
High-assurance key protection

Aligning your key management strategy with your protection requirements

Economically dial up your level of key protection to align with your specific requirements: cost-effective key protection options that make it easy to comply with industry best-practice guidelines.

Encryption Key Protection

Question: does the Randtronics DPM enterprise encryption management platform provide high-assurance key management?

  • Short answer: ‘yes, of course; we are in the encryption management business after all’.
  • The fuller answer turns out to be longer, since we first need to unpack what high-assurance key management really means in the context of different industry and application requirements.

Before diving into details, the essence of the Randtronics DPM high-assurance key management solution boils down to three components:

  1. Every Randtronics DPM encryption product is designed by default to address the majority of best-practice key management guidelines without the need for specialist hardware or for the user to do anything.
  2. Where the user has an industry requirement to protect keys in specialist hardware, Randtronics DPM enables customers to increase the ROI on that hardware by making more effective and efficient use of these specialist assets.
  3. Given our focus on enterprise encryption (i.e. encrypting everything), our platform simplifies the process of ensuring that all of your encryption keys are protected to the level you deem appropriate for your business requirements.

For customers not content with the digital equivalent of storing the house keys under the back doormat, Randtronics offers three options for high-assurance encryption key management:

  1. DPM easyCipher (standalone). DPM easyCipher is our centrally managed Transparent Data Encryption (TDE) product. Encryption keys are held separately from data; to minimize performance overhead, keys are securely distributed and cached but never stored locally.
  2. DPM easyCipher and DPM easyKey. DPM easyKey is our Key Management System. DPM easyKey extends DPM easyCipher’s internal key management capabilities to add centrally managed, policy-based lifecycle key management and the ability for the user to separate the role of data privacy (encryption policy administration) from key management.
  3. DPM easyKey and multivendor HSM. For customers with a legislated or industry-body requirement to protect encryption keys in Hardware Security Modules, DPM easyKey makes it easy to harness HSM resources from multiple vendors side by side. This reduces the pressure of vendor lock-in and the requirement to maintain specialist skills.

Option A. DPM easyCipher (standalone)

DPM easyCipher provides transparent data encryption for databases, web/app servers, file servers, NAS storage and end-devices.

Data policies and encryption keys are managed centrally providing enterprise-wide control of sensitive data.

The DPM agent installed on the end-point device mediates all access to secured folders and prevents access by any non-whitelisted user or application.

DPM easyCipher high-assurance key management

  • Encryption keys are generated and stored within the easyCipher Manager.
  • All communications between easyCipher Agents and the Manager occur over a secured channel.
  • Encryption keys cached within the easyCipher Agent to accelerate performance are never stored locally.

Option B. DPM easyCipher and DPM easyKey

DPM easyKey is a key-management system that provides policy-based lifecycle key management.

When deployed with DPM easyCipher, DPM easyKey provides the tools for organizations to centrally define key management policies:

  • what – what type (algorithm, length) of key to use
  • who – which client can access keys
  • how – whether the key is generated in software (within the easyKey manager) or in hardware
  • when – when the key expires

DPM easyCipher + DPM easyKey high-assurance key management

  • Encryption keys are generated and stored within the easyKey manager.
  • All communications between easyCipher and the easyKey Manager occur over a secured channel.
  • Encryption keys cached within the easyCipher Agent to accelerate performance are never stored locally.
  • Policy-based lifecycle key management via an easy-to-use central platform.

Option C. DPM easyKey and Multivendor HSM

DPM easyKey integrates with a FIPS-compliant Hardware Security Module.

This gives users the option of storing master keys within the HSM, thus strengthening the entropy and protection of the subordinate (daughter) keys, which are encrypted with the HSM-based master key.

