Prime Factors Blog

14 Signs You Should Add a Cryptographic Key Management System

Posted by Jeff Cherrington on Aug 19, 2014 11:25:30 AM

  1. The person who has manually managed all your cryptographic keys for years abruptly leaves the company, and no one can find the spreadsheet with all the key locations and expiration dates (tick, tick, tick...)
  2. You received an encrypted file of sensitive data from a customer and it took hours to find the right decryption key
  3. The results of a QSA data protection practices audit indicate that your PCI key management practices leave critical decryption and signing keys inappropriately exposed, making it a Matter Requiring Attention (MRA)
  4. Customers are demanding that you encrypt the sensitive information you send to them, each with a different encryption key, creating confusion in Operations
  5. Code reviews are finding cryptographic keys hardcoded into your cloud applications, because the application developers have been burned by pointing an application at the supposed file location of a key, only to have the key moved without notification (Read the prior post "Encryption Key Management Use Cases: Three Laws of Data in the Cloud")
  6. New prospects ask for a copy of your cryptographic key management practices and all you have to give them is a note that says “Store keys in a cool, dark place.” (…or, wait a minute, was that supposed to apply to the adult beverages for the next off-site?)
  7. The Chief Auditor tells you that PCI key rotation requirements are that encryption keys should be replaced every 12 months and asks how long current encryption keys have been in place, and you can only answer “…since the application was deployed…”
  8. Adopting that best practice, you replace an encryption key for one process, only to find that the same key is inappropriately used for five other processes that immediately break down
  9. A customer notifies you that regulations require that their data is protected with a cryptographic key of at least a specific bit count, and you actually have to detail a developer to find the key and manually count the bits
  10. The CTO wants to document that cryptographic key access is appropriately restricted and asks for a list of all staff members who can change or update keys, and you find this is a very long list that actually includes the data preparation intern, but doesn’t include anyone from Data Security
  11. You receive word that the global root for the X.509 keys used in your applications has been compromised, and all the keys need to be replaced…and you don’t know how to track them all down
  12. The head of data security convinces the executive team that current best practices require use of public-private key pairs in place of symmetric encryption keys wherever possible, and making this swap will run your department over budget from the overtime alone
  13. You’ve ensured that all the symmetric keys used in your applications are long, random, and complex…and might be walking out the door on a USB drive in the pocket of the system engineer who was just let go
  14. Coding proper cryptographic key management into your applications, to protect against all of the prior 13 points of this list, has become such a drain on resources that there are not enough available to complete the next new revenue-generating enhancement on time
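Several of the signs above (the lost spreadsheet of key locations and expiration dates, the 12-month rotation question, one key reused across five processes, the hand-counted key length, and the over-long list of people who can change keys) are really the same gap: nobody holds authoritative metadata about every key. The script below is an added example, not code from Prime Factors or from any key management product, that shows what answering those questions looks like once that metadata exists in one place. The inventory, team names, and minimum key sizes are constructed for illustration; the 365-day rotation limit comes from the 12-month requirement quoted in item 7.

```python
"""Audit a cryptographic key inventory against basic key management policies.

Added example: the inventory below is constructed sample metadata, not real
keys or systems. A key management system records this for you; without one,
each question in the post's list becomes a manual hunt.
"""
from datetime import date, timedelta

# Constructed inventory: metadata only, never the key material itself.
INVENTORY = [
    {"key_id": "aes-payments-01", "algorithm": "AES", "bits": 256,
     "created": date(2013, 2, 1), "uses": ["payments-batch"],
     "editors": ["ops-crypto"]},
    {"key_id": "aes-reports-01", "algorithm": "AES", "bits": 128,
     "created": date(2014, 6, 15), "uses": ["reports", "archive", "export"],
     "editors": ["ops-crypto", "data-prep-intern"]},
    {"key_id": "rsa-sftp-01", "algorithm": "RSA", "bits": 2048,
     "created": date(2012, 9, 30), "uses": ["sftp-signing"],
     "editors": ["ops-crypto"]},
]

MAX_KEY_AGE_DAYS = 365                        # the 12-month rotation rule from item 7
MIN_BITS = {"AES": 256, "RSA": 2048}          # assumed customer minimums (item 9)
SECURITY_TEAM = {"ops-crypto", "data-security"}  # assumed authorized key editors (item 10)


def overdue_rotation(inventory, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Key IDs whose age exceeds the rotation limit, with the date they fell due."""
    limit = timedelta(days=max_age_days)
    return {k["key_id"]: (k["created"] + limit).isoformat()
            for k in inventory if today - k["created"] > limit}


def shared_keys(inventory):
    """Keys used by more than one process: rotating one breaks the others (item 8)."""
    return {k["key_id"]: sorted(k["uses"]) for k in inventory if len(k["uses"]) > 1}


def short_keys(inventory, minimums=MIN_BITS):
    """Keys below the minimum size for their algorithm; no bit counting required."""
    return {k["key_id"]: k["bits"] for k in inventory
            if k["bits"] < minimums.get(k["algorithm"], 0)}


def unauthorized_editors(inventory, allowed=SECURITY_TEAM):
    """Editors on each key who are not on the authorized security team."""
    result = {}
    for k in inventory:
        extra = sorted(set(k["editors"]) - allowed)
        if extra:
            result[k["key_id"]] = extra
    return result


def audit(inventory, today):
    """Run every check and return one report a CTO or auditor can read."""
    return {
        "overdue_rotation": overdue_rotation(inventory, today),
        "shared_keys": shared_keys(inventory),
        "short_keys": short_keys(inventory),
        "unauthorized_editors": unauthorized_editors(inventory),
    }


if __name__ == "__main__":
    # Run the audit as of the post's publication date.
    report = audit(INVENTORY, date(2014, 8, 19))
    for check, findings in report.items():
        print(f"{check}: {findings or 'none'}")
```

Each check is a one-line policy query because the metadata exists; the real work is getting every key registered with its algorithm, size, creation date, consuming processes, and authorized editors, which is what a key management system enforces at key creation rather than reconstructing after the fact.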

Learn more about the benefits of a cryptographic key management system in the white paper "Five Key Management Fundamentals for Unlocking Encryption Success".