Cryptography is essential to data security and provides the best method to ensure that information will remain uncompromised, even if stolen or inappropriately accessed. However, managing cryptographic keys will become increasingly challenging as companies compile more sensitive information. Thus, enterprise encryption key management, sometimes referred to as enterprise key management, is critical for all growing businesses.
What is Enterprise Encryption Key Management?
Businesses either must or should encrypt their data. Regulatory requirements for certain industries and locations mandate it. Just as important, consumers across all markets have come to expect some form of encryption to keep their personally identifiable information (PII) private. Your encryption relies on keys to render data unreadable to anyone without them, so your cryptographic protections are only as strong as the management of those keys: if the keys are not securely managed, the protection is compromised.
There are two critical considerations for designing enterprise encryption key management policies and procedures:
- What distinguishes enterprise from traditional encryption key management programs?
- What methods simplify meeting regulatory compliance requirements pertaining to key management across multiple frameworks?
Enterprise Encryption Key Management Explained
Encryption key management requires anticipating the needs of your rapidly increasing number of cryptographic keys. Thus, your use of encryption and key management must be scalable.
Some companies may initially depend on third-party cryptographic solutions built into the free or open-source programs they already use. For example, smaller companies may not seek sophisticated encryption for internal communication and, instead, rely on standard, vendor-supplied defaults on their email or messaging apps.
However, as companies grow, they may need greater control and oversight over their data, including generating and managing their own cryptographic keys rather than relying on vendor defaults. The more keys your company uses, the more secure storage and inventorying it requires, and the more rigorously the use of each key must be monitored.
Most Effective Enterprise Key Management Strategies
Best practices for encryption key management govern the creation, storage, and use of keys:
- Create and inventory all keys from a centrally located and managed interface. Even if many keys are used in different ways or contexts, they should be managed uniformly.
- Store and manage all exchanges of cryptographic keys in a similarly centralized but ideally distinct location. Prepare seamless replacement of certificates if a breach occurs.
- Establish visibility and regular monitoring of cryptographic keys’ use, along with users’ behaviors related or adjacent to encrypted data. Restrict all access to timed sessions.
Companies should size their key management program for a comfortable margin above the number of cryptographic keys they currently oversee, so that future additions do not outgrow it.
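As an added illustration of the three practices above and the capacity margin (this is not code from the original article), here is a minimal Python key inventory: it tracks key metadata centrally (never the key material itself), grants access only through expiring sessions, logs every use attempt whether allowed or not, flags keys overdue for replacement, and checks headroom against a planned ceiling. The class, field and method names are my own assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class KeyRecord:
    key_id: str
    purpose: str            # e.g. "db-at-rest", "tls", "backup" (constructed labels)
    created: datetime
    rotate_after_days: int  # planned lifetime before the key is replaced
    state: str = "active"   # "active" or "retired"

class KeyInventory:
    """Central register of key metadata with timed-session access and an audit trail."""
    def __init__(self, session_ttl: timedelta, capacity: int) -> None:
        self.keys: dict[str, KeyRecord] = {}
        self.sessions: dict[str, tuple[str, datetime]] = {}  # token -> (user, expiry)
        self.audit: list[dict] = []       # every register/use event, allowed or denied
        self.session_ttl = session_ttl
        self.capacity = capacity          # planned ceiling on the number of keys

    def register(self, key_id: str, purpose: str, rotate_after_days: int, now: datetime) -> None:
        if key_id in self.keys:
            raise ValueError(f"duplicate key id {key_id}")
        self.keys[key_id] = KeyRecord(key_id, purpose, now, rotate_after_days)
        self.audit.append({"ts": now, "event": "register", "key_id": key_id})

    def open_session(self, user: str, now: datetime) -> str:
        """Grant a short-lived session token; all key use must go through one."""
        token = secrets.token_hex(16)
        self.sessions[token] = (user, now + self.session_ttl)
        return token

    def use_key(self, token: str, key_id: str, now: datetime) -> bool:
        """Authorise one use of a key: requires a live session AND an active key."""
        user, expiry = self.sessions.get(token, (None, None))
        record = self.keys.get(key_id)
        allowed = user is not None and now < expiry and record is not None and record.state == "active"
        self.audit.append({"ts": now, "event": "use", "user": user, "key_id": key_id, "allowed": allowed})
        return allowed

    def keys_due_for_rotation(self, now: datetime) -> list[str]:
        """Active keys past their planned lifetime, i.e. candidates for replacement."""
        return sorted(k.key_id for k in self.keys.values()
                      if k.state == "active"
                      and now - k.created > timedelta(days=k.rotate_after_days))

    def headroom_ok(self, margin: float = 0.5) -> bool:
        """Capacity check: the inventory should sit comfortably below its planned ceiling."""
        return len(self.keys) <= self.capacity * (1 - margin)
```

Denied attempts (expired session, unknown token, unknown key) are written to the audit trail just like successful ones, which is what makes the usage monitoring in the third practice possible.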
Other Considerations for Enterprise Key Management
Beyond the safe creation, storage, and use of keys, companies may also need to accommodate other requirements. The recent surge in working from home and the resulting proliferation of remote connections complicate encryption key storage, usage, and access in ways most companies have not previously experienced. Having employees connect to your IT environment via Virtual Private Networks (VPNs) is a security necessity.
Additionally, the type and amount of data they store may further dictate requirements. For example, businesses that store protected health information must heed HIPAA’s Privacy and Security Rules. Those that store, process, or transmit credit card data must abide by the Payment Card Industry’s Data Security Standard.
The location of a business and its clientele is another determinant. All companies that interact with European Union citizens’ data must protect that data per GDPR restrictions. Companies that interact with residents of California must likewise follow the CCPA guidelines. Neither framework requires encryption per se, but cryptography is one efficient method of satisfying both regulations.
HITRUST-Compliant Encryption Key Management
The most effective method for implementing robust key management that meets legal and other requirements across multiple regulations is to unify your controls under a single, comprehensive framework. The HITRUST Alliance has combined controls from HIPAA, PCI-DSS, and other regulations into the HITRUST CSF. As such, adherence to HITRUST’s encryption key management requirements will meet most organizations’ compliance needs.
The HITRUST CSF comprises 14 Control Categories, which break down into 49 Objective Names and 156 total Control References. Each is accompanied by a Control Specification, along with a Factor Type and, usually, a combination of Topics to which it applies. Topics can be used to index Controls, and there are 18 References under the “cryptography” Topic. Some of these directly govern how a company should manage keys, whereas others govern keys’ uses.
RSI Security’s HITRUST advisory services will help your organization manage keys efficiently—and assist with all efforts necessary for achieving certification.
HITRUST Encryption Key Management Requirements
Another element of HITRUST CSF controls is that each is accompanied by Implementation Requirements, distributed across Levels. These correspond to companies’ needs at scale, including mapping and measurement specifications pertinent to different regulatory standards.
There are three HITRUST CSF Control References specifying requirements for cryptography:
- Control Reference 06.f – Requiring the use of cryptography and configuration of all cryptographic keys meeting or exceeding requirements in applicable regulatory guides.
- Control Reference 10.f – Requiring that a policy governing cryptographic keys and relevant controls is developed, implemented, and supported by formalized protocols.
- Control Reference 10.g – Requiring that a distinct cryptographic key management program is developed to ensure keys are not accessed or modified inappropriately.
These three References establish the need for and specific characteristics of an enterprise encryption key management system. Implementing them up to the Level that corresponds to your company’s regulatory requirements ensures streamlined compliance and robust security.
HITRUST CSF Controls Related to Key Management
Beyond specifying how enterprises should manage their keys, the HITRUST CSF also specifies how they should use cryptography and cryptographic keys across a wide range of Controls.
The remaining 15 HITRUST CSF Control References tagged under the cryptography Topic are:
- Control Reference 01.d – Requiring management of passwords to include encryption.
- Control Reference 01.r – Requiring formalized specifications for user password strength and complexity, including minimum character limits, frequent updates, and encryption.
- Control Reference 01.x – Requiring cryptographic controls for mobile communications.
- Control Reference 06.c – Requiring protections for organizational records to meet or exceed regulatory requirements for integrity, including secure storage and encryption.
- Control Reference 09.a – Requiring documentation and availability of select operating procedures, including measures such as encryption to guarantee documents’ integrity.
- Control Reference 09.k – Requiring cryptographic safeguards against mobile code.
- Control Reference 09.l – Requiring maintenance and encryption of security backups.
- Control Reference 09.m – Requiring robust monitoring, control, and protection of traffic on internal and protected networks, including encryption of all sensitive data transmitted.
- Control Reference 09.o – Requiring safe operation of all removable media, including encryption of data stored on it and removal of encrypted information before disposal.
- Control Reference 09.q – Requiring procedures for safe handling of all information, regardless of location, including encryption and robust encryption key management.
- Control Reference 09.s – Requiring distinct encryption practices for data exchanges.
- Control Reference 09.u – Requiring distinct encryption practices for physical media.
- Control Reference 09.x – Requiring robust monitoring, control, and protection of traffic on public and unprotected networks, mirroring or exceeding encryption for internal traffic.
- Control Reference 09.y – Requiring distinct encryption practices for online transactions.
- Control Reference 10.d – Requiring cryptographic and other guarantors for authenticity and integrity of messages transmitted on internal and external messaging applications.
Your robust and fully compliant enterprise key management plan should incorporate all of these Control References, along with any other considerations unique to the needs of your company.
Professional Key Management and Cybersecurity
Enterprise key management is a critical consideration for all growing companies. However, managing all the cryptographic keys required for encrypting your increasing pool of sensitive data can be challenging, especially with scaling regulatory compliance requirements. But following a unified standard—HITRUST—makes successful encryption key management much more attainable at any scale.
To rethink your cryptographic security and ensure your preparations will accommodate future growth, contact us today!