DPM easyCipher + easyKey + Multivendor HSM high-assurance key management

  • The master key is generated and stored within an HSM managed by easyKey (the user has the option to mix and match HSMs from different vendors).
  • Daughter encryption keys are generated and stored within the easyKey manager, protected using the master key.
  • All communications between easyCipher Agents, the easyCipher Manager, easyKey and the HSM occur over secured channels.
  • Encryption keys cached within the easyCipher Agent to accelerate performance are never stored locally.
  • easyKey isolates the HSM from transaction processing, hence reducing the need to upgrade the HSM to handle larger processing loads.

What does High-Assurance Key Management Really Mean?

There is a corner of the world where technology vendors scrap it out over bragging rights for having the most physically secure encryption key management platform.

Being a software company, our perspective is that an effective key protection strategy is one that:

a) complies with the generally accepted best-practice guidelines for good encryption key management housekeeping that are common across a wide range of standards and are increasingly being legislated into data privacy law (see the sidebar Encryption Key Protection 101),

b) addresses any industry-specific key protection requirements, for example the PCI DSS standard of the card payment industry, which requires that the encryption keys securing cardholder data themselves be protected using Hardware Security Modules meeting FIPS Level 2/3 requirements, and finally

c) allows an organization to deliver key protection services to the whole enterprise in an efficient and economic manner.

Whilst these principles may seem obvious, we find that some customers get confused when it comes to the details of how and where keys are stored, and of the hierarchy of trust that underpins Transparent Data Encryption (TDE) solutions, both native database TDE products and Randtronics’ own DPM platform.

How does Randtronics DPM simplify high-assurance key management?

Consider a database administrator (DBA) setting up a new database. For the sake of argument we will assume they have the choice of using the native TDE option provided by their database vendor or Randtronics DPM, and that the database is going to store payment card details and thus needs to comply with PCI DSS.

Readers unfamiliar with master keys and trust hierarchies should see the sidebar Master Keys and Trust Hierarchy.

Scenario 1 – Native TDE

Our DBA needs to make choices:

– Where is the keystore going to be located? By default it resides on the database server; however, best-practice guidelines recommend that keys and data are physically separated. For some database products this feature requires an additional license.

– How is the master key going to be stored? The database is going to hold payment card details, so the database master key needs to be stored in an HSM. Our DBA now has to talk to the HSM administrator to organize master key storage.

– How often are keys going to be rotated? A date needs to be set in the calendar to perform a manual key rotation.

If our DBA now wants to set up another database using a different database product, then it’s back to the manuals, as the process and licensing will be different.

Scenario 2 – Randtronics DPM

In contrast to Scenario 1, the DBA doesn’t have to think about where keys are stored. The Randtronics DPM TDE solution has best-practice guidelines baked in. All our DBA needs to do is install the DPM easyCipher Agent on the database server and point the Agent to a pre-defined policy set up for payment card data if one exists, or request that the data privacy team create one for use across the organization.

The one-time exercise for the data privacy team is, first, to set up a single policy within DPM easyKey that specifies master key storage on a FIPS Level 2/3 compliant HSM and, second, to create a data privacy policy within DPM easyCipher that points to the payment card easyKey policy.

Now, when our DBA needs to set up another database using a different database product, the process is exactly the same.

Encryption Key Protection 101

On day 1 of your cybersecurity career you learn that encryption uses keys and that those keys need to be kept safe.

The importance of good encryption key management practice is explicitly defined in major IT security guidelines; well-known examples include:

The ‘good practice’ guidelines articulated in these standards are finding their way into numerous legislated requirements. Typically the standards steer away from detailing specific technology implementations and stick to high-level guidelines.
The superset of good-practice guidelines that we see most commonly is:
a) Keys should be well protected (obvious, really).
b) Keys should be stored separately from data (i.e. on different devices).
c) Keys should be rotated periodically.
d) Expired keys should be deleted at end of life.
e) Some of the standards for regulated industries (including payments and health) also require that encryption keys be protected using specialist cryptographic modules, aka Hardware Security Modules (HSMs), meeting defined minimum requirements.

