If you're starting an encryption key management project, you should always know the warning signs of obstacles that might make your project way more difficult and costly than it needs to be. We often see companies who have recently failed a data security audit, or realize that they are about to, because they didn't watch out for these pitfalls before they began an encryption key management project.
1. Complicated Project Requiring Outside Consultants and Time
If you find yourself bogged down by hiring outside consultants (beyond your encryption key management vendor) to help you set up and run your encryption key management system, you're probably headed for trouble. Encryption key management should be simple, straightforward, and easy to deploy.
2. No Certifications
NIST certifications are a must when it comes to implementing good encryption key management. In order to meet compliance for PCI-DSS, GLBA/FFIEC, FISMA, and other compliance regulations, always use NIST-certified AES encryption and FIPS 140-2 compliant encryption key management. Your QSA or other data security auditor will look for these certifications.
3. No Client-Side Support
Your encryption key management vendor should supply you with the appropriate client-side applications to make your encryption key management run as smoothly as possible. If you find yourself scrambling to find sample code, binary libraries, key retrieval and other tools, your encryption key management project time will almost certainly increase and not come to a complete halt.
4. No Dual Control and Separation of Duties
When it comes to doing your encryption key management right, one of the critical pieces to meeting compliance requirements such as PCI-DSS is using the principles of dual control and separation of duties. These are hard and fast guidelines when it comes to the handling of encryption keys, and are considered a "best practice" for encryption key management. If your encryption key management hardware system doesn't implement these policies, it will be difficult to pass your data security audit down the road. Some compliance regulations such as HIPAA/HITECH Act don't yet require these policies; however, you should expect these best practices policies to be implemented into regulations down the road.
5. Complex and Hard to Predict Licensing
When you don't know how much your encryption key managemer is going to cost, your project will stop in its tracks. When you don't know how many licenses your company will need over time and how your encryption key management vendor will charge you for them, estimating the cost becomes very complicated. Often a vendor might limit how many devices can connect to your key server or the number of keys the key server can create, resulting in unpredictable costs. As we all know, a project with an unpredictable cost never gets off the ground! The cost of licensing should not be a barrier to protecting your sensitive data.
To learn more about how encryption key management and how easy it can be, check out our webinar, “Key Management Simplified.”