Suresh Vasudevan, SVP and GM of the Networked Storage and Manageability Group at Network Appliance, talks to Biztech2 about the importance of key management in data encryption.
In data encryption, how important is key management?
Let’s put it this way: encryption is only about as good as the associated key management system, simply because if you lose the keys that decrypt the data, then it’s as good as lost.
Data encryption is an extremely effective means of securing information critical to an organisation’s business. It provides the all-important data privacy in the event of data theft or data loss. However, that’s just one aspect of data protection. The second and perhaps the harder part is the management of encryption and decryption keys, the secret codes that lock and unlock the data.
Today’s ever so stringent regulatory environment demands that some data be retained for extended periods of time. Also, the global and mobile nature of today’s businesses and the involvement of third parties in the storage workflows mean that the keys that encrypt and decrypt the data must follow it wherever it goes. This can only be accomplished through efficient key management.
What are some of the challenges as far as key management is concerned?
There is no doubt that encryption is the best possible way of ensuring data protection, and increasingly more and more organisations are resorting to it. But the greater the use of encryption, the more problems it creates for key management. Encryption tends to turn a data management problem into a key management challenge.
Hence it is no surprise that key management is often cited as a major operational issue when it comes to encryption. One of the issues is the manual way of managing keys. Estimates suggest that a good percentage of organisations still rely on manual processes to deal with key management. Even today, processes such as generating new keys, importing existing keys to machines as they come online and rolling over keys are performed manually.
Geography, heterogeneous environments and the sheer scale of encryption tend to create major problems for key management. Managing and automating the creation and distribution of keys across disparate applications running on large numbers of geographically dispersed devices is easier said than done.
When one talks about enterprise-wide key management, processes such as key archival, recovery and mobility are extremely important. But perhaps the most important aspect is associating the right keys with the right data. Organisations must ensure that wherever the data flows, the right key follows it, because otherwise there’s no way to decrypt that data.
What are some of the common elements of an efficient key management system?
Well, there are a number of elements that go into having an efficient key management system, but the most basic and probably the most important one is key lifecycle management. For a key management system to truly work, there has to be a practice which manages the complete lifecycle of keys, right from the time a key is generated to the time it is deleted.
A key lifecycle usually includes processes such as key generation, key distribution, key archival, key sharing, key recovery and key deletion.
Another crucial element is establishing a security policy and user authentication system. Having such a system in place is important because it can establish and enforce the criteria for managing the key lifecycle. Role-based administration can be particularly useful here. It essentially means that only authorised individuals can access crucial key management resources and perform related tasks.
Besides this, it also helps to have an auditing process that keeps tabs on who did what, and constant monitoring and reporting can prevent deliberate or accidental key abuse instances.
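The lifecycle, role-based administration and audit trail described in the last three answers, as an added example in Python that is not part of the interview or of any NetApp product. The roles, key identifiers and object names are constructed; the point it demonstrates is that rotation archives rather than destroys a key, that an archived key can only be recovered for data already encrypted under it, and that a key still associated with data cannot be deleted, because deleting it would lose the data with it.

```python
import secrets

# Constructed role policy (an assumption, not from the interview): which lifecycle actions each role may perform.
ROLE_PERMISSIONS = {"key-admin": {"generate", "rotate", "delete"}, "app": {"use"}}

class KeyManager:
    def __init__(self, roles):
        self.roles = roles       # actor -> role (constructed user directory)
        self.keys = {}           # key_id -> {"material": bytes | None, "state": str}
        self.data_index = {}     # object name -> key_id that protects it
        self.audit = []          # (actor, action, key_id, outcome): who did what

    def _authorize(self, actor, action, key_id=None):
        # Role-based check; every attempt, allowed or denied, lands in the audit trail.
        allowed = action in ROLE_PERMISSIONS.get(self.roles.get(actor), set())
        self.audit.append((actor, action, key_id, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{actor} may not {action}")

    def generate(self, actor):
        self._authorize(actor, "generate")
        key_id = f"k-{len(self.keys) + 1:04d}"
        self.keys[key_id] = {"material": secrets.token_bytes(32), "state": "active"}
        return key_id

    def use(self, actor, key_id, obj):
        """Distribute a key and record which object it protects (the key follows the data)."""
        self._authorize(actor, "use", key_id)
        key = self.keys[key_id]
        # Active keys may protect new data; an archived key can only be recovered
        # for an object already encrypted under it; a deleted key is gone for good.
        if key["state"] == "deleted" or (
            key["state"] == "archived" and self.data_index.get(obj) != key_id):
            raise ValueError(f"{key_id} ({key['state']}) may not be used for {obj}")
        self.data_index[obj] = key_id
        return key["material"]

    def rotate(self, actor, old_id):
        """Roll over: the old key is archived, not destroyed, so older data stays decryptable."""
        self._authorize(actor, "rotate", old_id)
        self.keys[old_id]["state"] = "archived"
        return self.generate(actor)

    def delete(self, actor, key_id):
        """Refuse to destroy a key that still protects data; with the key, the data is as good as lost."""
        self._authorize(actor, "delete", key_id)
        if key_id in self.data_index.values():
            raise ValueError(f"{key_id} still protects data and cannot be deleted")
        self.keys[key_id] = {"material": None, "state": "deleted"}
```

Re-keying the data under the new key first, then deleting the old one, is the order the deletion check enforces.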