One of the biggest and most overlooked security issues in the cryptographic estate is key management. A comprehensive audit of encryption keys, including their locations, owners, key sizes, expiry dates and other pertinent information, is missing in many organizations.
Our senior consultant (Steve Monti) was responsible for rolling out key management and provisioning tools for one of the largest banks in the world. We learnt a lot about the best tools on the market and the most effective way to achieve a fully managed key environment.
In some large organizations (including large banks) there is often confusion regarding who is responsible for key renewal, for example: is it the application owner or the department that provisions the keys that takes responsibility? Confusion often arises when somebody has to be accountable for expired certificates which have led to downtime and outages and the inevitable loss of revenue.
If certificates and keys are not renewed and replaced before they expire, this can cause serious downtime and outages. Regulations like PCI-DSS demand stringent security of cryptographic keys, and in large estates this is very difficult without a fully managed key environment. Proper segregation of duties is another requirement. The list of reasons for having proper key management is very long, and the implications of a poorly managed certificate estate can be very serious.
So, if you’re interested in evaluating (or deploying) some of the leading key management systems, such as Venafi Encryption Director, SafeNet KeySecure, Thales e-Security keyAuthority, HP Enterprise Secure Key Manager (ESKM), IBM Tivoli Key Lifecycle Manager (TKLM) and EMC’s RSA Data Protection Manager (DPM), we would be pleased to give you the benefit of our vendor-neutral experience.