ENTERPRISE KEY MANAGEMENT
THE KEY TO PUBLIC SECTOR DATA SECURITY
Industry Perspective
Encrypting data at rest is a minimum standard of care for federal agencies protecting personal and other sensitive data. Enterprise key management with automated policy enforcement is needed to secure encryption keys over the life of the data.
EXECUTIVE SUMMARY

Organizations across both the private and public sectors are being required to protect their sensitive information from threats that include unauthorized insider access, accidental disclosure and theft by a range of hostile outsiders. Government agencies, which collect, maintain and store large amounts of sensitive and personally identifiable information (PII) about people, programs and activities, are facing particular challenges. The data not only is valuable to the agency but is also a high-value target for thieves, including criminals and nation-states. According to the 2016 Data Breach QuickView report, more than 255 million records were exposed during government data breaches in 2016.

Data must be protected in all of its states: at rest, in transit and in use. Encryption is a primary tool in ensuring that this valuable resource is completely protected. Because data must be accessible, data-at-rest is decrypted when delivered in response to a database query or application call. If steps are not taken to protect it while being transmitted and while in use, it can be subject to theft or manipulation once it leaves the storage medium. But encryption at rest is a necessary part of a security solution, and many privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), require encryption of data while in storage as a best practice.

In this industry perspective, created in partnership with HPE, Chip Charitat, Senior Solutions Architect at HPE Data Security, explains that encrypting data-at-rest is a minimum standard of care for protecting sensitive data, and that effective encryption requires secure enterprise key management practices with automated policy enforcement that can scale with the enterprise. An encryption scheme is only as strong as its key management.
The keys, which are used to encrypt and decrypt data, must be managed throughout the data lifecycle, made available to legitimate users of the data and must be protected from malicious insiders as well as outside attackers. Key management solutions need to match the organization’s structure — small or large, centralized or distributed — its security assurance levels, and its operational needs. Management can be done locally, remotely or centralized. But whatever solution is used, it must be able to scale with the enterprise. Automating key management is the only practical enterprise-wide solution.
THE KEY TO SECURITY

In theory, encrypting data at rest is simple. A key is used with an encryption algorithm to scramble data while in storage, making it unreadable until the key is used to decrypt it. Strong algorithms are available that make it impossible or impractical to decrypt the data without the key. It is the key that complicates things.

“The challenge lies in the management of the keys,” Charitat said. “If you lose the keys, you lose the data.” Keys stored locally in a single location can be lost if the device is lost, stolen or compromised, or if the data is accidentally deleted or erased. Conversely, anyone with access to the keys can access the data.

Keys must be stored securely so they can be protected but can also be used. They must be kept track of so that they can be delivered when needed, and they must be discarded and replaced when necessary. These tasks quickly become complex in an enterprise that contains thousands of devices and millions of pieces of media to be protected.

“Key management should be automated as much as possible to mitigate risks associated with manual approaches,” Charitat said. Agencies must decide on a key management strategy that meets operational and security requirements.
AN ENCRYPTION KEY LIFECYCLE

An encryption key goes through a number of possible stages during its lifecycle. It must be created, used, possibly changed and eventually disposed of.

The National Institute of Standards and Technology identifies the stages as: pre-activation, active, suspended, deactivated, compromised, destroyed, destroyed compromised and revoked. Each key is used differently and might not go through each of these stages. For example, not every key will be compromised. And keys can pass through different stages of their lifecycles in different orders. A key might go from being active directly to deactivated, or it might be suspended. And a suspended key could be reactivated or deactivated.

When thousands or even millions of keys are being managed throughout the lifecycle stages it can quickly become overwhelming. An agency might want to simplify the process by managing keys locally with each encryption application or device. But this can become unwieldy and undependable, and there is risk in locating keys with the application. Any compromise to the application puts the keys at risk.

As agencies grow in complexity and adopt encryption across a greater portion of the enterprise, they need to move beyond local key management. The visibility into security controls offered by a single centralized view lets agencies achieve economies of scale and helps ensure policy and regulatory compliance. Enterprise secure key management, in which keys are managed centrally across the entire lifecycle through a single pane of glass, provides this visibility and reduces the risk of keys being compromised locally. It is more economical, provides high-assurance security with hardened appliances for policy enforcement and lends itself to automation.

“The more you can automate, the better off you are,” Charitat said.
AUTOMATED KEY MANAGEMENT

Automation becomes increasingly desirable or necessary with the scale of the implementation. Even a modest enterprise can have thousands of devices containing protected data. With multiple media on each device and the number of stages through which each key must be managed, the complexity can grow by an order of magnitude with the addition of each new device. This can quickly outstrip the ability to do the job manually.

Complexity is not the only factor that makes automation desirable. When handled manually, the task of key management can create staffing problems as the number of man-hours needed for the job increases. Personnel turnover can become an issue when institutional knowledge is lost with retiring employees. The Government Accountability Office reported that by September 2017, almost 600,000 federal workers, or about 31 percent of the workforce, will be eligible to retire.

For security and audit reasons, keys sometimes are required by regulation to be managed in hardware. Automated hardened appliances can provide better security and ensure that all key management activities are logged, creating an audit trail to document all actions taken over time. Being able to audit a process does not by itself provide security, but it is needed to demonstrate compliance with regulatory requirements.

Because of issues of complexity, manpower and regulatory requirements, even modest-sized agencies should consider automating their key management.

“It is not sufficient to just say that you protect your data,” Charitat said. “There needs to be proof that you’ve done so.”
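As an added example (not code from the paper, HPE or ESKM), the Python below ties the two preceding sections together: it encodes the NIST key states the lifecycle section lists and the transitions it describes, and records every attempted action, allowed or denied, in a hash-chained audit trail of the kind the automation section says a hardened appliance should keep. The transition table and the `ManagedKey` and `verify_audit` names are assumptions: the table adds the compromise and destroy paths from NIST SP 800-57 Part 1 to the moves the text names, and the text's "revoked" status is not modelled as a state here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib, json

# Assumed transition table: the states the text lists, with the moves it describes
# plus the compromise and destroy paths from NIST SP 800-57 Part 1.
TRANSITIONS = {
    "pre-activation": {"active", "destroyed", "compromised"},
    "active": {"suspended", "deactivated", "compromised"},
    "suspended": {"active", "deactivated", "compromised"},  # reactivate or deactivate
    "deactivated": {"destroyed", "compromised"},
    "compromised": {"destroyed compromised"},
    "destroyed": {"destroyed compromised"},
    "destroyed compromised": set(),  # terminal
}

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class ManagedKey:
    key_id: str
    state: str = "pre-activation"
    audit: list = field(default_factory=list)  # append-only, hash-chained log

    def _log(self, actor: str, action: str, reason: str) -> None:
        # Each entry commits to its predecessor, so edits or deletions are detectable.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "key": self.key_id,
                 "actor": actor, "action": action, "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def transition(self, new_state: str, actor: str, reason: str) -> None:
        # Policy enforcement: refuse, but still record, any move the table does not allow.
        if new_state not in TRANSITIONS[self.state]:
            self._log(actor, f"DENIED {self.state} -> {new_state}", reason)
            raise ValueError(f"{self.key_id}: {self.state} -> {new_state} not permitted")
        self._log(actor, f"{self.state} -> {new_state}", reason)
        self.state = new_state

def verify_audit(audit: list) -> bool:
    """Recompute the chain; False if an entry was altered or reordered or an inner one removed."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

Walking a constructed key through active, suspended, active and deactivated and then requesting an out-of-policy jump to "destroyed compromised" leaves the key deactivated with five audit entries, the last of them a DENIED record; changing any earlier entry makes `verify_audit` return False.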
THE ANSWER: A SCALABLE KEY MANAGEMENT SOLUTION

With encryption of data at rest a minimum standard for privacy and security requirements, a scalable key management solution is needed to provide centralized management and automated policy enforcement over the life of the data. This is the only way agencies can ensure that keys remain secure yet accessible and demonstrate that keys have been managed under verifiable security controls to meet regulatory requirements.

The HPE enterprise vision is focused on protecting sensitive data wherever it lives and moves in the enterprise, from servers to storage and cloud services. HPE’s Enterprise Secure Key Manager (ESKM) provides a centralized, hardware-based key management solution that meets these requirements.

ESKM is a complete turnkey solution for generating and managing keys by unifying and automating encryption controls. With it, encryption keys can be securely served and controlled, and access to keys can be audited with enterprise-class security, scalability, reliability and availability. This helps agencies maintain operational continuity regardless of the scale and complexity of their encryption program.

ESKM scales easily to support enterprise-wide encryption across multiple geographically distributed data centers, tens of thousands of encryption clients and millions of keys.

The solution is compliant with the OASIS Key Management Interoperability Protocol (KMIP) versions 1.0 through 1.3, and supports key management needs within storage, cloud and big data solutions. This gives users greater choice of data protection applications and solutions so that they are not locked into a single vendor. A client Software Development Kit (SDK) is available so that customers can enable native protocol ESKM integrations.

ESKM is validated by an independent lab as a secure server appliance. Capabilities include high-availability clustering and failover, secure key database, key generation and retrieval services, identity and access management for administrators and encryption devices, secure backup and recovery, local Certificate Authority and signed audit logging.

HPE ESKM’s strong encryption key management helps protect all of the sensitive information in your storage, including financial and payment cardholder data, employee records, electronic health records, intellectual property and cloud-hosted data, as well as national security and defense information. When you encrypt data and take advantage of ESKM key management with strong access controls and reliable, verifiable security, you ensure continuous and appropriate availability of keys while supporting audit and compliance requirements. The result is reduced administrative costs, less human error, fewer policy failures and less risk of data breaches and business interruptions. Because data can remain securely encrypted even after disposal, it also minimizes dependence on costly media sanitization and destruction services.

ESKM helps ensure agency compliance with regulatory audits for industry standards such as the Payment Card Industry Data Security Standard, and for government standards including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley (SOX). It also supports compliance with state and international privacy laws, national security regulations and internal policies, controls and audits.
CONCLUSION

As agencies protect their data through its entire lifecycle, strong scalable encryption for data at rest is the starting point for achieving the minimum level of care required for data security. Regardless of the size and complexity of the enterprise, there is no need to wait to take advantage of the encryption capabilities of your servers and storage.

Centralized key management can provide the high-assurance security of hardened appliances for automated policy enforcement, providing greater economy and reliability. These outcomes can help to make public-sector data security stronger and more efficient.

About HPE

Hewlett Packard Enterprise is an industry-leading technology company that enables customers to go further, faster. With the industry’s most comprehensive portfolio, spanning the cloud to the data center to workplace applications, our technology and services help customers around the world make IT more efficient, more productive and more secure.

www.hpe.com | @HPE

About TSPi

Technology Solutions Providers, Inc. (TSPi) is a certified Small Disadvantaged Business providing performance-driven end-to-end IT solutions to federal government customers. For over 15 years, our business model, as well as our key to success, is based upon maintaining long-lasting relationships by delivering performance-driven results. Our federal government customers can readily attest to our in-house expertise, commitment to quality, reliability, and exceptional performance. TSPi is Capability Maturity Model Integration (CMMI) Level 3 appraised and International Organization for Standardization (ISO) 9000, 20000 and 27000 certified.

About GovLoop

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop