• Crypto Management: An Introduction to Data and Key Security

    A Crypto Foundation is a centralized approach taken to secure different types of data in multiple environments, combined with the management and maintenance of keys and crypto resources. In order to provide the consolidation, protection and flexibility that today's business environment demands, a data protection strategy should incorporate four key areas. The concentration levels of each area will depend on existing infrastructure, compliance mandates, and the four V's: Value, Volume, Variety and Velocity.

    Watch the Crypto Foundation VideoRead the Crypto Foundation Guidebook


    • Crypto Processing and Acceleration

      Identify sensitive data and determine the level of encryption required. Consider all of the various threats that apply to data at different points within the lifecycle and ensure crypto operations have appropriate offloading and acceleration to avoid processing bottlenecks.


      more
    • Key Storage

      The requirements of your use case(s) and environment will determine the keys’ roles and ultimately how they are stored and protected. Organizations have the option of storing their keys within hardware or software.


      more
    • Key Lifecycle Management

      There must be an integrated approach around generating, storing, distributing, rotating, revoking, suspending and terminating keys for devices and applications. A centralized management platform will perform all key-related tasks and tie back to other systems or HSMs.


      more
    • Crypto Resource Management

      In order to ensure consistent policy enforcement, provide transparency, and maintain the health of your system, every organization should have one, easy-to-use interface to configure policies, monitor and report and provision all cryptographic resources.


      more

    Make sure that cipher/algorithms are comparable with current industry standards and widely used, as the classification of ‘strong’ cryptographic algorithms can change over time. Next, establish key lengths with the right combination of protection and flexibility. SafeNet’s suite of encryption solutions enables you to protect and control sensitive data as it expands in volume, type and location, from the data center to virtual environments and the cloud.

    Look at current workflows and applications. Where will encryption and decryption take place? Depending on where you want encryption to run, and the velocity, you may need to consider incorporating high-speed cryptographic processors. SafeNet can provide a variety of solutions for offloading cryptographic processes from application servers to dedicated hardware.

    For keys that are trusted to protect highly sensitive data and applications, a centralized, hardware-based approach to key storage is recommended. Nothing ever enters or leaves the tamper-resistant vault so keys are more isolated from traditional network attacks and should the hardware security module (HSM) become compromised, the keys will zero out. All SafeNet HSMs have been through stringent third-party testing against publically documented standards.

    Some use cases will require cryptographic keys to exist within close proximity to the data and applications they secure. Organizations trying to encrypt mass amounts of smaller segments of data, requiring high availability and usage may gravitate toward a distributed key storage model. This model accommodates for unlimited transactions and large amounts of keys. SafeNet KeySecure together with the Crypto Operations Pack encrypts structured or unstructured sensitive data, and provides access to leading key management interoperability protocol (KMIP) supporting appliances – all in one centralized platform.

    An organization warranting high volume, velocity and variety of keys, might consider investing in a system that specializes exclusively on key management duties.

    • Generation - Ensure the key strength matches the sensitivity of the data. The length of the key, algorithm used, and the randomness of the key material are the main factors to consider in this area.
    • Distribution - A key must be associated with a particular user, system, application or policy. The association will determine the requirements to secure the key, and the method used to secure it while in transit. The ability to differentiate access between the administrator creating the key and the person using it is vital.
    • Storing - Organizations have the option of storing their keys within hardware or software.
    • Rotation - Each key should be designated a lifespan with the ability to change that key on demand. Limit the amount of data encrypted with a single key because using the same key over a long duration of time increases the chances of a compromise.
    • Revocation - Every organization needs the ability to revoke, destroy or take keys offline. Backup copies of cryptographic keys should be kept in a storage mechanism that is at least as secure as the original store.

    SafeNet KeySecure is available as a hardware appliance or hardened virtual security appliance.

    With SafeNet Crypto Command Center, security administrators can create a centralized pool of high assurance cryptographic resources that can be provisioned out to the people and lines of business in their organization that need them.

    Consistency policy enforcement requires the ability to provision and de-provision cryptographic resources, automate client provisioning, and create multi-tenant, tiered security administrator access levels.

    First, determine how many keys can be generated, and where they are stored. Continue to update variables in the system, such as back-up networks and users. Next, establish a policy for key usage, defining application and device access levels and to what extent they can perform.

    Lastly, secure, automated and unified logging and reporting are absolutely crucial to maintain requisite risk and compliance posture. Key ownership must also be clearly defined, and all modifications recorded and securely stored in order to provide an authentic and trusted audit trail of key state changes.


  • Want Guidance?

    Read the Crypto Foundation Guidebook

    Learn the need-to-knows about crypto management from our comprehensive guidebook, covering in depth each of the four essential Crypto Foundation elements – crypto processing and acceleration, key storage, key lifecycle management, and crypto resource management – and outlining uses cases to consider.

    Get the book

    Watch & Learn

    Hear from a Crypto Management expert

    Join Mark Yakabuski, Gemalto’s VP of Product Management, Crypto Management, for this on-demand webinar, as he discusses today’s cyber security landscape alongside real world use cases. Learn how to build and manage a secure and flexible crypto foundation in on-premise, hybrid, and cloud environments.

    Watch the webinar