Image courtesy:https://www.researchgate.net/figure/Comparison-of-Symmetric-Cryptography-Algorithms-20_tbl1_328653330
Compliance and Best Practices in Encryption Key Management
Key management practices must adhere to regulatory standards such asPayment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR),Federal Information Processing Standard (FIPS), and Health Insurance Portability and Accountability Act (HIPAA). Here are a few best practices recommended by cybersecurity experts.
1. Best Encryption Algorithms
A good combination of encryption algorithms and keys makes the data indecipherable to hackers.
- Triple Data Encryption Standard (DES)
The Triple DES is a much-improvised algorithm version of its predecessor, DES, which turned obsolete due to its high attack vulnerability. The total key length of the Triple DES is 168 bits, which includes three individual keys of 56 bits each.
- Advanced Encryption Standard (AES)
Considered relatively more advanced than the Triple DES, the AES is a standard utilized by the U.S government and is known for its highly efficient128,192, and256-bit cipher combinations.
- RSA Security
Since RSA Security uses a pair of keys, it is considered an asymmetric algorithm that is difficult for hackers to crack since it demands significant time and processing abilities.
- Blowfish
Blowfish is freely available in the public domain and is considered one of the most effective symmetric key algorithms. Messages are divided into64-bit segments each and separately encrypted in this cipher approach.
- Twofish
Another symmetric key algorithm, Twofish is tailored for hardware and software environments, and employs keys of256-bit length each.
2. Least Privilege
Also known as thePrinciple of Least Authority (POLA), this approach believes in granting authorized users only a required set of privileges. For instance, allowing the user responsible for retrieving records from a database just the permissions needed to perform the job function and denying admin rights would prevent insider-caused breaches.
3. Hardware Security Module (HSM)
Since HSMs are devices that either must be stolen or physically accessed, they are less susceptible to attacks. Although cloud based HSMs are considered reliable key management options, a lapse in the cloud service provider’s security could enable the attacker to access the keys.
4. Segregation of Duties
The various key management duties can be segregated to prevent insider threats. For instance, allotment of the key creation, distribution, and access right management responsibilities exclusively to different individuals (or entities) would ensure no tamper. The entity generating the key would be nowhere involved in the distribution phase and so on.
5. Automation
All key management activities ranging from generation and distribution to destruction can be automated. Automation also ensures the key becomes invalid post-crypto period expiry.
6. Split Keys
The split key approach ensures two or more individuals are required to access a key. Since every person only has access to a part of the key, the security-compromised link can be easily identified.
7. Bring Your Own Key (BYOK)
Conventionally, cloud service providers own the encryption keys of their client data. Trusting a third-party vendor completely with the safety of encryption keys is an unsettling thought for most information security teams. The Bring Your Own Key (BYOK) practice, also known asCustomer Supplied Encryption Keys (CSEK)grants enterprises complete ownership of the encryption keys used to secure cloud data.
8. Audit Log Encryption
A certificate can be used to encrypt audit logs and save them to a Keystore in an audit.xml format. The encrypted audit logs can be accessed only by a set of authorized users with passwords.
9. Periodic Key Rotation
Encryption key rotation is a practice followed to replace keys periodically to ensure less breach possibility. When an encryption key is changed daily and if at all a breach occurs, the hacker would be able to access only the data of the day.
Key Management Challenges
There are several key management challenges in businesses today which must be addressed.
- The encryption keys are usually controlled by the cloud service provider, giving consumers little authority over their data.
- Multiple user data are usually protected by the same encryption key by cloud vendors offering no distinction.
The encryption challenges posed by many keys generated because of growing data volumes can be mitigated by the adoption of a centralizedKey Management SystemorKMS. An efficient KMS offers policy-based key generation, storage, and distribution. It also ensures the keys are securely archived and an enterprise audit log trail is maintained. The inclusion of KMS in an enterprise’s data protection strategy is an idea IT decision-makers should consider for securing encryption keys.
A vital factor that differentiates Parablu’s patented data protection technology from similar market variants is its Bring Your Own Key (BYOK) orBring Your Own Encryption (BYOE)approach. BluSync overcomes dependency, or rather, the trust in the public cloud or SaaS vendor for data encryption needs. Conventionally, SaaS vendors could access customer data without permission at any time, but Parablu’s BluSync offers users complete autonomy over their encryption keys.
Ask for a freedemoto learn more about Parablu’s encryption and data protection approach.