Prime Factors Blog

5 Tips for Success in Key Management

Posted by Pete Flagella on Aug 30, 2016 10:00:00 AM

Find me on:


37918549_m.jpgAs anyone can tell you who does it, key management can get complicated to the point where major mistakes are made. This is especially true when you don't have iron-clad policies in place or use software that seems to have been engineered to be overly complicated. The general trend is that companies sometimes relax their rules for special circumstances or simply fail to think through what they really need as a company. You can see the lack of preparation practically every day, as credit card information, social security numbers and even email addresses are compromised in a number of ways, and it upsets and scares consumers of all kinds. If you currently have an encryption system in place but feel that you're just barely holding it all together, now is a good time to reevaluate. Encryption is not an inexpensive option (even if you’re using a “free” solution), and without effective key management it's essentially worthless. Read these tips for continued strength and advanced protection.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

1. Check Your Current System

Penetration tactics go a long way in determining where vulnerabilities lie in your key management, but you should go beyond just thinking like a hacker. You'll also need to account for employees who may be just getting used to the system, or who simply might make a mistake. All of your facilities and procedures need to undergo a few mock attacks to see where you might need to adjust your policies.

When you're testing, ensure you're documenting everything, and more importantly, double check that documentation will make sense to anyone who reads it later. There should be information contained about how to diagnose specific problems, how to report on those problems and how to fix them. If you have an automated process that sends alerts, there should be a widely understood process about how to address potential threats. Key management and alert systems are viewed as pure time-wasters to many organizations because so much effort gets devoted and results are often undervalued. Because these are prime candidates to inspire frustration in employees, it's especially important to give the streamlining process extra priority. This means that you can't assume anything, especially when it comes to the person in charge. Digging a little deeper may reveal a need for more education or even an entire overhaul of the current system. Spending the time now to figure out a better way can save countless hours in the future. Additionally, tools exist to help you. For example, Prime Factors offers Bank Card Security System (BCSS) software that was designed to minimize the transition time in getting new employees on the same page when it comes to key management for issuing and storing EMV cards,  one of the most common uses of encryption.

2. Examine the Keepers of the Keys

Companies sometimes delegate key management to one employee, and while it may make sense to have one point of contact when it comes to cryptography, there are also downsides to this. If that employee leaves unexpectedly or even just takes a day off, there may be no one who knows the proper protocol. You should have people across departments who understand the principles behind keeping data safe and ensure they are all subject to the same rules and standards as those in IT. There should be no confusion about who has access to what, or how the chain of command works in an emergency. Businesses may start off with one set of needs in terms of maintaining keys, and then quickly see those needs multiply as their plate gets more and more full.

Name trusted employees to be keepers and then others to head internal audits, along with your standard system administrator or system authority. You might be surprised to learn how many companies fall down when it comes to protecting their keys, which may (in part) be due to the fact that system security may get pushed to be back burner for “more pressing” matters. However, this dangerous version of willful ignorance has caused too many fiascoes for unsuspecting companies. Whatever you call these roles, keep the knowledge distributed so that one person doesn't hold all of the information and power, but also consolidated enough that you don't lose track of who is doing what. The goal here is to have several back-up plans in the event of a change in either personnel or technology — and there will be change.

3. Simplify Software Development

Software that helps audit your processes is available to enterprises that not only want to make life easier on their staff but also reduce the chances of errors for the company as a whole. Software is available that consistently and automatically updates based on the new standards set by PCI DSS, HITECH or even major credit card carriers. Simplified software allows you to relax and think strategically because you can keep many of your existing practices while still meeting your changing responsibilities. This type of freedom from fear can be especially helpful for your employees who read the news about major hacks on a weekly basis. Even if they don't understand asymmetric encryption, they certainly understand how one hack could put them out of a job.

Essentially, you should look for software such as Prime Factors’ Bank Card Security System, which has the capabilities to eliminate your in-house development needs. A key vault database and hardware security module can be just what you need to make storage of keys simple without compromising their secrecy. You can maintain access and order using simple key management solutions and modules that generate keys that have been vetted with advanced encryption. Depending on your needs, you can purchase solutions that continually keep pace with decryption methods hackers may use both today and tomorrow. It's crucial to remember that expert hackers understand the principles behind encryption, meaning they're trying to stay two steps ahead of developers. When it comes to their skills, it's hard to match their efforts but it's possible to keep them from breaking the codes by using good encryption. By simplifying the software you use, you make it more of a certainty that staff will use the programs the way they're meant to be used. There are bound to be keepers of the keys that are less familiar with technology, and simple systems make it easier for them to perform their role correctly.

4. Stay Alert and Creative

The attention needed to do key management isn't easy, and it's caused companies to outsource to third parties who specialize in storing data. However, it’s important to use solutions that don't involve relinquishing any amount of control over your own systems. Staying alert doesn't mean that you need to sleep with one eye open, but it does mean that you should be aware of what's happening inside your organization. While the right software can make your job exponentially easier, it's still up to you to make your auditing process an ongoing exercise. Small mistakes or seemingly innocuous misuses of protocols can blow up quickly, and hackers can be patient when it comes to waiting for any vulnerability to pop up on their radar.

Good encryption management software gives you the means to easily grant or deny access to people when keys are created, and it provides logs and files that can be read without needing a glossary of terms to understand what is meant. These tools are specifically designed to make it simpler for you to be in command of how your keys are managed. And when managing keys is simple and effective, you can dedicate critical resources to creative thinking and problem solving.

5. Tighten Up Your EMV

It might seem that if you want to take on EMV requirements on your own you'll need to have a stellar organization, an in-depth knowledge of how the technology works, and a system for keeping up with updates and upgrades. However, you can make life easier on yourself and adopt a migration path that will satisfy these advanced requirements without going down a rabbit hole where one mistake could mean the end of your business. Communication, risk assessment, key generation and verification all need to be air-tight. Strong solutions work on major hardware platforms, like the ones you use right now. They also support PKI initiatives, so if you need help managing, generating, or protecting symmetric, asymmetric, static, or dynamic keys, they ensure you're prepared in every way when issuing or authorizing EMV cards.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption

 

Topics: Enterprise Data Protection, encryption