Townsend Security Data Privacy Blog

3 Questions from Encryption Key Management Simplified

Posted by Luke Probasco on Jun 21, 2011 12:38:00 PM

Last week we hosted a well-attended webinar titled "Encryption Key Management Simplified - Removing Complexity and Cost."  The focus was on meeting compliance regulations for managing encryption keys, and on showing that this does not need to be complex or costly as long as you are using the right tools.  Patrick Townsend, founder and CTO, received a lot of great questions during the webinar and wanted to share a few of them on our blog.  If you missed the webinar and would like to view it now, click here.

My PCI auditor told me that I need to separate my encryption keys from sensitive data.  Will a key management solution help with this?

Yes.  Absolutely.  That is typically what auditors expect you to do - to use a key management solution to separate the keys from the data that they protect.  So, within the PCI DSS world, for example, there are the concepts of dual control and separation of duties.  You accomplish separation of duties through procedural controls after you deploy a key management server.  You will find references in the navigation guide for PCI DSS around proper encryption key management.  There is a clear recommendation in Section 3 of the PCI DSS that people use professional encryption key management solutions, and Alliance Key Manager is exactly that kind of solution.  By the way, it is just impossible on any platform to achieve best practices for key management by having the encryption keys on the same platform as the protected data - whether it is an IBM AS/400 where you have a security officer who has all control, or Windows with an Administrator account that has high authority, or Linux and UNIX where you have root authority users.  It's just not possible to practically achieve the type of separation of duties and dual control that you need.  In almost all cases, compliance auditors are really looking to find proper key management and systems in place, like Alliance Key Manager, to meet that requirement.

On the IBM i, IBM has implemented a key store.  Why wouldn't I just use the IBM key store?

Well, the IBM i key store, as its name implies, is not an encryption key management system at all.  It's a place to store encryption keys.  I think that, like any platform where you have one or more very highly authorized users, you have the problem of achieving dual control and separation of duties.  I'm not picking on the IBM i platform here - I think that platform has, generally speaking, good security - but you cannot achieve dual control or separation of duties on that platform.  Not only does the security administrator have all authority to any database and the key store, but also any user with All Object Authority has the same level of security.  In a typical IBM AS/400 shop, there are a lot of people who have that authority.  So the key store on the IBM i platform just won't give you the ability to achieve these compliance requirements for separation of duties and dual control.  You really need to deploy a solution that is specifically designed to manage keys through the entire life cycle.

How do you keep system administrators from getting at the data and the keys at the same time?

Through the use of an encryption key management system, you would have a security administrator responsible for creating encryption keys, and a different database administrator responsible for granting access and setting up tables and that person would have access to the data.  But if the data is encrypted properly, and you are using proper encryption key management techniques, that database administrator will not have encryption keys and the encryption key management administrator will not have data access.  This is the whole concept of separation of duties - that you have different people.  To achieve that kind of compliance or security architecture, it means you have to have technology and procedure controls around this deployment.  So you have to have some people who are responsible for the data who never see encryption keys and some people who are responsible for encryption keys who never see data - so there is a combination of technologies and procedures that are required.  If you don't have the right technology, then you can't prevent these two from interacting - so that is why encryption key management is such an important part of a data protection strategy.  You really need to be able to have that separation of duties to achieve that.
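The arrangement Patrick describes above - a key server that hands key material only to the application identity, a key administrator who can create and rotate keys but never fetch them, and a database administrator who can read rows but never fetch keys - modelled as a small Go program.  This is an added example written for this post; it is not Townsend Security code and does not reflect the Alliance Key Manager API.  It assumes three role names as plain strings (a real key server would authenticate a TLS client certificate), a per-key retrieval policy, an in-process key server standing in for a separate host, and a one-byte key version prefixed to each encrypted field.  It goes slightly beyond the answer by including key rotation, since that is where "life cycle" management usually bites: rows encrypted under an older version must still decrypt after the key administrator rotates.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal is a client identity as the key server sees it (a TLS client certificate in practice; plain
// strings here are an illustrative assumption): the key administrator manages key lifecycle but never
// retrieves keys, the database administrator owns rows but never retrieves keys, and only the
// application service identity may fetch key material.
type Principal string

const KeyAdmin, DBAdmin, AppSvc Principal = "key-admin", "db-admin", "app-service"

var ErrDenied = errors.New("key manager: access denied")

// KeyManager stands in for a key server on its own host, out of reach of root, Administrator or QSECOFR on the database host.
type KeyManager struct {
	keys      map[string][][]byte  // key name -> versions, oldest first
	retriever map[string]Principal // key name -> the one principal that may fetch it
}

// CreateKey is a key-administrator operation: the admin names the key and the application identity allowed
// to retrieve it; the key bytes are generated here and never leave the server. Calling it again for the same
// name is a rotation: a new version is appended and older ones are kept so existing rows still decrypt.
func (km *KeyManager) CreateKey(who Principal, name string, retriever Principal) error {
	if who != KeyAdmin {
		return ErrDenied
	}
	if km.keys == nil { // lazy init so a zero-value KeyManager is usable
		km.keys, km.retriever = map[string][][]byte{}, map[string]Principal{}
	}
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read never returns an error (it aborts the process on failure instead)
	km.keys[name] = append(km.keys[name], k)
	km.retriever[name] = retriever
	return nil
}

// RetrieveKey hands out key material only to the key's registered retriever (version 0 = current); the key admin gets no exemption.
func (km *KeyManager) RetrieveKey(who Principal, name string, version int) ([]byte, int, error) {
	if r, ok := km.retriever[name]; !ok || r != who {
		return nil, 0, ErrDenied
	}
	vers := km.keys[name]
	if version == 0 {
		version = len(vers)
	}
	if version < 1 || version > len(vers) {
		return nil, 0, errors.New("key manager: no such key version")
	}
	return vers[version-1], version, nil
}

// aeadFor fetches a key version on behalf of who and wraps it in AES-256-GCM; it is the only code that touches key bytes.
func aeadFor(km *KeyManager, who Principal, keyName string, version int) (cipher.AEAD, int, error) {
	key, ver, err := km.RetrieveKey(who, keyName, version)
	if err != nil {
		return nil, 0, err
	}
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here, so this cannot fail
	gcm, err := cipher.NewGCM(block)
	return gcm, ver, err
}

// EncryptField is the application side: seal under the current key and prefix the key version (one byte, so at most 255 versions here) as authenticated data.
func EncryptField(km *KeyManager, who Principal, keyName string, plaintext []byte) ([]byte, error) {
	gcm, ver, err := aeadFor(km, who, keyName, 0)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	blob := append([]byte{byte(ver)}, nonce...)
	return gcm.Seal(blob, nonce, plaintext, blob[:1]), nil
}

// DecryptField selects the key version from the first byte (this is where a db-admin caller is refused) and verifies the GCM tag.
func DecryptField(km *KeyManager, who Principal, keyName string, blob []byte) ([]byte, error) {
	if len(blob) < 1+12+16 { // version byte + GCM nonce + GCM tag
		return nil, errors.New("ciphertext too short")
	}
	gcm, _, err := aeadFor(km, who, keyName, int(blob[0]))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[1:13], blob[13:], blob[:1])
}

func main() {
	km := &KeyManager{}
	fmt.Println("db-admin creates key:", km.CreateKey(DBAdmin, "pan-key", AppSvc), "/ key-admin creates key:", km.CreateKey(KeyAdmin, "pan-key", AppSvc))
	row, _ := EncryptField(km, AppSvc, "pan-key", []byte("4111111111111111")) // constructed sample PAN
	_, err := DecryptField(km, DBAdmin, "pan-key", row)
	fmt.Printf("stored row: %x\ndb-admin decrypt: %v\n", row, err) // the db-admin sees ciphertext only
}
```

The point to notice is where the denial happens: the database administrator can read every byte of the stored row, and the key administrator can mint and rotate keys, but neither can complete a RetrieveKey call, so neither can turn the row back into a card number.  That is what the procedural controls Patrick mentions are layered on top of - the technology enforces the split, the procedures decide who holds which identity.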

To view the webinar "Encryption Key Management Simplified - Removing Complexity and Cost" in its entirety, click here, and be sure to let us know if you have any further questions.

Topics: Encryption Key Management