of an organization's practices, policies, and procedures for managing cryptographic keys. It measures how well an organization handles its cryptographic keys throughout their lifecycle, from generation and distribution to usage, storage, and disposal.
Introducing the Key Management Maturity Model
Key management capabilities typically evolve from low to medium and eventually to high maturity. We can characterize these three maturity phases as follows:
Low Maturity: The approach is chaotic and unstructured at the low maturity level of key management capabilities. Cryptography users encrypt things independently without any formal process or oversight. They manually create and store keys on personal devices or servers without any control. This lack of organization and visibility poses a high risk of key compromise and data loss.
Medium Maturity: Moving up to the medium maturity level, the key management approach becomes somewhat more organized but still lacks cohesion. Each team or group within an organization follows its own methods for key management. They use their own hardware security modules (HSMs) or key management systems (KMS) and have their own processes for different use cases.
This fragmented approach leads to a lack of visibility, inconsistent results, and increased expenses. This approach doesn't scale well, making it challenging to manage as the organization grows. It also makes it likely to fail an audit because the organization cannot prove its control and the security of the key management infrastructure.
High Maturity: At the high maturity level, key management reaches its optimal state. The approach is centralized, meaning there is a unified system for managing keys across the organization – an "enterprise key management system" This system is scalable. It can handle key management for various current and future use cases.
Backed by highly resilient HSMs, it is efficient and automated; it minimizes the risk of human errors and streamlines operations.
The high maturity level incorporates strong policy-based controls and tracking, ensuring only authorized personnel can handle keys and perform cryptographic operations.
Mature key management is a proven approach to meeting regulatory compliance obligations. This becomes especially important in a complex hybrid or multi-cloud environment, where data may be distributed across various platforms and services.
So where does your organization sit? The following table will help you identify the maturity of your organization's key management processes:
|Low Maturity (manual, chaotic)||Medium Maturity (electronic, fragmented)||High Maturity (centralized, scalable)|
|Key generation/storage||Personal computer / server||Multiple, isolated HSM/KMS||Centralized, scalable KMS+HSM service|
|Key lifecycle management||Little or none||Varies between teams||Consistent, company-wide|
|Key access control||Originator only||RBAC per system||Single RBAC + quorum controls|
|Key policy enforcement||None||Paper-based||User-defined cryptographic policies|
|Key availability||No HA/DR||Variable by use case||Seamless HA/DR|
|Supported use cases||A handful at most||Buy/build as required||Extensive, out-of-the-box (incl. cloud)|
|API support||Little or none||Variable by use case||Standard crypto APIs + REST APIs|
|Crypto agility||Little or none||Variable by use case||Strategic readiness|
|Automation||None||Little or none||Comprehensive (e.g. plugins, Terraform)|
|Result||Little or none||High risk of compromised keys and data loss||Holistic, secure, highly-scalable, enables regulatory compliance|
Organizations typically progress from the low to medium maturity level quickly and naturally, but moving to the highest level requires a coordinated approach and typically depends upon strategic intervention by the CISO.
Unfortunately, remaining at the medium maturity level for an extended period can expose organizations to potential weaknesses and security gaps, leaving sensitive information susceptible to breaches. The inefficiency and high costs associated with this fragmented approach only compound the risks, while the inconsistency in key management practices increases the likelihood of audit failures. Such a fragmented system cannot scale adequately to meet the evolving needs of a growing organization.
Organizations must achieve high maturity in key management by implementing a centralized, scalable, and resilient system backed by HSMs. This will provide the essential foundation to protect data, address diverse use cases, and maintain compliance even in complex hybrid or multi-cloud environments.
Fortanix specializes in providing comprehensive yet easy-to-use key management systems for organizations of all sizes. Available as either on-prem or SaaS, Fortanix Data Security Manager (DSM) integrates KMS, HSM, and other data security functions into a single system that is both scalable and highly resilient.
Further recommended reading on key management: