Between new initiatives like cloud computing, and new mandates due to the continuous onslaught of compliance, managing encryption keys is moving from something only big banks worried about to something popping up among organizations of all sizes and shapes. Whether it is to protect customer data in a new web application or to ensure that a lost backup tape doesn’t force you to file a breach report, more and more organizations are encrypting more data in more places than ever before. And tying all of this together is the ever-present shadow of managing all those keys.

In our Pragmatic Key Management for Data Encryption paper we highlighted some of the sins of the past that made key management painful, but showed how new strategies and tools can cut through those roadblocks to make key management a much more (for lack of a better word) manageable process. In the paper we identified four strategies for data encryption key management:

  • Manage keys locally.
  • Manage keys within a single application stack with a built-in key management feature.
  • Manage keys for a silo using an external key management service/server/appliance, separate from the data and application stacks.
  • Coordinate management of most or all keys across the enterprise with a centralized key management tool.

We called these local, application stack, silo, and enterprise key management.

Of those four strategies, the last two introduce a dedicated tool for key management. This series (and the eventual paper) will dig in to explain the major features and functions of a key manager, what to look for, and how to pick one that best fits your needs.

  • *Why use a key manager?**

Data encryption can be a tricky problem, especially at scale. Actually, all cryptographic operations can be tricky, but to keep our focus we will limit ourselves to encrypting data rather than digital signing, certificate management, and other uses of cryptography. The more diverse your keys, the better your security and granularity, but the higher the complexity. While rudimentary key management is built into a variety of products – including full disk encryption, backup tools, and databases – at some point many security professionals find they need a little more power than what’s embedded in the application stack. Some of the needs include:

  • More robust reporting (especially for compliance).
  • Better administrator monitoring and logging.
  • Flexible options for key rotation and expiration.
  • Management of keys across application components.
  • Stronger security.

Or sometimes, as with custom applications, there isn’t any existing key management to lean on. In these cases it makes sense to start looking at a dedicated key manager. In terms of use cases, some of the sweet spots we’ve found include:

  • Backup encryption, due to a mix of longevity needs and very limited key management implementations in backup products themselves.
  • Database encryption, because most database management systems only include the most rudimentary key management, and rarely the ability to centrally manage keys across different database instances or segregate keys from database administrators.
  • Application encryption, which nearly always relies on a custom encryption implementation and, for security reasons, should separate key management from the application itself.
  • Cloud encryption, due to the high volume of keys and variety of deployment scenarios.

This is just to provide some context – many of you reading this probably already know you need a dedicated key manager. If you want more background on data encryption key management and when to move on to this category of tools you should read our other paper first, then hop back to this one. For the rest of you, the remaining posts in the series will cover technical features, management features, and how to choose between products.