Blog

Are You the Keymaster?

Sep 10, 2021

By Juan C. Asenjo, Ph.D., CISSP


If you grew up in the 80s, you will remember the line “Are you the keymaster?” from the original Ghostbusters movie. In the film, a malevolent force takes hold of Louis Tully – played by none other than Rick Moranis – to turn him into the keymaster that enables evil spirits to overtake numerous sites in New York. Fast-forward to the real world in 2021, and while we have not seen ghosts overrun our cities, what we have seen is a rapid proliferation of bad actors trying to besiege the defenses of virtual machines (VMs) that perform critical functions across modern computing infrastructures. Widespread use of VM clusters processing sensitive information requires data-at-rest and workload security across on-premises, multi-cloud, and hybrid deployments to keep evildoers in check. In this blog, we’ll examine how the growing use of encryption across VMs and storage media has led to a dramatic increase in the volume of cryptographic keys that organizations must manage throughout their lifecycle.

Today’s environment

As organizations’ computing needs grow, they typically look to future-proof operations and lower data storage costs by expanding their use of virtualized environments. Businesses have also shifted from capital to operational expense models through cloud migration, which has delivered more flexibility as well. Multi-cloud and hybrid environments have provided the resilience and assurance that many seek as they transform their businesses. The transformation has been accompanied by rapid growth in the use of encryption, and while this is a welcome development, it has left many organizations struggling to control the processes that underpin the security of their applications and data. The annual Global Encryption Trends Study conducted by the Ponemon Institute has closely monitored the adoption of encryption strategies across organizations over the past 15 years. The most recent study found that the share of enterprises applying a consistent encryption policy has steadily increased from just 15% in 2006 to 50% today, with no sign of slowing.

Importance of key management

So, what does the growth of encryption have to do with the keymaster? The rapid proliferation of encryption brings with it a corresponding increase in the volume of keys that organizations must manage, and being a keymaster (in this sense) means being in control of those keys. In practice, however, managing growing volumes of keys poses significant challenges, particularly when numerous applications and deployment environments are involved.

Distributed keys often have no clear ownership or consistent management policy, creating risk for organizations. Encryption is only as good as the protection given to the keys. Lose the keys – lose the data. Not knowing where your keys are, who owns them, or what usage policies apply to them means you can easily fail an audit or, worse, fall victim to a data breach with severe implications for your business.

Encryption capabilities offered by virtualized datacenter environments and storage media can take advantage of centralized key management solutions to ensure greater control over the keys. Data encryption for these clusters protects sensitive information and often reduces the scope of regulatory audits and compliance requirements. Integrating a root of trust with hardware security modules (HSMs) further enhances security, delivering high-quality, high-entropy keys to endpoint applications and managing them throughout their lifecycle. Using the Key Management Interoperability Protocol (KMIP), an open standard for handling symmetric and asymmetric keys, compliant endpoint applications can be managed by the centralized key manager to reduce risk and facilitate compliance.
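To make the two preceding points concrete (keys need an owner and a usage policy; a central manager backed by a root of trust wraps the keys it hands out and tracks their lifecycle), here is a small added illustration. It is not code from the original post, nor from any real KMIP server or HSM product. It models a key manager that generates data-encryption keys (DEKs) for workloads, wraps them under a key-encryption key (KEK) standing in for one held in an HSM, records an owner and purpose, and releases plaintext DEKs only to their owner and only in a KMIP-style lifecycle state that permits the requested use. The state names (Pre-Active, Active, Deactivated, Destroyed) and the rule that a deactivated key may still decrypt but not protect new data follow KMIP; everything else (the class names, the HMAC-SHA256-based wrapping used as a standard-library stand-in for AES-GCM, the sample owners) is an assumption made for the example.

```python
"""Toy central key manager (added illustration; not a real KMIP server or HSM)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# KMIP object states used here (simplified path): Pre-Active -> Active -> Deactivated -> Destroyed
PRE_ACTIVE, ACTIVE, DEACTIVATED, DESTROYED = "Pre-Active", "Active", "Deactivated", "Destroyed"
# A deactivated key may still process (decrypt) existing data but must not protect new data.
ALLOWED_USES = {ACTIVE: {"protect", "process"}, DEACTIVATED: {"process"}}


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with HMAC-SHA256 as the PRF: a stdlib stand-in for AES-GCM key wrapping.
    Output layout: nonce(16) | ciphertext | tag(32)."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a tampered wrapped key is rejected."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("wrapped key failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class KeyRecord:
    key_id: str
    owner: str      # the workload or team accountable for the key
    purpose: str    # e.g. "disk-encryption"; part of the usage policy
    state: str
    wrapped: bytes  # DEK wrapped under the KEK; the plaintext DEK is never stored


class KeyManager:
    def __init__(self, kek: bytes):
        self._kek = kek  # in a real deployment the KEK never leaves the HSM
        self._keys: dict[str, KeyRecord] = {}

    def create(self, owner: str, purpose: str) -> str:
        dek = secrets.token_bytes(32)
        key_id = secrets.token_hex(8)
        self._keys[key_id] = KeyRecord(key_id, owner, purpose, PRE_ACTIVE, seal(self._kek, dek))
        return key_id

    def _transition(self, key_id: str, allowed_from: set, to: str) -> None:
        rec = self._keys[key_id]
        if rec.state not in allowed_from:
            raise ValueError(f"{key_id}: cannot move from {rec.state} to {to}")
        rec.state = to
        if to == DESTROYED:
            rec.wrapped = b""  # drop the material: data still under this key is now unrecoverable

    def activate(self, key_id: str) -> None:
        self._transition(key_id, {PRE_ACTIVE}, ACTIVE)

    def deactivate(self, key_id: str) -> None:
        self._transition(key_id, {ACTIVE}, DEACTIVATED)

    def destroy(self, key_id: str) -> None:
        self._transition(key_id, {DEACTIVATED}, DESTROYED)

    def get(self, key_id: str, requester: str, use: str) -> bytes:
        """Release the plaintext DEK only to its owner and only for a use its state allows."""
        rec = self._keys[key_id]
        if rec.owner != requester:
            raise PermissionError(f"{requester} does not own {key_id}")
        if use not in ALLOWED_USES.get(rec.state, set()):
            raise PermissionError(f"{key_id} is {rec.state}; '{use}' not permitted")
        return unseal(self._kek, rec.wrapped)

    def rotate(self, key_id: str) -> str:
        """Issue a fresh active DEK for the same owner/purpose; the old one may only decrypt."""
        old = self._keys[key_id]
        new_id = self.create(old.owner, old.purpose)
        self.activate(new_id)
        self.deactivate(key_id)
        return new_id

    def inventory(self) -> list:
        """The audit view: every key, who owns it, what it is for, and where it is in its life."""
        return [(r.key_id, r.owner, r.purpose, r.state) for r in self._keys.values()]
```

The point of the toy is the policy, not the cipher: every DEK has an accountable owner, a stated purpose and a state, the plaintext DEK exists only transiently at the endpoint, and `inventory()` is the answer to the auditor's question "where are your keys and what can they be used for?". Swap `seal`/`unseal` for AES key wrap or AES-GCM performed inside an HSM and the structure is what a KMIP-managed deployment looks like.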

Added root of trust

Key management servers can integrate with HSMs to provide high-assurance lifecycle management of keys. HSMs are hardened, tamper-resistant appliances that secure cryptographic processes by generating, protecting, and managing the keys used for encrypting and decrypting data and for creating digital signatures and certificates. HSMs are generally tested and certified to security standards such as FIPS 140-2 and Common Criteria, helping organizations meet regulatory and compliance requirements such as GDPR, eIDAS, PCI DSS, HIPAA, and others.

The effectiveness of any encryption strategy depends on the protection given to the underpinning keys. As enterprises benefit from the economies and flexibility of VMs and cloud services, they also need to strengthen their key management practices to regain control. Achieving this across hybrid and multi-cloud environments matters even more, because it ensures consistent policy enforcement and facilitates security audits and regulatory compliance. HSMs offer the robust security needed to ensure that data protection mechanisms can be trusted.

Way forward

With the right key management tools, you don’t have to be afraid of ghostly keys dispersed across your applications. HSMs can help ensure the security of your organization’s most sensitive workloads and data, establishing a robust root of trust so you can use VMs and cloud services – and transform your business with confidence. 

While malicious actors can plague today’s IT environment, so far it remains free of paranormal activity. However, protecting your critical keys should be top of mind.