High-assurance key protection
Aligning your key management strategy with your protection requirements
Economically dial up your level of key protection to align with your specific requirements, with cost-effective key protection options that make it easy to comply with industry best practice guidelines.
Encryption Key Protection
Question: Does the Randtronics DPM enterprise encryption management platform provide high-assurance key management?
- The short answer: ‘yes of course, we are in the encryption management business after all’.
- The fuller answer turns out to be longer since we first need to unpack what high-assurance key management really means in the context of different industry and application requirements.
Before diving into details, the essence of the Randtronics DSM high-assurance key management solution boils down to three components:
- Every Randtronics DPM encryption product is designed by default to address the majority of best practice key management guidelines, without the need for specialist hardware and without the user having to do anything.
- Where the user has an industry requirement to protect keys in specialist hardware, Randtronics DPM enables customers to increase their ROI on their hardware by making more effective and efficient use of these specialist assets.
- Given our focus on enterprise encryption (i.e. encrypting everything), our platform simplifies the process of ensuring all of your encryption keys are protected to the level you deem appropriate to address your business requirements.
For customers not content with the digital version of storing house keys under the back doormat, Randtronics offers three options for high-assurance encryption key management:
- DPM easyCipher (standalone). DPM easyCipher is our centrally managed Transparent Data Encryption (TDE) product. Encryption keys are held separately from data; to minimize performance overhead, keys are securely distributed and cached but never stored locally.
- DPM easyCipher and DPM easyKey. DPM easyKey is our Key Management System. DPM easyKey extends DPM easyCipher’s internal key management capabilities to add centrally managed policy-based lifecycle key management and the ability for the user to separate the role of data privacy (encryption policy administration) from key management.
- DPM easyKey and multivendor HSM. For customers with a legislated or industry-body requirement to protect encryption keys in Hardware Security Modules, DPM easyKey makes it easy to harness HSM resources from multiple vendors (side by side), reducing the pressure of vendor lock-in and the requirement to maintain specialist skills.
Option A. DPM easyCipher (standalone)
DPM easyCipher provides transparent data encryption for databases, web/app servers, file servers, NAS storage and end-devices.
Data policies and encryption keys are managed centrally providing enterprise-wide control of sensitive data.
A DPM agent installed on the end-point device mediates all access to secured folders and prevents access from any non-whitelisted user or application.
DPM easyCipher high-assurance key management
- Encryption keys are generated and stored within the easyCipher manager.
- All communications between easyCipher Agents and Manager occur over a secured channel.
- Encryption keys cached within the easyCipher Agent to accelerate performance are never stored locally
Option B. DPM easyCipher and DPM easyKey
DPM easyKey is a key-management system that provides policy-based lifecycle key management.
When deployed with DPM easyCipher, DPM easyKey provides the tools for organizations to centrally define key management policies:
- what – what type (algorithm, length) of key to use
- who – which client can access keys
- how – key generated in software (within easyKey manager) or in hardware
- when – when does the key expire
DPM easyCipher + DPM easyKey high-assurance key management
- Encryption keys are generated and stored within the easyKey manager.
- All communications between easyCipher and easyKey Manager occur over a secured channel.
- Encryption keys cached within the easyCipher Agent to accelerate performance are never stored locally
- Policy-based lifecycle-key management via an easy-to-use central platform
Option C. DPM easyKey and Multivendor HSM
DPM easyKey integrates with a FIPS-compliant Hardware Security Module.
It gives users the option of storing master keys within the HSM, thus strengthening the entropy and protection of subordinate (daughter) keys, which are encrypted with the HSM-based master key.
DPM easyCipher + easyKey + Multivendor HSM high-assurance key management
- The Master key is generated and stored within an HSM managed by easyKey (the user has the option to mix’n’match HSMs from different vendors).
- Daughter encryption keys are generated and stored within the easyKey manager (protected using the Master key).
- All communications between easyCipher Agents, easyCipher Manager, easyKey and HSM occur over secured channels.
- Encryption keys cached within the easyCipher Agent to accelerate performance are never stored locally
- easyKey isolates HSM from transaction processing, hence reducing need to upgrade HSM to handle larger processing loads.
What does High-Assurance Key Management Really Mean?
There is a corner of the world where technology vendors scrap it out over bragging rights for having the most physically secure encryption key management platform.
Being a software company, our perspective is that an effective key protection strategy is one that:
a) Complies with the generally accepted best practice guidelines for good encryption key management housekeeping that are common across a wide range of standards and are increasingly being written into Data Privacy legislation (see sidebar on Encryption Key Protection 101),
b) Addresses any industry-specific key protection requirements, for example the PCI/DSS standards of the Card Payment Industry that require encryption keys securing cardholder data to themselves be protected using Hardware Security Modules that meet the requirements of FIPS Level 2/3, and finally
c) Allows an organization to deliver key protection services to the whole enterprise in an efficient and economic manner.
Whilst these principles may seem obvious, we find that some customers get confused when it comes down to understanding the details of how and where keys are stored and the hierarchy of trust that underpins Transparent Data Encryption (TDE) solutions, both native database TDE products and Randtronics’ own DPM platform.
How does Randtronics DPM simplify high-assurance key management?
#Masterkey101 Consider a database administrator (DBA) setting up a new database. For the sake of argument, we will assume they have the choice of using a native TDE option provided by their database vendor or Randtronics DPM, and that the database is going to store Payment Card details and thus needs to comply with PCI/DSS standards.
Readers unfamiliar with Master Keys and Trust Hierarchy should see the sidebar Master Keys and Trust Hierarchy.
Scenario 1 – Native TDE
Our DBA needs to make choices:
– Where is the keystore going to be located? By default it resides on the database server; however, best practice guidelines recommend that keys and data are physically separated. For some database products this feature requires an additional license.
– How is the master key going to be stored? The database is going to hold Payment Card details, so the database master key needs to be stored in an HSM. Our DBA now has to talk to the HSM administrator to organize Master Key storage.
– How often are keys going to be rotated? The DBA needs to set a date in the calendar to perform a manual key rotation.
If our DBA now wants to set up another database using a different database product, then it’s back to the manuals, as the process and licensing will be different.
Scenario 2 – Randtronics DPM
In contrast to Scenario 1, the DBA doesn’t have to think about where keys are stored. The Randtronics DPM TDE solution has best practice guidelines baked in. All our DBA needs to do is install the DPM easyCipher Agent on the database server and point the Agent to a pre-defined policy set up for Payment Card data if one exists, or request that the data privacy team create one for use across the organization.
The one-time exercise for the data privacy team is, first, to set up a single policy within DPM easyKey that specifies Master Key storage on a FIPS Level 2/3 compliant HSM and, second, to create a data privacy policy within DPM easyCipher that points to the Payment Card easyKey policy.
Now when our DBA needs to set up another database using a different database product, the process is exactly the same.
Encryption Key Protection 101
On day 1 of your cybersecurity career you learn that encryption protection uses keys and that those keys need to be kept safe.
The importance of good practice encryption key management is explicitly defined in major IT Security guidelines; well-known examples include:
- US Federal Government: National Institute of Standards and Technology (NIST) Special Publication 800-57
- International Organization for Standardization (ISO) ISO/IEC 11770,
- Payment Card Industry Data Security Standard (PCI DSS)
- US Health Industry, HIPAA/HITECH ACT
The superset of good practice guidelines that we see most commonly are:
a) Keys should be well protected (obvious really)
b) Keys should be stored separately from data (i.e. on different devices)
c) Keys should be rotated periodically
d) Expired keys should be deleted at end-of-life
Master Keys and Trust Hierarchy
Transparent Data Encryption systems have a hierarchy of encryption keys that together comprise a trust hierarchy. One key sits at the head of this hierarchy and establishes a root-of-trust that flows down to ‘daughter keys’ that are themselves encrypted by the keys above them in the hierarchy.
Defining terms:
– The master key protects the database encryption keys (DEKs).
– The database encryption keys (DEKs) are used to encrypt the actual data in the database.
– The master key is further protected by encryption using a certificate or an asymmetric key.
– In some Database Management Systems (DBMSs), the Service Master Key (SMK) protects the master key.
- Master Key: The master key is created and managed by the database management system (DBMS) or a key management system (KMS) integrated with the DBMS. It serves as the root key in the TDE hierarchy and is used to encrypt the database encryption keys.
- Database Encryption Key (DEK): Each database protected by TDE has its own unique database encryption key. The DEK is a symmetric key that is generated within the DBMS and used to encrypt the actual data in the database files. The DEK is stored in the database metadata.
- Certificate or Asymmetric Key: To protect the master key, it is typically encrypted using either a certificate or an asymmetric key. This provides an additional layer of security by ensuring that only authorized entities with the corresponding certificate or asymmetric key can access or decrypt the master key.
- Service Master Key: In some DBMSs, such as Microsoft SQL Server, there is a Service Master Key (SMK) that is automatically generated during installation. The SMK is used to protect the master key and is itself encrypted using the machine’s Windows Data Protection API (DPAPI) key, which is tied to the specific machine.
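The hierarchy described above and in Option C, as an added Go example (not Randtronics code and not a description of how DPM is implemented): a master key wraps a daughter key with AES-256-GCM, and rotating the master key re-wraps only the daughter key. The function names, the nonce-prefixed blob layout and the randomly generated keys are assumptions made for illustration; in Option C the master key would stay inside the HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes stands in for key generation inside an HSM or key manager.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func aead(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key) // AES-256 when key is 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for AES's 16-byte block
	return g
}
// seal encrypts pt under key and prepends the random 12-byte nonce.
func seal(key, pt []byte) []byte {
	nonce := randBytes(12)
	return aead(key).Seal(nonce, nonce, pt, nil)
}
// open reverses seal; it fails on a wrong key or a modified blob.
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("blob too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}
// rotateMaster re-wraps a daughter key; data sealed under it is untouched.
func rotateMaster(oldMK, newMK, wrapped []byte) ([]byte, error) {
	dek, err := open(oldMK, wrapped)
	if err != nil {
		return nil, err
	}
	return seal(newMK, dek), nil
}
func main() {
	mk1, mk2, dek := randBytes(32), randBytes(32), randBytes(32) // constructed keys
	wrapped, err := rotateMaster(mk1, mk2, seal(mk1, dek))
	fmt.Printf("%d-byte wrapped daughter key, err=%v\n", len(wrapped), err)
}
```

Opening the re-wrapped blob with the new master key returns the same daughter key, so records sealed before the rotation still decrypt, while the old master key no longer opens it.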