Wednesday, March 4, 2009

Key Management

This is a thread from a LinkedIn discussion (Information Security Community)

What are the important aspects of an encryption key management policy?

Please feel free to post any thoughts on what you believe should be included in an encryption key management policy. Thanks in advance.

- What are the elements of a good backup policy? Is keeping keys in escrow enough? Or is a more immediately available backup needed as well?

- What kind of physical and logical access controls (or other measures) should be implemented around the keys to prevent unauthorized access, modification, duplication, or destruction of the keys?

- What are the elements of a good process for destroying keys that are old or may have been compromised? Should keys be periodically updated and replaced to further mitigate the threat of unauthorized duplicates?

- What are the best software solutions in the marketplace for managing encryption keys? What aspects of a software solution are most important?

- Who should be the ultimate approver for access to the keys? Particularly if the software owner and database owner are not the same person/group; which group should own the keys, related processes, and approval role?

The Responses:


You should definitely check out NIST Key Management Guideline:
http://www.linkedin.com/redirect?url=http%3A%2F%2Fcsrc%2Enist%2Egov%2Fgroups%2FST%2Ftoolkit%2Fkey_management%2Ehtml&urlhash=J9SW&_t=tracking_disc

Especially SP 800-57 Part 2, Recommendation for Key Management - Part 2: Best Practices for Key Management Organizations:
http://www.linkedin.com/redirect?url=http%3A%2F%2Fcsrc%2Enist%2Egov%2Fgroups%2FST%2Ftoolkit%2Fdocuments%2FSP800-57Part2April2005%2Epdf&urlhash=7bVc&_t=tracking_disc

And SP 800-57, Part 3 DRAFT Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance:
http://www.linkedin.com/redirect?url=http%3A%2F%2Fcsrc%2Enist%2Egov%2Fpublications%2Fdrafts%2F800-57-part3%2FDraft_SP800-57-Part3_Recommendationforkeymanagement%2Epdf&urlhash=vRs3&_t=tracking_disc

With regards to your questions: Detailed specification of controls really depend on the risk posture. I.e. it's very different for personal finance data and for nuclear arms control. Besides it's unrealistic to expect same techniques to work universally in different applications/platforms.

As for the user interface aspect of key management PGP is the gold standard:
http://www.linkedin.com/redirect?url=http%3A%2F%2Fwww%2Epgp%2Ecom%2Fproducts&urlhash=dceX&_t=tracking_disc

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)