Well-known standards for HSM security assurance include the US Federal Information Processing Standards (FIPS) and the international Common Criteria Evaluation Assurance Levels (EAL).
Some standards go as far as requiring that encryption keys for certain data types be stored in an HSM meeting a particular standard; e.g. PCI DSS specifies that keys be protected by devices compliant with at least FIPS Level 2.

Master Keys and Trust Hierarchy

Transparent Data Encryption systems have a hierarchy of encryption keys that together comprise a trust hierarchy. One key sits at the head of this hierarchy and establishes a root of trust that flows down to ‘daughter keys’, which are themselves encrypted by the keys above them in the hierarchy.

Defining terms:

– The master key protects the database encryption keys (DEKs).

– The database encryption keys (DEKs) are used to encrypt the actual data in the database.

– The master key is further protected by encryption using a certificate or an asymmetric key.

– In some Database Management Systems (DBMSs), the Service Master Key (SMK) protects the master key.

  1. Master Key: The master key is created and managed by the database management system (DBMS) or a key management system (KMS) integrated with the DBMS. It serves as the root key in the TDE hierarchy and is used to encrypt the database encryption keys.
  2. Database Encryption Key (DEK): Each database protected by TDE has its own unique database encryption key. The DEK is a symmetric key that is generated within the DBMS and used to encrypt the actual data in the database files. The DEK is stored in the database metadata.
  3. Certificate or Asymmetric Key: To protect the master key, it is typically encrypted using either a certificate or an asymmetric key. This provides an additional layer of security by ensuring that only authorized entities with the corresponding certificate or asymmetric key can access or decrypt the master key.
  4. Service Master Key: In some DBMSs, such as Microsoft SQL Server, there is a Service Master Key (SMK) that is automatically generated during installation. The SMK is used to protect the master key and is itself encrypted using the machine’s Windows Data Protection API (DPAPI) key, which is tied to the specific machine.


Letter from the CEO


Thank you for visiting the Randtronics website.

We make enterprise encryption easy.

Smart businesses already know that only encryption can reduce the attack surface and stop the hackers from stealing their sensitive data. A company that only uses encryption is more secure than a company with all other cyber security measures. Privacy standards such as PCI DSS, HIPAA, and GDPR are all mandating in law the protection of the citizen’s personal data. Fines for breaches are huge. You won’t get fined if your firewall is hacked. You won’t get fined if you suffer a virus or ransomware attack. You WILL get fined if you lose ANY personal data pertaining to ANY citizen. The lowest common denominator is the DATA. Data that is “Encrypted” is out of the scope of the Law.

Whilst all understand the need to protect sensitive data holistically (such as the NIST Cyber Security Framework or the 12 prescriptive PCI DSS guidelines), their cyber security priorities are misguided to say easy aspects and not addressing “what happens” when these fail? Encryption of data is the only direct protection measure that renders data unreadable compared to upgrading firewalls or virus and malware, IPS, log monitoring, etc. I am saying you need all methods but unless you have implemented enterprise grade encryption you are still unprotected like driving a car without “seatbelts”. “Enterprise grade encryption” as a cyber measure is the “seat belt” that saves lives in car accidents. Industry experts predict a relentless continuation of data breaches this year and penetration testing has proven perimeter defense is easily penetrable.

Randtronics has taken the challenge to make encryption easy and is innovating in many areas. We have already reduced deployment effort to days and use familiar standard components so that less skilled people can deploy and maintain systems.
I welcome discussions via email or phone as through your feedback we will be challenged to continue to innovate to the point where businesses and users do not need to be intimidated when using encryption as the world’s most powerful tool to protect their sensitive data.

Experts predict data breaches will continue at relentless pace, let Randtronics secure your business with “Enterprise grade ubiquitous encryption technology”. Time is of the essence. Why not be pro-active? I invite you to let Randtronics and its global distributors and resellers assess and assist your business directly.

Yours sincerely,
Bob K Adhar, BE, MBA, CISSP
Founder and CEO