
Pragmatic Key Management for Data Encryption

Version 1.0

Released: September 13, 2012

Securosis, L.L.C. http://securosis.com

Author’s Note

The content in this report was developed independently of any sponsors. It is based on material originally posted on the Securosis blog but has been enhanced and professionally edited.

Special thanks to Chris Pepper for editing and content support.

Licensed by Thales e-Security

Thales e-Security is a leading global provider of data protection solutions – delivering high assurance data encryption and key management solutions to the financial services, manufacturing, government, retail, healthcare, and technology sectors. The company has a 40-year track record of protecting sensitive corporate and government information across a wide range of technology areas including PKI, credential management, payment processing, network encryption, and many more. Thales e-Security solutions reduce the cost and complexity associated with the use of cryptography in today’s traditional, virtualized, and cloud-based infrastructures, helping organizations reduce risk, demonstrate compliance, enhance agility, and pursue strategic goals with greater confidence. The company is represented in over 90 countries around the world. For more information, visit www.thales-esecurity.com.

Copyright

This report is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 license.
http://creativecommons.org/licenses/by-nc-nd/3.0/us/

Table of Contents

Introduction 2
  The historic pain of key management
  Why key management isn’t as hard as you think it is
  The new business drivers for encryption and key management
  Key management isn’t just about data encryption (but that’s our focus here)
Understanding Data Encryption Systems 5
  The three components of a data encryption system
  Building a data encryption system
The Four Key Management Strategies 8
  The differences between key management and encryption operations
  Local key management
  Application stack key management
  Silo key management
  Enterprise key management
Choosing Your Key Management Strategy 12
Who We Are 15
  About the Author
  About Securosis

Introduction

Few terms strike as much dread in the hearts of security professionals as key management. Those two simple words evoke painful memories of massive PKI failures, with millions spent to send encrypted email to the person in the adjacent cube. Or perhaps it recalls the head-splitting migraine you got when assigned to reconcile incompatible proprietary implementations of a single encryption standard. Or memories of half-baked product implementations that worked fine in isolation on a single system, but were effectively impossible to manage at scale. And by scale, I mean “more than one”.

Over the years key management has mostly been a difficult and complex process. This has been aggravated by the recent resurgence in data encryption – driven by regulatory compliance, cloud computing, mobility, and fundamental security needs.

Fortunately, encryption today is not the encryption of yesteryear. New techniques and tools remove much of the historical pain of key management – while also supporting new and innovative uses.

We also see a change in how organizations approach key management – a move toward practical and lightweight solutions.

In this paper we will explore the latest approaches for pragmatic key management. We will start with the fundamentals of crypto systems rather than encryption algorithms, what they mean for enterprise deployment, and how to select a strategy that suits your particular project requirements.

The historic pain of key management

Technically there is no reason key management needs to be as hard as it has been. A key is little more than a blob of text to store and exchange as needed. The problem is that everyone implements their own methods of storing, using, and exchanging keys. No two systems worked exactly alike, and many encryption implementations and products didn’t include the features needed to use encryption in the real world – and still don’t.

Many products with encryption features supported only their own proprietary key management – which often failed to meet enterprise requirements in key management lifecycle areas such as key generation, rotation, storage, backup, and destruction, or important security and compliance needs like separation of duties and reporting. Encryption is featured in many different types of products, but developers who plug an encryption library into an existing tool have (historically) rarely had enough experience in key management to produce refined, easy-to-use, and effective systems.

On the other hand, some security professionals remember early failed PKI deployments that cost millions and provided little value. This was at the opposite end of the spectrum – key management deployed for its own sake, without thought given to how the keys and certificates would be used or even what they would be protecting.


Why key management isn’t as hard as you think it is

As with most technologies, key management has advanced significantly since those days. Current tools and strategies offer a spectrum of possibilities, all far better standardized and with much more robust management capabilities.
We no longer have to deploy key management with an all-or-nothing approach, either relying completely on local management or on an enterprise-wide deployment. Increased standardization (potentially powered in part by KMIP, the Key Management Interoperability Protocol) and improved, enterprise-class key management tools make it much easier to fit deployments to requirements.

Products that implement data encryption now tend to include better management features, with increased support for external key management systems when those features are insufficient. We now have smoother migration paths which support a much broader range of scenarios.

I am not saying life is now perfect. There are plenty of products that still rely on poorly implemented key management and don’t support standards or other ways of integrating with external key managers, but fortunately they are slowly dying off or being fixed due to constant customer pressure. Additionally, dedicated key managers often support a range of non-standards-based integration options for those laggards.

It isn’t always great, but it is much easier to manage keys now than even a few years ago.

The new business drivers for encryption and key management

These advances are driven by increasing customer use of, and demand for, data encryption. We can trace this back to 3 primary drivers:

–  –  –

More enforcement of more regulations, increasing use of outsiders to manage our data, and increasing awareness of data loss problems are all combining to produce the greatest growth the encryption market has seen in a long time.

Key management isn’t just about data encryption (but that’s our focus here)

Before we delve into how to manage keys, it is important to remember that cryptographic keys are used for more than just encryption, and that there are many different kinds of encryption.

–  –  –

Our focus in this report is on data encryption – not digital signing, authentication, identity verification, or other crypto operations (although many of these issues apply to any implementation of key management). We will not spend much time on digital certificates, certificate authorities, or other signature-based operations. Instead we will focus on data encryption, which is only one area of cryptography.

Much of what we see is as much a philosophical change as improvement in particular tools or techniques. I have long been bothered by people’s tendency to either indulge in encryption idealism at one end, or dive into low-level details that don’t practically affect security at the other end – both reinforced by our field’s long-running ties to cryptography. But with the new pressures to encrypt more information in more places (while keeping auditors happy), we are finally seeing much more focus on pragmatic implementation.

Next we will cover the major components of an encryption system, and how they affect key management options. We will follow up with the four major key management strategies, and suggestions for how to pick the right one for your requirements.

–  –  –

Understanding Data Encryption Systems

One of the common problems in working with encryption is getting caught up with the intimate details of things like encryption algorithms, key lengths, cipher modes, and other minutiae. Not that these details aren’t important – depending on what you’re doing they might be critical – but in the larger scheme of things these aren’t the aspects most likely to trip up your implementation. Before we get into different key management strategies, let’s take a moment to look at crypto systems at the macro level. We will stick to data encryption for this paper, but these principles apply to other types of cryptosystems as well.

The three components of a data encryption system

Three major components define the overall structure of an encryption system:

–  –  –

In a basic encryption system all three components are likely located on the same system. Take personal full disk encryption (the default you might use on your home Windows PC or Mac) – the encryption key, data, and engine are all kept and run on the same hardware. Lose that hardware and you lose the key and data – and the engine, but that isn’t normally relevant.

But once we get into SMB and the enterprise we tend to split out the components for security, management, reliability, and compliance.

Building a data encryption system

Where you place these components defines the structure, security, and manageability of your encryption system. Here are a few common examples:

Full Disk Encryption

Our full disk encryption example above isn’t the sort of approach you would want to take for an organization of any size greater than 1. All major FDE systems do a good job of protecting the key if the device is lost, so we aren’t worried about security too much from that perspective, but managing the key on the local system means the system is much less manageable and reliable than if all the FDE keys are stored together.

Enterprise-class FDE manages the keys centrally – even if they are also stored locally – to enable a host of more advanced functions, including better recovery options, audit and compliance, and the ability to manage hundreds of thousands of systems.

Database encryption

Let’s consider another example: database encryption. By default, all database management systems (DBMS) that support encryption do so with the data, the key, and the encryption engine all within the DBMS. But you can mix and match those components to satisfy different requirements.

The most common alternative is to pull the key out of the DBMS and store it in an external key manager or HSM (Hardware Security Module). This can protect the key from compromise of the DBMS itself, and increases separation of duties and security. It also reduces the likelihood of lost keys and enables extensive management capabilities – including easier key rotation, expiration, and auditing.

But the key could be exposed to someone on the DBMS host itself because it must be stored in memory before it can be used to encrypt or decrypt. One way to protect against this is to pull both the encryption engine and key out of the DBMS. This could be handled through an external proxy, but more often custom code is developed to send the data to an external encryption server or appliance. Of course this adds complexity and latency.
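The second arrangement described above, with both key and engine pulled out of the DBMS so the host exchanges only data with an external service and never holds the key in its own memory, as an added example that is not from the Securosis paper or from any product it mentions. It goes a little beyond the paragraph to show the lifecycle points raised elsewhere in the paper (rotation, expiration/destruction, auditing) working across key versions. Everything here is constructed for illustration: the in-process KeyManager standing in for an external key manager or HSM, the caller name "dbms-host", the sample row, the 4-byte version header, and the audit list; AES-256-GCM is this example’s choice of engine, not anything the paper specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KeyManager stands in for the external key manager or HSM of the text: the only
// component that holds keys. Versioning lets rotation add a key without breaking old rows.
type KeyManager struct {
	keys    map[uint32]cipher.AEAD // engine primed with each key version
	current uint32                 // version used for new writes
	Audit   []string               // which version was used, by whom, for what
}

func NewKeyManager() (*KeyManager, error) {
	km := &KeyManager{keys: map[uint32]cipher.AEAD{}}
	return km, km.Rotate()
}

// Rotate generates a fresh AES-256 key, primes a GCM engine with it, and makes it
// current for new writes; earlier versions stay readable until retired.
func (km *KeyManager) Rotate() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	km.current++
	km.keys[km.current] = gcm
	km.Audit = append(km.Audit, fmt.Sprintf("rotate: v%d is current", km.current))
	return nil
}

// Retire destroys a key version; rows written under it become unreadable.
func (km *KeyManager) Retire(v uint32) {
	delete(km.keys, v)
	km.Audit = append(km.Audit, fmt.Sprintf("retire: v%d destroyed", v))
}

// Encrypt and Decrypt run the engine inside the key manager, so the DBMS host
// exchanges only data with it and never holds key material in its own memory.
func (km *KeyManager) Encrypt(plaintext []byte, caller string) ([]byte, error) {
	km.Audit = append(km.Audit, fmt.Sprintf("encrypt: v%d for %s", km.current, caller))
	return Seal(km.keys[km.current], km.current, plaintext)
}

func (km *KeyManager) Decrypt(blob []byte, caller string) ([]byte, error) {
	if len(blob) < 4 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	v := binary.BigEndian.Uint32(blob[:4])
	gcm, ok := km.keys[v]
	if !ok {
		return nil, fmt.Errorf("key v%d unknown or retired", v)
	}
	km.Audit = append(km.Audit, fmt.Sprintf("decrypt: v%d for %s", v, caller))
	return Open(gcm, blob)
}

// Seal is the engine step: AES-GCM, random nonce, and a 4-byte key version header
// authenticated as associated data, so a reader knows which version to ask for.
func Seal(gcm cipher.AEAD, version uint32, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, version)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append(hdr, nonce...), nonce, plaintext, hdr), nil
}

// Open reverses Seal; any change to header, nonce or ciphertext fails the tag check.
func Open(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(blob) < 4+ns+gcm.Overhead() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[4:4+ns], blob[4+ns:], blob[:4])
}

func main() {
	km, _ := NewKeyManager()
	row, _ := km.Encrypt([]byte("ssn=000-00-0000 (constructed sample)"), "dbms-host")
	_ = km.Rotate() // new writes use v2; the old row still decrypts under v1
	pt, err := km.Decrypt(row, "dbms-host")
	fmt.Printf("after rotation: %q %v\n", pt, err)
	km.Retire(1) // v1 destroyed: the old row is now unrecoverable
	_, err = km.Decrypt(row, "dbms-host")
	fmt.Println("after retire:", err, km.Audit)
}
```

The DBMS side of this design is deliberately thin: it stores the blobs the service returns and sends them back when it needs the plaintext, which is exactly the latency and complexity cost the paragraph mentions. The version header is what makes rotation practical, since each row records which key it needs rather than forcing a re-encryption of the whole table when the current key changes; retiring a version is therefore also a deliberate act of data destruction for anything still written under it.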

–  –  –

Backup and storage encryption

Many backup systems today include some sort of an encryption option, but the implementations typically offer only the most basic key management. Backing up in one location and restoring in another may be a difficult prospect if the key is stored only in the backup system.

–  –  –
