If your cryptographic keys are lost or stolen – your security is severely broken

A steadily increasing number of security architects now realize that companies skipping the competence build-up for handling key management and instead only relying on software doing the entire job, pose a significant security threat.
Cryptographic key management is one of the cornerstones of modern ICT systems. These keys are the gatekeepers preventing the system and the applications from being misused. Cryptographic keys, user credentials including passwords are still stored in files on local laptops, or on file shares – without any serious protection.

The main challenges for operation staff, security architects and security officers include:

  1. Finding all the keys in an enterprise, which is often a problem due to lack of inventory.
  2. Understanding the different types of cryptographic keys and their accessories.
  3. Lacking key-rotation makes your system halt.
  4. Handling cryptographic keys in complex infrastructure with a variety of hardware.

The vendors for Vault and Security Module software have tried to accommodate such problems by way of building processes, procedures, and routines for Key Management into their tools. Hence manually written routines could be replaced by automation and gentle and easy guidelines. In this way the security advisors or crypto officers did not have to construct a library of manually written textual procedures, and some of the required routines could be executed more securely and more efficiently.

The danger with automation is that the organizations put too much trust in the tools offered. Can you manage something you do not understand? Can you learn all you need about key management from a tool? Policies for handling cryptographic keys should be decided upon – on a company level, and the training and education should be maintained on the ground level. Automation should be a natural part of such strategies. So should specifically testing and analysis of the tools supplied to the ICT-infrastructure of the organization. Security architects are searching for new tools supporting and facilitating such testing, which has been overlooked for years.

To summarize: You should understand key management so that you can choose the right tool for protecting your keys and secrets.

Challenges Related to Operational Management of Cryptographic Keys

We previously advocated for the importance of Key Management for ordinary enterprises[url/link]. But how do you mitigate intrinsic threats in Cryptographic Key management? A good start would be to apply this four-step checklist in your efforts to gain control:

1. Finding all the keys in an enterprise. In a typical enterprise – there is no inventory for cryptographic keys. In practice this means the enterprise and the staff in charge – do not know about all the keys. Some keys are only known to the specialists that have some responsibility for the software. If you do not where all your keys are – and who is responsible for them, they might get lost, or even worse – stolen.

Solution: Build an inventory for cryptographic keys that is complete.

2. Understanding the different types of cryptographic keys and their accessories.  Which of the keys you have are particularly important? Some keys are master keys of root keys. Everything else depends on securing these keys. Typically, there are chains of derived keys from the root/masters – that form a key hierarchy. Understanding the different key types – and their different requirements for protection is crucial for a company – to give the correct level of protection to the assets.

Solution: Understanding complicated cryptography is only possible through extensive training, and continuous learning – staff should be dedicated and get enough time to keep updated.

3. Lacking key-rotation makes your system halt. Many keys are rotated on a regular basis (once month or once a year), to prevent compromise, reduce recovery time, and maintain compliance by following best practices. But key rotation frequently leads to downtime and problems for ICT dependent enterprises too. When operating staff forget to rotate keys, or the tools for automated key rotation malfunctions, services involving huge number of users, abruptly halts.

Solution: If key rotation routines are properly documented and well understood among the staff, you can get your system up again quickly. If you have a tool that can automate the rotation, then do so – and pay extra attention to the keys that live outside the tool and outside the scope of automation.

4. Complex infrastructure with different hardware.  Most enterprises have a myriad of different hardware, laptops, tablets, printers, routers etc. These different types of hardware are equipped with keys and certificates. The challenge with crypto management is twofold: setup and install the appropriate the appropriate cryptographic content on all the various devices and making them communicate, but also to keep these devices updated with the appropriate keys – for keeping them on the net. The share number of entities is huge on spread-out locations. The user-interface for peripheral devices, like printers, is cumbersome for the handling of cryptographic material.

Solution: Implement installation scripts for large stocks of hardware of the same type. Assure that these scripts are properly documented and maintained. For all peripheral devices, build inventories of both the hardware and the cryptographic content on these hosts. Assure that routines for managing these devices are properly documented and managed.

Written by Anders Moen Hagalisletto (CEO) and Erik Rosen (chairman)