Encryption key management is one of the most important “basics” for an organization dealing with security and privacy protection.  Major data losses and regulatory compliance requirements have prompted a dramatic increase in the use of encryption within corporate data centers.

By including encryption key management with other security measures, companies can administer the tasks involved with protecting, storing, backing-up, and organizing encryption keys. This is necessary to address relevant challenges that companies face, including:

–  Several different, and possibly incompatible, encryption tools will be used unknowingly, resulting in thousands of encryption keys — each of which must be securely stored, protected, and retrievable in a reliable fashion.

–  Confidential data resides in hundreds of places throughout an organization, resulting in a high demand for effective, practical, automated, and risk-mitigating ways to manage keys throughout their life-cycle so “good guys” have access and “bad guys” do not.

Encryption is difficult for companies to perform on their own, as is the associated encryption key management.  Keys grow exponentially as companies manage the data encryption life-cycle.

If not managed properly, a new problem emerges:  how to control and protect access to the keys to ensure they don’t get into the wrong hands, and that they are available when needed — today and in the future.

Consider the following two-step process to manage data security risk while complying with regulatory requirements, from Gary Palgon’s, “8 Best Practices for Encryption Key Management and Data Security”:

Step #1 – Eliminate as much collection and storage of sensitive data as possible — if you don’t really need it, get rid of it.

Step #2 – Encrypt, hash, or mask the remaining sensitive data at rest and in transit.

“Encryption has become an increasingly important weapon in the security arsenal for data at rest in databases, files, and applications and for data in transit.  Encryption is a perfect companion to strong perimeter and firewall protection.  It is also one of the most important ways to protect against internal threats, which some estimate put as high as 73 percent of all breaches.  Your firewall and perimeter security can’t protect you from the folks inside the fort, but encryption can”, says Palgon.

Palgon specifies eight best practices in encryption key management and data security, including:

1.  Decentralize encryption and decryption.  One critical issue in designing a data protection plan is whether encryption and decryption will take place locally and be distributed throughout the enterprise, or will be performed at a central location on a single-purpose encryption server.  If encryption and decryption are distributed, the key manager must provide for the secure distribution and management of keys.  Click HERE to continue reading.

2.  Centralize key management with distributed execution.  A solution that employs a hub-and-spoke architecture for distributed key management allows encryption and decryption nodes to exist at any point within the enterprise network.  Spoke key-management components are easily deployed to those nodes and integrated with the local encryption applications.  Once the spoke components are active, all encryption and decryption of the formerly clear text data is performed locally to minimize the risk of a network or single component failure having a large impact on overall data security.  Click HERE to continue reading.

If you are interested in how IRI FieldShield, CellShield or DarkShield users manage encryption keys in structured, semi-structured, and unstructured data masking operations, click HERE.