The task of deploying encryption key management into your infrastructure to meet security and compliance best practices can be overwhelming at first. To give you a bird's-eye view of the core components of our Alliance Key Manager (AKM), our encryption key management HSM, I want to break down its three major components. Having this understanding in your back pocket as you roll out AKM can help smooth out the process.
First up, your security team can use our AKM Java GUI console to create and manage AES encryption keys for use in your applications. This is a program that you install on a Windows machine; it communicates directly with the key server over a secure TLS session. Here, keys can be created, expired, revoked, rolled or even deleted, which are requirements of PCI DSS and other compliance regulations. You can also define a key access policy for each key you create, specifying which groups or individuals can request and use it. Alternatively, you can use our Linux command-line facility to fully automate encryption key management through scripted calls.
The second component is your application that performs encryption and needs access to an external key manager. You will need to make some minor changes to your application layer so that it makes API calls to our shared library, which handles key retrieval. To help you succeed here, we offer sample code in a variety of programming languages for your development team to work with. All of these samples can be found on the AKM product CD.
If you need Extensible Key Management (EKM) for Microsoft SQL Server 2008 Enterprise Edition and above, you can take advantage of Transparent Data Encryption (TDE) or Cell Level Encryption. We see many organizations pair TDE with EKM because TDE encrypts the database files at rest without changing any of their applications, while the EKM provider keeps the key that protects the database under the HSM's control. It can be deployed relatively quickly.
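To make the EKM/TDE setup concrete, here is an added T-SQL walkthrough of the generic SQL Server EKM procedure. It is not code from this post or from the AKM product; the provider name `HsmEkmProvider`, the DLL path, the credential names, the login and the database name `SalesDb` are assumptions standing in for whatever your EKM provider vendor and your environment supply. The statements themselves are standard SQL Server EKM/TDE commands.

```sql
-- Added example: generic SQL Server EKM + TDE setup. Provider, paths,
-- credentials and database names are placeholders, not AKM-specific values.

-- 1. EKM is an advanced option and is off by default; turn it on.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;

-- 2. Register the vendor's EKM DLL as a cryptographic provider (path assumed).
CREATE CRYPTOGRAPHIC PROVIDER HsmEkmProvider
    FROM FILE = 'C:\Program Files\HsmEkm\HsmEkmProvider.dll';

-- 3. Give the administrative login a credential the provider uses to
--    authenticate to the key server (IDENTITY/SECRET format is provider-defined).
CREATE CREDENTIAL HsmAdminCredential
    WITH IDENTITY = 'hsm_admin', SECRET = 'provider-specific-secret'
    FOR CRYPTOGRAPHIC PROVIDER HsmEkmProvider;
ALTER LOGIN [CORP\dba_tde] ADD CREDENTIAL HsmAdminCredential;

-- 4. Create (or open) the asymmetric key that lives on the HSM. The private
--    half never leaves the key server; SQL Server only holds a reference.
USE master;
CREATE ASYMMETRIC KEY TdeHsmKey
    FROM PROVIDER HsmEkmProvider
    WITH PROVIDER_KEY_NAME = 'sqlserver-tde-master',
         CREATION_DISPOSITION = CREATE_NEW;   -- OPEN_EXISTING if already on the HSM

-- 5. TDE needs a login mapped to that key, with its own credential, so the
--    engine can reach the HSM at startup without a human session.
CREATE LOGIN TdeHsmLogin FROM ASYMMETRIC KEY TdeHsmKey;
CREATE CREDENTIAL TdeHsmLoginCredential
    WITH IDENTITY = 'hsm_tde_service', SECRET = 'provider-specific-secret'
    FOR CRYPTOGRAPHIC PROVIDER HsmEkmProvider;
ALTER LOGIN TdeHsmLogin ADD CREDENTIAL TdeHsmLoginCredential;

-- 6. Create the database encryption key (DEK) protected by the HSM key,
--    then switch encryption on for the database.
USE SalesDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeHsmKey;
ALTER DATABASE SalesDb SET ENCRYPTION ON;

-- 7. Verify: encryption_state 3 means the encryption scan has completed.
SELECT DB_NAME(database_id) AS db,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_type
FROM sys.dm_database_encryption_keys;

-- Cell Level Encryption with the same provider, by contrast, does require
-- application-side changes: a symmetric key is opened from the HSM and the
-- T-SQL must call EncryptByKey/DecryptByKey explicitly (column name assumed).
CREATE SYMMETRIC KEY CardNumberKey
    FROM PROVIDER HsmEkmProvider
    WITH PROVIDER_KEY_NAME = 'salesdb-card-column',
         CREATION_DISPOSITION = CREATE_NEW;
UPDATE dbo.Payments
   SET CardNumberEnc = EncryptByKey(Key_GUID('CardNumberKey'), CardNumber);
```

Two practitioner checks worth doing after this runs: confirm that `tempdb` now shows as encrypted in `sys.dm_database_encryption_keys` (TDE on any user database encrypts `tempdb` as a side effect), and make sure the HSM-side key named by `PROVIDER_KEY_NAME` is covered by the key server's backup and mirroring, because a lost HSM key means an unrecoverable database.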
Finally, you have the ability to manage the key server appliance itself. By pointing a web browser at the IP address of the appliance on your network, you can create system and database backups, define mirrored servers, and enable syslog forwarding to meet PCI DSS and other compliance requirements.
Download our "Encryption Key Management Simplified" resource kit for more information on meeting PCI DSS and HIPAA, encryption key management best practices, and more.