Data security is one of the major concerns of enterprises of all sizes, whether they run their systems in the cloud or not. A variety of technologies and systems for encrypting data at rest and in flight have sprung up over the years. Most of them depend on encryption keys to encrypt and decrypt data; protocols such as HTTPS and SSH rely on them as well. Many organizations also use security certificates, and stronger password policies are commonly adopted alongside them.
The use of security keys is on the rise, and enterprises now have to manage these keys securely. Key management is an acknowledged problem for enterprises: keys are used in more and more applications, often with no safe place to store them. Modern enterprise applications are built to use encryption keys (such as SSH keys) for authentication, and system modules keep them in configuration files or key files. In both cases the keys tend to be stored insecurely on the devices that use them, which creates a threat; if they are stored in a secure vault and used from there, the threat is reduced drastically. Large enterprises with multiple departments and multiple applications that use security keys need better ways of managing them from a security, cost and compliance perspective. Consistent, standard ways of managing keys avoid fragmented key management across the enterprise and can also bring cost benefits.
Multiple providers in the market address this void; CyberArk and Password Manager Pro are some examples. These providers allow enterprises to store keys in secure vaults, including specialized hardware-based vaults called Hardware Security Modules (HSMs).
Given the trend of the last few years of moving enterprise ecosystems onto the cloud, enterprises face this issue in the cloud too. Recognizing this, cloud providers have started adding key management to their offerings; popular cloud service providers such as AWS and Azure already have it on their service lists.
Some of the features such key management systems provide are:
- Highly secure vaults for storing keys
- Keys maintained in a highly available environment that allows high-speed access (preferably HSMs)
- Key lifecycle management: the ability to create keys or bring existing keys into the vault, define key rotation policies and create usage policies
- Support for both symmetric (secret) keys and asymmetric (public/private) key pairs
- Comprehensive REST APIs for integrating customer applications, served by fault-tolerant, highly available API servers
- Integration with security information and event management (SIEM) systems
- Audit logs and reports on access to and usage of keys
- A portal interface to administer keys, define policies, etc.
- Integration with SSO or LDAP systems.
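As an added illustration of the lifecycle, usage-policy and audit features listed above (example code written for this post, not any vendor's product or API), the following minimal in-memory vault model shows the design point behind them: key material never leaves the vault, callers ask the vault to perform an operation, every access is logged, and rotation adds a new key version while old versions stay available for verifying existing data. Key names, principals and policies are constructed sample values.

```python
import hmac
import hashlib
import os
from datetime import datetime, timezone

class KeyVault:
    """Minimal in-memory model of a key management system (constructed for
    illustration). Callers never receive key bytes; they ask the vault to
    sign or verify under a per-key usage policy, and every attempt, allowed
    or denied, is appended to an audit log."""

    def __init__(self):
        self.keys = {}       # key name -> list of key versions (raw bytes)
        self.policies = {}   # key name -> {principal: set of allowed ops}
        self.audit_log = []  # one dict per access attempt

    def create_key(self, name, policy):
        self.keys[name] = [os.urandom(32)]   # version 1
        self.policies[name] = policy

    def rotate(self, name):
        """Add a new key version; older versions are kept for verification."""
        self.keys[name].append(os.urandom(32))
        return len(self.keys[name])          # new current version number

    def _check(self, name, principal, op):
        allowed = op in self.policies.get(name, {}).get(principal, set())
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "key": name, "principal": principal, "op": op,
            "result": "allow" if allowed else "deny",
        })
        if not allowed:
            raise PermissionError(f"{principal} may not {op} with {name}")

    def sign(self, name, principal, data):
        """Return (version, tag): an HMAC-SHA256 tag under the current version."""
        self._check(name, principal, "sign")
        version = len(self.keys[name])
        key = self.keys[name][version - 1]
        return version, hmac.new(key, data, hashlib.sha256).hexdigest()

    def verify(self, name, principal, data, version, tag):
        """Verify a tag against the key version it was produced with."""
        self._check(name, principal, "verify")
        key = self.keys[name][version - 1]
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)
```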
Feel free to share your experiences with key management systems on this.