When a company stores critical data, whether in its own data center or in the cloud, encryption key management is vital to keeping that data secure, and letting the data center or cloud provider control the keys isn't always an option.
Cyberattacks on enterprises are on the rise, but most enterprise IT shops are still using archaic key-management methods. For many, key management is a painful process, often because of those outdated methods, but there are solutions out there that take the pain out.
Instead of letting a colocation or cloud provider control its encryption keys, a company normally encrypts the critical data itself and then sends it out to the storage location, said Chris Day, chief cybersecurity officer at Cyxtera Technologies, a security-focused data center provider formed this year as a result of an acquisition of CenturyLink's massive global data center portfolio by a group of investors.
"The security benefits are obvious when the customer properly manages their own keys," he said. "However, key management can be complex, and many organizations do not possess the skills in-house to properly do so."
In fact, according to a survey conducted earlier this year by the Ponemon Institute and Thales e-Security, 59 percent of companies said there was a high degree of pain associated with key management, up from 53 percent the year before.
Top reasons for the pain? There was no clear ownership of the key-management function, followed by a lack of skilled people and isolated or fragmented key-management systems.
Keys to external clouds and hosted services are the hardest types of keys to manage, according to the survey.
It doesn't help that 51 percent of companies use manual processes, such as paper or spreadsheets, to keep track of encryption keys. Only 37 percent of companies have formal key-management infrastructure in place.
On this front, however, the situation is improving slightly. In last year's survey, 57 percent said they used manual processes, and only 31 percent had key-management infrastructure in place.
Having a centralized key-management system offers other benefits besides just being able to unlock data.
That includes compliance requirements, such as data sovereignty concerns, said Daren Glenister, field CTO at Intralinks.
"[Customer-managed keys] show that even though data resides in a certain country, it may ultimately be controlled in a separate country," he said.
Key-management tools also make it possible for companies to replace their keys on a regular basis.
"Keys ought to be rotated or expired without affecting access to legacy data," said Vamshi Sriperumbudur, VP of marketing at CipherCloud, which helps companies protect data stored in Dropbox, Salesforce, Office 365, Box, and other cloud services.
And if someone wants to access the data stored in the cloud, they have to talk to the company itself to get the keys, he added. "No-one -- whether it’s law enforcement, cloud provider system admins, or cyber criminals -- can access sensitive information under any circumstances without contacting the data owner first."
Finally, with a good key-management system, a company doesn't have to worry about a storage vendor keeping backups of its key material around after those keys are no longer needed.
"If you need to shred all keys, you hit the button on the local hardware security module, and it does it for you," said Ashwin Krishnan, SVP of product management at HyTrust, which offers key-management software that can run locally, behind a customer's firewall, or in a cloud.
"Some customers might not be capable, or might not want to invest in managing keys on-premises," he said. "But they can easily make a case for hosted key management."
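Two of the properties described above, rotating keys without losing access to legacy data and shredding keys to make data unrecoverable, are both consequences of envelope encryption with versioned key-encryption keys (KEKs): each record is encrypted under its own data-encryption key (DEK), and only the DEK is wrapped under the customer-held KEK. The Python below is an added example, not code from any of the vendors quoted in this article. The `KeyRing` class is a stand-in for the HSM or KMS that would actually hold the KEKs, and the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; in production you would use AES-GCM from a vetted library or the KMS itself.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Split one 256-bit key into independent encryption and MAC subkeys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in PRF, not AES)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag. aad is authenticated only."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_derive(key, b"mac"), len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or AAD was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


class KeyRing:
    """Customer-controlled, versioned KEKs. Hypothetical stand-in for an HSM/KMS."""

    def __init__(self) -> None:
        self.keks: dict[int, bytes] = {}
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new KEK version; old versions stay so legacy data remains readable."""
        self.current += 1
        self.keks[self.current] = os.urandom(32)
        return self.current

    def shred(self, version: int) -> None:
        """Crypto-shredding: without the KEK, every DEK wrapped under it is gone for good."""
        del self.keks[version]

    def encrypt_record(self, plaintext: bytes) -> dict:
        dek = os.urandom(32)                       # fresh DEK per record
        v = self.current
        return {
            "kek_version": v,                      # binds the wrapped DEK to its KEK version
            "wrapped_dek": aead_encrypt(self.keks[v], dek, aad=str(v).encode()),
            "ciphertext": aead_encrypt(dek, plaintext),
        }

    def decrypt_record(self, record: dict) -> bytes:
        v = record["kek_version"]
        if v not in self.keks:
            raise KeyError(f"KEK v{v} has been shredded; record is unrecoverable")
        dek = aead_decrypt(self.keks[v], record["wrapped_dek"], aad=str(v).encode())
        return aead_decrypt(dek, record["ciphertext"])

    def rewrap_record(self, record: dict) -> dict:
        """Move a record to the current KEK; the bulk ciphertext is never re-encrypted."""
        old = record["kek_version"]
        dek = aead_decrypt(self.keks[old], record["wrapped_dek"], aad=str(old).encode())
        v = self.current
        return {
            "kek_version": v,
            "wrapped_dek": aead_encrypt(self.keks[v], dek, aad=str(v).encode()),
            "ciphertext": record["ciphertext"],
        }


def demo() -> dict:
    """Rotation, re-wrapping and shredding on constructed sample records."""
    ring = KeyRing()
    legacy = ring.encrypt_record(b"customer PII written before rotation")   # constructed sample
    v1 = ring.current
    ring.rotate()
    fresh = ring.encrypt_record(b"record written after rotation")            # constructed sample
    legacy_plain = ring.decrypt_record(legacy)   # still readable: v1 KEK retained
    migrated = ring.rewrap_record(legacy)        # now under v2, same ciphertext bytes
    ring.shred(v1)                               # retire v1 once nothing depends on it
    try:
        ring.decrypt_record(legacy)
        shredded_readable = True
    except KeyError:
        shredded_readable = False
    return {
        "legacy_plain": legacy_plain,
        "fresh_plain": ring.decrypt_record(fresh),
        "migrated_plain": ring.decrypt_record(migrated),
        "migrated_version": migrated["kek_version"],
        "ciphertext_unchanged": migrated["ciphertext"] == legacy["ciphertext"],
        "shredded_readable": shredded_readable,
    }


if __name__ == "__main__":
    print(demo())
```

The operational point is in `rewrap_record`: rotating a KEK costs one small unwrap-and-wrap per record, not a re-encryption of the stored data, so a hosted or on-premises key manager can retire old KEK versions on a schedule and, when a customer "hits the button", deleting the KEK is enough to make every record wrapped under it permanently unreadable even if the storage vendor still holds backups of the ciphertext.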