Tip

Secure your data backups with encryption key management best practices

Ending up as a data breach statistic is not likely in your organization's long-term goals. To resolve this issue, you can encrypt your backups and mobile

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

storage media. Your backups will be secure and exempt from the breach notification requirements many of the information security regulations mandate -- until a vulnerability in your encryption key management practices is exploited. Sloppy encryption key management practices are a surefire way to negate most, if not all, of the benefits of encrypting data at rest and land your business in a real bind.

More on encryption key management
What you need to know about storage encryption products

How do you make sure your data is secure when using a online/cloud backup provider?

Using an encryption appliance for data backup security

Encryption key management: New standards on the horizon
Regardless of the size of your organization, here are several essential key management best practices you need to know about to maximize your investment in encryption and minimize your business risks:

Encryption key management requires upfront planning and ongoing administration. Make sure you have the resources in place for key issuance/renewal/revocation, setting and enforcing policies, system maintenance and monitoring, and so on -- across all of your backup systems.

Work with your existing data backup/storage/security vendors or seek out new ones to help with your implementation. Generic enterprise key management solutions from NetApp Inc., RSA (the security division of EMC Corp.), Thales and Venafi Inc. may offer what you need. If you just want key management at the backup/storage level, then you may want to look at more niche products such as Hewlett-Packard (HP) Co. StorageWorks Secure Key Manager and 10Zig Technology's Q3e encryption appliance or its Q3i tape drive with encryption, as well as some more mainstream IBM Corp. and Sun Microsystems Inc. StorageTek drives. You may have to go with multiple vendors for key management depending on your approach.

Your encryption key management initiatives need to be an all-or-nothing approach, at least to the extent that you know exactly what's where. Encrypting some data at rest and not other data without understanding the specific types of data in each location can be dangerous. All it takes is one lost backup tape that "didn't need encryption since it stored nothing of value" to create a big problem.

Utilize the principle of separation of duties. I know, it's one of those security "best practices" that everyone preaches but is often hard to implement, but you still need to strive for it. Having more than one person storing, backing up, referencing and rotating encryption keys is essential. As part of this process, be sure to define the roles of the key players to make sure everyone's on the same page. And make your key management policy a written one that's stored and made readily accessible to everyone on an intranet site.

Never assume that encrypted means secure. There's always the possibility that a third party may gain access to your media and somehow recover your encryption keys. Know what the vulnerabilities are in your environment. If it makes sense because of added physical vulnerabilities or other risks, consider utilizing secondary hardware keys if they're available. This requires both the original backup hardware and the hardware key to decipher the backups adding yet another layer of security. Certain types of businesses where this may be easily justified include banking, education, and healthcare.

Like many things security-related, encryption key management is still relatively immature. The good news is that there are industry bodies such as OASIS EKMI, NIST, and the IEEE looking to simplify things and bring interoperability to the industry.

About the author: Kevin Beaver is an information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, Kevin specializes in performing independent security assessments and helping IT professionals enhance their careers through his Security On Wheels information security audio books and blog.

This was first published in May 2010

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.