April 7-10, 2025 | Toronto, Canada

Encryption Key Management – understanding and mitigating your risks (G22a)

From its humble beginnings storing keys for data encrypted on disk and tape, encryption key management has come a long way, helped by a stable and widely used industry standard that provides interoperability between systems using encryption keys and other security objects. As the scope and level of detail of the security objects under management have increased, so too has our ability to understand and quantify the risks we face in securing an enterprise’s data and infrastructure.
In practical terms, we now have the ability to understand the “blast radius” of a breach or of the systemic compromise of a given encryption key or algorithm type. If, say, the AES256 algorithm were broken, a well-implemented encryption key management system lets us identify the data and infrastructure reliant on that algorithm, isolate them and then rekey with an alternative, or at the very least ensure that mitigation efforts are targeted so as to protect the enterprise without shutting it down completely.
With the threats presented by quantum computers, the likelihood of needing to contain the impact of the compromise of a particular algorithm or key size is growing. Understanding how best to mitigate this threat and ensure business continuity becomes critical, and drastically increases the need for cryptographic agility – a capability also delivered through the leading industry standard.
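The blast-radius and rekey idea in the two paragraphs above, as an added illustration that is not part of the talk or of any KMIP implementation: a constructed in-memory inventory whose per-key attributes mirror KMIP's Cryptographic Algorithm, Cryptographic Length, State and Replaced/Replacement Object links, so that "what depends on AES-256?" becomes a query and "rekey with an alternative" becomes an operation over the answer. The consumer names and the replacement algorithm are made-up sample values; the dict model is not the KMIP wire format.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ManagedKey:
    uid: str
    algorithm: str                  # KMIP "Cryptographic Algorithm"
    length: int                     # KMIP "Cryptographic Length"
    state: str = "Active"           # KMIP states used here: Active, Compromised
    consumers: set = field(default_factory=set)   # systems/data sets relying on this key
    replacement_uid: Optional[str] = None         # KMIP "Replacement Object Link"
    replaced_uid: Optional[str] = None            # KMIP "Replaced Object Link"

class KeyInventory:
    def __init__(self):
        self.keys = {}
        self._counter = 0

    def register(self, algorithm, length, consumers):
        self._counter += 1
        k = ManagedKey(f"key-{self._counter}", algorithm, length, consumers=set(consumers))
        self.keys[k.uid] = k
        return k.uid

    def blast_radius(self, algorithm, length=None):
        """Active keys, and the consumers behind them, exposed if this algorithm
        (optionally only at this key length) is broken."""
        hit = [k for k in self.keys.values()
               if k.state == "Active" and k.algorithm == algorithm
               and (length is None or k.length == length)]
        return {k.uid for k in hit}, set().union(*(k.consumers for k in hit))

    def rekey_algorithm(self, algorithm, new_algorithm, new_length, length=None):
        """Mark every affected key Compromised, issue a replacement under the
        alternative algorithm, link old and new, and move the consumers over."""
        affected, _ = self.blast_radius(algorithm, length)
        for uid in affected:
            old = self.keys[uid]
            old.state = "Compromised"
            new_uid = self.register(new_algorithm, new_length, old.consumers)
            old.replacement_uid = new_uid
            self.keys[new_uid].replaced_uid = uid
            old.consumers = set()   # dependents now point at the replacement
        return affected

def demo():
    inv = KeyInventory()   # constructed sample inventory
    inv.register("AES", 256, {"backup-tapes", "db-volumes"})
    inv.register("AES", 256, {"object-store"})
    inv.register("AES", 128, {"legacy-app"})
    inv.register("RSA", 3072, {"tls-edge"})
    keys, consumers = inv.blast_radius("AES", 256)
    affected = inv.rekey_algorithm("AES", "ChaCha20", 256, length=256)  # alternative is a sample choice
    return inv, keys, consumers, affected
```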
This presentation will cover a very brief history of key management and its evolution to meet today’s enterprise security requirements before moving to a detailed exploration of the features of the KMIP (Key Management Interoperability Protocol) standard in the context of quantifying and mitigating security risks across the enterprise. With these features covered, the session will move on to applying the concepts, using specific implementation examples to illustrate the key points and provide attendees with techniques that can be applied immediately. The presentation will close with details of where relevant information can be found and of how to submit industry requirements to OASIS, the standards organization responsible for the publication of KMIP.