
G00272630

Develop an Encryption Key Management Strategy or Lose the Data
Published: 23 January 2015

Analyst(s): Brian Lowans

Most organizations planning data encryption deployments lack proper data security governance and an encryption key management strategy, which increases the risk of data loss.

Key Challenges
- Without proper data governance and operational frameworks for encryption, organizations' risk of data loss will increase.
- Due to a diverse array of data storage environments and platforms located on-premises and in public clouds, it may be impossible to deploy a single organizationwide EKM solution.
- Most organizations struggle to understand the capabilities and limitations that EKM solutions provide, and how to properly configure them.
- Most organizations do not have plans in place to support the long-term access and data encryption requirements to meet data residency, compliance and business needs.

Recommendations
Chief information security officers (CISOs):

- Establish data security governance principles that focus on sensitive data protection, delete unnecessary data storage, and consolidate data stores whether they are on-premises or in the cloud.
- Where possible, minimize the number of encryption vendors (in order to simplify key management operations) by leveraging multiple products from a single vendor that can be applied to multiple data protection use cases.
- Focus on establishing the operational configurations of an EKM deployment that address access, backup, long-term storage and resiliency issues, and use default vendor settings rather than focusing on the "bits and bytes" settings.
- Develop a formalized EKM process that is applicable to all data protection use cases to simplify operations, minimize cost of ownership and reduce the overall risks to data security.

Strategic Planning Assumption

Through 2017, most encryption vendors (that also offer key management solutions) will not standardize their encryption products through OASIS KMIP.

Introduction
Organizations are facing ever-increasing needs to encrypt various types of sensitive, centralized
data stores and public clouds in order to prevent data breaches. A combination of data residency
and compliance issues, internal security audits, and growing threats of hacking is driving the
requirements to develop a data security governance strategy to prioritize sensitive data protection.

To meet these needs, organizations are reaching for a growing inventory of encryption tools to
protect data within a variety of data storage silos, whether structured, semistructured or
unstructured. These may be located within local or external data environments, such as file stores,
databases, big data platforms or various clouds.

With each environment supporting a variety of capabilities and configuration options, the idealized
development of an enterprisewide encryption key management (EKM) solution may not be
attainable. However, a structured EKM technology and process strategy should be developed to
simplify operations, thereby minimizing the cost of ownership and reducing the overall risks.

Analysis
Employ Data Security Governance Principles
1. Develop Data Security Governance Principles

Data classification and targeting the scope of encryption deployment can focus the organizational
need to protect only sensitive data (see "How to Approach Security Data Classification That
Impacts Business Process"). However, this needs executive-board-level support to develop a data
security governance strategy that can identify data residency and compliance requirements, and
then prioritize security risks and threats that will be mitigated through encryption (in tandem with
other data security controls). This is a critical approach as organizations increasingly consider the
deployment of big data and cloud-based applications (see "Market Guide for Data-Centric Audit
and Protection").

Adoption of cloud services or infrastructure is quickly becoming a business priority, but the data security governance assessment must balance the risks associated with cloud-based encryption or EKM. The risk of third-party access to the encryption keys and their physical location in use and in storage will be an important consideration (see "Tackle Six Security Issues Before Encrypting Data in the Cloud" [Note: This document has been archived; some of its content may not reflect current conditions]). Cloud-based EKM and hardware security module (HSM) technologies are emerging to provide key management as a service (KMaaS) offerings.

Sample KMaaS vendors are: Gemalto (SafeNet); HP; KeyNexus; Porticor; Thales e-Security;
Townsend Security; Voltage Security; Vormetric.

2. Leverage Access Controls to Minimize the Need for Encryption

Encryption provides limited access controls when it is applied to storage media, but it will provide
transparency to applications and their functionality. However, when applied at file, data or
application layers, encryption can interfere with the operation and functionality of applications, and
prevent other security technologies from searching the storage content. When encryption is
absolutely required, organizations should attempt to minimize the deployment to the most critical
assets with the highest risks, and they should employ other security tools to protect lower-risk
environments.

Sensitive data is often stored within systems and applications that have enhanced security features
built-in and/or contained within a high-trust zone that is segmented from the day-to-day operational
network. In many cases, a tightening of the existing security mechanisms such as stronger
authentication, managing access privileges, monitoring data access, better auditing and tightening
of the internal zone demarcation points may be a sufficient security control.

3. Reduce the Amount of Sensitive Data

The notion of reducing the amount of sensitive data might seem counterintuitive to an EKM
discussion. However, this reduction has the most significant impact on encryption deployment in
terms of overall operational costs, complexity and scope.

Organizations typically hoard more data than required. While data is the lifeblood of organizations,
many are capable of operating successfully even if they do not hold all or some of the sensitive data
themselves (see "Is Encryption of Centrally Stored Data Mandatory?" [Note: This document has
been archived; some of its content may not reflect current conditions]).

The reality is that a "bulk" strategy for encryption across the entire IT environment is impractical for
several technical and operational reasons, including:

- The loss of functionality, such as search and indexing
- Added delays in accessing and writing data
- Added complexity in troubleshooting
- Separation-of-duties problems between EKM administration and IT administration of the applications
- A potential lack of understanding and awareness of the impact of encryption throughout multiple storage environments and technologies
- A risk of total data loss if encryption keys are mishandled
- A lack of cryptographic vendor offerings to address all possible deployment scenarios

Reducing the amount of sensitive data that needs to be encrypted through deletion or by using
techniques such as data masking and tokenization will reduce the scope and complexity of EKM
deployment.

4. Consolidate Data to Fewer Platforms and Applications

Organizations that cannot reduce unnecessary data or eliminate the sensitive data from within their
environments need to consolidate sensitive data to the fewest platforms or applications as possible.
This will help reduce the complexity of encryption deployment and simplify EKM. Organizations also
will receive the data management benefits associated with consolidation.

After the consolidation process, organizations should establish a vetting process whenever a
request is presented to expand the scope of applications or platforms that host sensitive data. This
will ensure that sensitive data creep is kept to a minimum, and that the encryption solution can be
extended to the new environment.

Operationalize EKM Deployments


1. Are the Bits and Bytes Really That Important?

Most organizations spend too much time discussing, arguing and finally deciding on: (1) the bits
and bytes related to the generation and configuration of the root keys; (2) the various user,
application and system keys; and (3) the overall settings of the system, such as lifetime and key
rotation. There is a perception that, if organizations spend a lot of time on these exercises, they will
have a completely secure cryptographic system. This notion is incorrect.

Organizations should spend the minimal time required to review and adopt industry best practices [1] suggested by various standards organizations, certifying bodies, peers, vendors and industry regulators for the in-system configurations of the defined components. This is specifically true for key lengths, key lifetimes, rotation schemes and other settings.

2. What Makes a Cryptographic System Safe?

Cryptography is nothing more than a time-delay mechanism, just like a safe in a bank. While the key combination mechanism and overall system construction are important, organizations need to focus their energies on the components they can successfully understand and impact, that is, the system configuration elements, including:

- The overall cryptographic strategy
- Day-to-day key management support
- Backup, restoration, recovery, upgrade and retirement of keys

These processes are the important elements in establishing the overall framework for the key management system, and they will have the greatest long-term impact on the system's overall security, usability and survivability.

3. Leverage Embedded Encryption

Many platforms and applications have native encryption capabilities that can be automatically
configured and supported as part of the overall system. Most of these offer a limited set of
configuration options for encryption, as well as EKM capabilities to meet the high-level
organizational security requirements. Some will support third-party EKM via OASIS KMIP or even a
physical HSM, which can be shared with other similar systems.

In this scenario, organizations need to establish a process for ensuring that the overall EKM
platform or individual EKM applications are properly backed up. Organizations also should
understand the procedures for recovering or restarting the encryption operations in the event of a
critical system failure.

4. Minimize the Use of Third-Party Vendors

One of the industry's "dirty little secrets" is that, while standards do exist for the establishment of an
enterprise EKM solution, most vendors that offer encryption products and EKM solutions do not
support the adoption of a third-party EKM for their encryption keys. This is despite their compliance
with the OASIS KMIP standard (see "Is OASIS KMIP Yet Another Hollow Key Management
Standard?" [Note: This document has been archived; some of its content may not reflect current
conditions]).

Organizations typically have many different requirements for encryption, including different use
cases, deployment platforms and capability support. As a result, they are rarely able to acquire a
single cryptographic solution that can address all their cryptographic requirements. This means
that, in the end, most organizations will acquire several different solutions to achieve their desired
goals. However, by choosing vendors that offer support for more than one platform or data
repository, rather than choosing the best of breed for every use case, it is possible to limit the
number of vendors.

Many vendors now offer on-premises EKM solutions that comply with OASIS KMIP.

Sample vendors are: Gemalto (SafeNet); HP; IBM; Protegrity; RSA, The Security Division of EMC;
Symantec; Thales e-Security; Townsend Security; Voltage Security; Vormetric.

Day-to-Day EKM Operations


1. Fewer Vendor Systems Will Simplify the Management

The most complex aspect of any third-party cryptographic deployment involves deciphering the
various vendor configurations, system options, platform dependencies and system limitations
associated with a cryptographic solution.

Organizations have a limit to the amount of time that staff members can dedicate to becoming
experts in a given solution. Increasing the number of different vendor cryptographic solutions
deployed within a given environment increases the overall complexity level of the whole system, due
to higher demands on staffing, increased training and the greater risk of misunderstanding a
particular deployment configuration dependency.

By minimizing the number of third-party encryption solutions being deployed within an environment,
organizations can focus on establishing a cryptographic center of excellence, where deployment
scenarios can be fully assessed and understood, and where organizations can standardize on a
process for deploying and managing a solution.

2. Develop a Management Process

A competent security expert should be able to implement the management process, and should not
require a deep cryptographic expert. Most current key management systems are fully automated
and require minimal staff intervention, beyond the initial system configuration and routine
maintenance tasks. It is important to establish a process for the regular review of the cryptographic
system and operational logs in order to identify potential issues and ensure that operation and
performance continue to be within system guidelines.

One of the critical tasks of a key manager is to create, update and back up keys utilized by the applications that use encryption [1]. This is performed at a predefined time interval and is commonly referred to as "key rotation." Vendors have different key rotation schemes, and, while nearly all are fully automated and rotate keys in real time, the process takes time to re-encrypt data using a replacement key; thus, it will impact the state of an application, meaning that, at any given time, there might be several generations of encryption keys in use. As a result, any backup and recovery of an application would require access to the entire lineage of encryption keys.
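The rotation behaviour just described, several key generations live at once and a backup that must carry the whole lineage, can be made concrete in code. The following Python is an added example, not Gartner's or any vendor's code: the KeyManager class, its method names and the record layout (key ID, nonce, body, tag) are assumptions made for the demonstration, and the cipher is a toy built from HMAC-SHA256 so that the example runs with the standard library alone; it illustrates key lineage, not a production cipher.

```python
"""Key-generation lineage demo (added example, not from the Gartner note).

Every ciphertext records the ID of the key generation that produced it.
Rotation adds a generation; re-encryption is gradual, so several generations
are live at once, and a backup missing any live generation cannot restore
the records encrypted under it. Toy cipher: HMAC-SHA256 keystream plus
HMAC-SHA256 tag, standard library only, for illustration.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, Set

KEY_ID_LEN, NONCE_LEN, TAG_LEN = 4, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC (toy construction)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class KeyManager:
    """Minimal EKM (assumed API): keeps every generation it has issued, by key ID."""

    def __init__(self) -> None:
        self.generations: Dict[int, bytes] = {}
        self.current_id = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new generation; older ones stay available for existing data."""
        self.current_id += 1
        self.generations[self.current_id] = os.urandom(32)
        return self.current_id

    def backup(self) -> Dict[int, bytes]:
        """Full-lineage backup: every generation, not only the current one."""
        return dict(self.generations)

    def restore(self, snapshot: Dict[int, bytes]) -> None:
        self.generations = dict(snapshot)
        self.current_id = max(snapshot)

    def encrypt(self, plaintext: bytes) -> bytes:
        key_id, nonce = self.current_id, os.urandom(NONCE_LEN)
        key = self.generations[key_id]
        body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        header = struct.pack(">I", key_id) + nonce
        tag = hmac.new(key, header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        (key_id,) = struct.unpack(">I", blob[:KEY_ID_LEN])
        key = self.generations.get(key_id)
        if key is None:  # the generation is gone: this record is digitally shredded
            raise KeyError(f"key generation {key_id} unavailable; data unrecoverable")
        nonce = blob[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
        body, tag = blob[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(key, blob[:-TAG_LEN], hashlib.sha256).digest()):
            raise ValueError("authentication failed")
        return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

    def reencrypt(self, blob: bytes) -> bytes:
        """One step of gradual rotation: move a record to the current generation."""
        return self.encrypt(self.decrypt(blob))


def generations_needed(blobs: Iterable[bytes]) -> Set[int]:
    """The lineage a backup of this data set must contain to be restorable."""
    return {struct.unpack(">I", b[:KEY_ID_LEN])[0] for b in blobs}


def _recoverable(km: KeyManager, blob: bytes) -> bool:
    try:
        km.decrypt(blob)
        return True
    except KeyError:
        return False


def demo() -> dict:
    """Constructed scenario: rotate once, re-encrypt one record, restore from two backups."""
    km = KeyManager()
    records = [km.encrypt(b"account %d" % i) for i in range(3)]      # generation 1
    km.rotate()
    records += [km.encrypt(b"account %d" % i) for i in range(3, 5)]  # generation 2
    records[0] = km.reencrypt(records[0])                             # partial re-encryption
    full_lineage, current_only = km.backup(), {km.current_id: km.generations[km.current_id]}

    lost = KeyManager()
    lost.restore(current_only)   # a backup that kept only the newest key
    ok = KeyManager()
    ok.restore(full_lineage)
    return {
        "live_generations": sorted(generations_needed(records)),
        "unrecoverable_with_current_only": sum(not _recoverable(lost, r) for r in records),
        "recovered_with_full_lineage": sum(_recoverable(ok, r) for r in records),
        "total": len(records),
    }


if __name__ == "__main__":
    print(demo())
```

Two records still sit under generation 1 when the "current key only" backup is restored, and exactly those two are lost; the full-lineage snapshot recovers all five. The same model covers the upgrade case later in the note, where a system drops keys that no longer match its baseline: the generations_needed() set tells you which generations a backup must keep.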

When separate geographic locations employ encryption, organizations can deploy local EKM
solutions that are synchronized. The synchronization is also a function that is typically fully
automated; however, it is still recommended that a process be established to monitor the
operations in order to minimize downtime and ensure system performance.

3. Backup, Restoration, Recovery, Upgrade and Retirement of Keys

One of the most critical aspects of operating a key manager involves the backup of the EKM
database. Without a proper backup, a system failure would result in the complete loss of encrypted
data, which would be equivalent to digital shredding.

Software-based key managers typically rely on an external backup system to support the EKM
solution. However, hardware-based EKM solutions typically leverage smart cards, HSMs or external
management solutions to back up or duplicate the encryption keys used by the primary system.
This configuration also can be used to support fault-tolerant or high-availability deployments.

In either case, while it is important to ensure that the backups are successful, it is also critically important to restrict access to the backups themselves, since they represent a working copy of the encryption keys used by the system and are designed to be used in re-creating a working environment. An "m-of-n process" (for example, two of five administrators must be present and use their smart cards to reinstall the root keys) needs to be established to restrict access to the backups. A process that tracks the full chain of custody from creation to storage to access of the backups also needs to be put in place.

One additional point to consider regarding the m-of-n best practice involves establishing a process for addressing changes and departures (and, more specifically, terminations) of m-of-n key holders.

On-site and off-site key storage also should be considered, based on the risk profile of the system
and the data. All keys and physical authentication devices need to be secured by the custodians in
a container that is locked, fire-resistant and tamper-evident. An example would be a tamper-evident
sealed bag locked in a fireproof safe.
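The note describes the m-of-n quorum only at the process level (two of five administrators with smart cards) and names no mechanism. As an added example that is not part of the Gartner note, the Python below realizes such a quorum with Shamir secret sharing over a prime field, including the re-dealing step a quorum performs when a key holder departs so that the departed holder's share stops being useful. The function names, the 2-of-5 and 3-of-5 parameters and the random root key are constructed for the demonstration.

```python
"""m-of-n custody of a root key via Shamir secret sharing (added example).

Any m of the n custodian shares rebuild the root key; fewer yield an
unrelated field element. When a custodian leaves, a quorum rebuilds the key
and deals a fresh share set; the old share no longer combines with it.
Arithmetic is over GF(P) for a large prime P.
"""
import secrets
from typing import List, Tuple

P = 2**521 - 1            # Mersenne prime, comfortably larger than a 256-bit key
Share = Tuple[int, int]   # (x, f(x)); x is the custodian number, never 0


def _eval_poly(coeffs: List[int], x: int) -> int:
    acc = 0
    for c in reversed(coeffs):            # Horner's rule, reduced mod P
        acc = (acc * x + c) % P
    return acc


def split(secret: int, m: int, n: int) -> List[Share]:
    """Deal n shares of which any m reconstruct the secret (the constant term)."""
    if not 0 < m <= n or not 0 <= secret < P:
        raise ValueError("bad threshold, or secret too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. With fewer than m shares the value is unrelated."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse
    return secret


def redeal(quorum: List[Share], m: int, n: int) -> List[Share]:
    """Departure procedure: a quorum rebuilds the key and issues a fresh share set."""
    return split(combine(quorum), m, n)


def demo() -> dict:
    """Constructed scenario with a random 256-bit root key and the note's 2-of-5 quorum."""
    root = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split(root, 2, 5)
    fresh = redeal([shares[1], shares[4]], 2, 5)   # custodian 3 has left; 2 and 5 re-deal
    return {
        "two_of_five_recover": combine([shares[0], shares[3]]) == root,
        "one_alone_recovers": combine([shares[0]]) == root,          # False
        "fresh_pair_recover": combine([fresh[2], fresh[4]]) == root,
        "stale_plus_fresh_recover": combine([shares[2], fresh[0]]) == root,  # False
    }


if __name__ == "__main__":
    print(demo())
```

Shares are the "physical authentication devices" of the text: each custodian's (x, f(x)) pair lives on a smart card or in the tamper-evident bag, and the chain-of-custody record tracks those, not the root key itself. Re-dealing changes every share, so a termination means collecting or invalidating old cards and issuing new ones to all remaining holders.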

4. Long-Term Resiliency of Encryption Solutions

Finally, the need for the long-term retention of backups should be considered for active and retired
EKM systems. Native encryption solutions may be upgraded as the applications are patched,
providing built-in resiliency; however, if these solutions rely on local databases or vaults to store the
keys, then any changes affecting third-party EKM also must be upgraded.

EKM solutions are designed to maintain an ongoing history of the encryption keys that have been used. However, for some solutions, when a system is upgraded, previous keys that do not match the new baseline configurations may be removed from the system. This would require an organization to maintain two active copies of a backup (one before the upgrade and one after) to ensure that it has access to the encryption keys that may have been used previously, in the event that the organization needs to retrieve data from a long-term backup.

In addition, if an encryption solution is decommissioned, then the backups containing application data that were protected using that solution will continue to be encrypted. This will be an important point to consider when backups are retained for long periods of time that are well beyond the typical operational life of an encryption solution (for example, 10 years or more). In this scenario, organizations also would need to keep copies of the key management solution and the encryption software that were used to protect the data on the backups.

Additional research contribution and review: Carsten Casper, Joseph Feiman, Joerg Fritsch, John
Girard, Erik Heidt, Craig Lawson

Gartner Recommended Reading


Some documents may not be available as part of your current Gartner subscription.

"Address Nine Security Issues Before Encrypting Data in a Remote Data Center"

"Five Cloud Data Residency Issues That Must Not Be Ignored"

"Develop a Storage Encryption Strategy From the Vault to the Cloud"

"Effective Encryption Key Management"

Evidence
1. E. Barker, W. Barker, W. Burr, W. Polk and M. Smid, NIST Special Publication 800-57, "Recommendation for Key Management Part 1: General (Revision 3)," July 2012.

GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity.

