A Crypto Foundation is a centralized approach to securing different types of data across multiple environments, combined with the management and maintenance of keys and crypto resources. To provide the consolidation, protection, and flexibility that today's business environment demands, a data protection strategy should incorporate four key areas of crypto management. How much weight each area receives will depend on existing infrastructure, compliance mandates, and the four V's: Value, Volume, Variety and Velocity.
Identify sensitive data and determine the level of encryption required. Consider all of the threats that apply to data at different points in its lifecycle, and ensure that crypto operations have appropriate offloading and acceleration to avoid processing bottlenecks.
The requirements of your use case(s) and environment will determine the keys’ roles and ultimately how they are stored and protected. Organizations have the option of storing their keys within hardware or software.
There must be an integrated approach around generating, storing, distributing, rotating, revoking, suspending and terminating keys for devices and applications. A centralized management platform will perform all key-related tasks and tie back to other systems or HSMs.
To ensure consistent policy enforcement, provide transparency, and maintain the health of your system, every organization should have one easy-to-use interface to configure policies, monitor and report on, and provision all cryptographic resources.
Make sure that the ciphers and algorithms you use are consistent with current industry standards and widely used, because the classification of ‘strong’ cryptographic algorithms can change over time. Next, establish key lengths with the right combination of protection and flexibility. Gemalto’s suite of encryption solutions enables you to protect and control sensitive data as it expands in volume, type and location, from the data center to virtual environments and the cloud.
Look at current workflows and applications. Where will encryption and decryption take place? Depending on where you want encryption to run, and the velocity, you may need to consider incorporating high-speed cryptographic processors. Gemalto can provide a variety of solutions for offloading cryptographic processes from application servers to dedicated hardware.
For keys that are trusted to protect highly sensitive data and applications, a centralized, hardware-based approach to key storage is recommended. Keys never enter or leave the tamper-resistant vault in the clear, so they are isolated from traditional network attacks, and should the hardware security module (HSM) be compromised, the keys are zeroized. All SafeNet HSMs have been through stringent third-party testing against publicly documented standards.
Some use cases will require cryptographic keys to exist in close proximity to the data and applications they secure. Organizations trying to encrypt large numbers of smaller segments of data, with high availability and usage requirements, may gravitate toward a distributed key storage model. This model accommodates unlimited transactions and large numbers of keys. SafeNet KeySecure together with the Crypto Operations Pack encrypts structured or unstructured sensitive data, and provides access to leading appliances that support the Key Management Interoperability Protocol (KMIP) – all in one centralized platform.
An organization dealing with a high volume, velocity and variety of keys might consider investing in a system that specializes exclusively in key management duties.
SafeNet KeySecure is available as a hardware appliance or hardened virtual security appliance.
With SafeNet Crypto Command Center, security administrators can create a centralized pool of high assurance cryptographic resources that can be provisioned out to the people and lines of business in their organization that need them.
Consistent policy enforcement requires the ability to provision and de-provision cryptographic resources, automate client provisioning, and create multi-tenant, tiered security administrator access levels.
First, determine how many keys can be generated, and where they are stored. Keep system variables such as backup networks and users up to date. Next, establish a policy for key usage, defining application and device access levels and which operations each may perform.
Lastly, secure, automated and unified logging and reporting are absolutely crucial to maintaining the requisite risk and compliance posture. Key ownership must also be clearly defined, and all modifications recorded and securely stored in order to provide an authentic and trusted audit trail of key state changes.
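The three pieces above (an integrated key lifecycle, a key usage policy tied to application access levels, and an owner-controlled, tamper-evident audit trail of key state changes) fit together in a small model like the following. This is an added illustration, not Gemalto or SafeNet code; the state names, the transition table, the per-state usage policy and the SHA-256 hash chain used to make the log tamper-evident are all assumptions chosen for the example.

```python
import hashlib
import json
import time
# Assumed lifecycle modelled on the page's generate/rotate/suspend/revoke/terminate list.
TRANSITIONS = {"generated": {"active", "destroyed"},
               "active": {"suspended", "rotated", "revoked"},
               "suspended": {"active", "revoked"},
               "rotated": {"revoked", "destroyed"},  # superseded by a newer key version
               "revoked": {"destroyed"}, "destroyed": set()}  # destroyed is terminal
# Assumed usage policy: only active keys protect new data; suspended or rotated
# keys may only read back what they already protected; revoked/destroyed serve nothing.
USABLE = {"active": {"encrypt", "decrypt", "sign", "verify"},
          "suspended": {"decrypt", "verify"}, "rotated": {"decrypt", "verify"}}
class KeyLifecycle:
    def __init__(self):
        self.keys = {}         # key_id -> {"state", "owner", "policy": {client: {ops}}}
        self.log = []          # append-only audit records, each chained to the previous
        self._prev = "0" * 64  # hash of the previous record (genesis value)
    def _record(self, **event):
        event.update(ts=time.time(), prev=self._prev)
        self._prev = event["hash"] = hashlib.sha256(
            json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.log.append(event)
    def generate(self, key_id, owner, policy):
        self.keys[key_id] = {"state": "generated", "owner": owner, "policy": policy}
        self._record(actor=owner, key=key_id, action="generate", state="generated")
    def transition(self, key_id, new_state, actor):
        k = self.keys[key_id]
        if actor != k["owner"]:  # only the defined key owner may change a key's state
            self._record(actor=actor, key=key_id, action="denied", state=k["state"])
            raise PermissionError(f"{actor} does not own {key_id}")
        if new_state not in TRANSITIONS[k["state"]]:
            raise ValueError(f"illegal transition {k['state']} -> {new_state}")
        k["state"] = new_state
        self._record(actor=actor, key=key_id, action="transition", state=new_state)
    def authorize(self, key_id, client, op):  # client must be granted op AND state must permit it
        k = self.keys[key_id]
        allowed = op in k["policy"].get(client, set()) and op in USABLE.get(k["state"], set())
        self._record(actor=client, key=key_id, action=op, state=k["state"], allowed=allowed)
        return allowed
    def verify_log(self):  # recompute the chain; an edited, reordered or deleted record breaks it
        prev = "0" * 64
        for e in self.log:
            body = {f: v for f, v in e.items() if f != "hash"}
            if body["prev"] != prev or e["hash"] != hashlib.sha256(
                    json.dumps(body, sort_keys=True).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True
```

Every authorization decision, including denied ones, lands in the same chained log, so a reviewer can reconstruct who did what with which key in which state and detect any after-the-fact edit to that history.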
Learn the need-to-knows about crypto management from our comprehensive guidebook, covering in depth each of the four essential Crypto Foundation elements – crypto processing and acceleration, key storage, key lifecycle management, and crypto resource management – and outlining use cases to consider.
Join Mark Yakabuski, Gemalto’s VP of Product Management, Crypto Management, for this on-demand webinar, as he discusses today’s cyber security landscape alongside real world use cases. Learn how to build and manage a secure and flexible crypto foundation in on-premise, hybrid, and cloud environments.