HPE tinker

Fortanix Teams with HPE and NVIDIA to Embed Confidential Computing in AI Factories

Read Press Release

Most Enterprises Are Managing Keys Wrong and Paying Millions for It

Nishank
Nishank Vaish
Dec 9, 2025
4 mins
Share this post:
proper-way-of-enterprise-key-management

Most organizations aren’t failing at encryption; they’re failing at managing keys.

When encryption keys are scattered across cloud accounts, apps, containers and legacy systems, they become much easier to lose, harder to audit, and extremely expensive to fix if and when something goes wrong.

Why do enterprises keep mishandling cryptographic keys? And what does it cost them? Here, we’ll look at what “secure enterprise keys” really mean in practice and the best ways to manage keys in today’s hybrid, multi-cloud, and fast-moving environments.

We’ll also briefly cover how upcoming post-quantum encryption standards introduce new urgency.

You’ll learn:

  • Why enterprises fail at managing keys
  • What defines secure enterprise keys, beyond encryption itself
  • Why hybrid cloud growth makes key mismanagement worse
  • How to prepare for the future impact of post-quantum cryptography
  • Simple ways to start improving key lifecycle management today

Let’s get started.

Why Are Most Enterprises Managing Keys Wrong?

The primary mistake isn’t that teams don’t encrypt data. It’s that they treat keys as afterthoughts. Keys are created and stored everywhere: in cloud KMS services, code repositories, CI/CD tooling, identity systems, Kubernetes secrets, SaaS apps, HSMs, and even developer laptops. Most organizations don’t realize how many keys they have out there or whether those keys are secure.

Organizations with consistent key management set themselves up for significant cost savings during a breach, due to faster response, fewer exposures, and better access control. Yet most teams still rush to key creation into application builds, often with default settings, short-term goals, or no lifecycle strategy at all.

The real reason key management fails? Unlike encryption algorithms, key handling is:

  • Operational, not just mathematical
  • Impacted by developer workflow shortcuts
  • Dependent on infrastructure sprawl
  • Harder to centralize as the business grows

You can deploy perfect encryption and still leave the door open if the keys behind it are weak, unmanaged, or misplaced.

What Does It Mean to Have Secure Enterprise Keys?

To fully secure enterprise keys, organizations must treat them as critical assets. They can’t be byproducts from encryption libraries. That means keys must be:

  • Generated through trusted sources (not ad-hoc code or cloud defaults)
  • Stored in hardened systems like HSMs or KMS platforms
  • Controlled with strict access policies and monitoring
  • Rotated regularly and automatically
  • Tracked across every environment where they are used
  • Retired or destroyed when no longer needed

Most enterprises lack visibility across that entire lifecycle. This is particularly true as enterprises lean into AI factories, where keys can be used to protect storage systems, Kubernetes, and AI workloads in a single platform.

The foundational point: the more systems generate and consume keys, the more centralized and secure the lifecycle must be.

Cloud and Hybrid Architectures Make Managing Keys More Complex

Hybrid cloud growth has made secure enterprise keys harder to manage. Public clouds offer strong encryption tools, but the providers don’t address the most critical question: Who owns and controls the keys?

That’s still on the enterprise.

Common mistakes in cloud key handling include:

  • Assuming cloud KMS tools are enough on their own
  • Letting different teams create cryptographic material in isolation
  • Leaving expired keys in use because rotation will break something
  • Allowing apps to “store local secrets temporarily” (which becomes permanent)

Modern applications often contain thousands of keys without a single source of truth, and the majority of cloud security failures stem from incorrect identity and key management, not attacks on the cloud itself.

In other words, breaches don’t happen because encryption breaks. It’s usually because keys are easy to find or misuse.

Why Post-Quantum Cryptography Forces Enterprises to Rethink Key Management?

Most organizations don’t yet feel the pressure of post-quantum cryptography (PQC). But they will soon, and not because algorithms fail overnight. It’s because migration will take years. Crypto transitions need to be thought of as operational challenges, not instant upgrades.

Larger PQC keys, new standards, and longer signature operations will place more demand on key lifecycle planning. Legacy HSMs, fragmented cloud keys, and unknown certificates will make migration complicated.

The biggest roadblock to PQC isn’t math. It’s the inventory.

Think about it: If an organization can’t locate all its keys, certificates, and algorithm dependencies today, it simply can’t migrate safely later. This is why the first step must be understanding what already exists.

In this vein, Fortanix Key Insight identifies where keys live and what algorithms they rely on (useful before PQC planning), while Data Security Manager (DSM) supports crypto-agility and future algorithm transitions without rewriting applications from the ground up.

Ultimately, they support cryptographic lifecycle management across multiple systems, including Kubernetes, storage and various workloads, making transitions feasible.

What Are the Best Ways to Manage Keys at an Enterprise Scale?

Every organization has a different infrastructure, but the best ways to manage keys consistently follow a predictable set of principles:

  • Centralize key generation and storage (don’t let apps make their own keys)
  • Implement strict separation between key storage and application logic
  • Use role-based and attribute-based access control for cryptographic operations
  • Rotate keys automatically and at regular intervals
  • Audit key usage through logs, discovery tools and lifecycle tracking
  • Test rotation and revocation as business-critical operations—not optional tasks
  • Ensure cloud keys and on-prem keys are governed under the same policy framework

Doing key lifecycle management correctly often requires a change in mindset. Keys aren’t “cryptographic tools.” They’re business assets with expiration dates. With this in mind, they should be treated the way you treat identity credentials, infrastructure access, or privileged passwords.

Don’t Let Key Mismanagement Hold You Down

Most companies don’t lose data because encryption fails; they lose it because they never took managing keys seriously. Keys are generated everywhere, but they’re tracked nowhere and governed inconsistently across cloud, on-prem and SaaS systems. That creates million-dollar risks that are entirely preventable.

To secure keys at enterprise scale, organizations must:

  • Treat keys as first-class security assets
  • Centralize lifecycle controls
  • Prepare now for PQC transitions
  • Invest in visibility before modernizing encryption

If your team is reevaluating how to secure enterprise keys or preparing for PQC adoption, you can request a live demo of Fortanix DSM or explore how Key Insight helps organizations discover cryptographic assets before modernizing their strategy.

2024-buyers-guide
Share this post:

Platform

Fortanix Armor

Armet AI

NEW

Key Insight

Data Security Manager

Confidential Computing Manager

Open Source Platform

Enclave Development Platform®

Solutions

Use Cases

Legacy to Cloud Infrastructure Migration

Regulatory Compliance

Post-Quantum Readiness

Secure, Data-Driven Innovation

Company

About Us

Partners

Careers

Confidential Computing

University

Blog

FAQ

Contact Us

Awards

Events

Webinars

Press

News

Services

Media Kit

Newsletters

Customers

Resources

Support

Fortanix-logo

4.6

star-ratingsgartner-logo

As of August 2025

SOCISOPCI DSS CompliantFIPSGartner Logo

US

Europe

India

Singapore

4500 Great America Parkway, Ste. 270
Santa Clara, CA 95054

+1 408-214 - 4760|info@fortanix.com

High Tech Campus 5,
5656 AE Eindhoven, The Netherlands

+31850608282

UrbanVault 460,First Floor,C S TOWERS,17th Cross Rd, 4th Sector,HSR Layout, Bengaluru,Karnataka 560102

+91 080-41749241

T30 Cecil St. #19-08 Prudential Tower,Singapore 049712