Key management requires upfront planning and ongoing administration. Make sure you have the resources in place for key issuance/renewal/revocation, setting and enforcing policies, system maintenance and monitoring, and so on -- across all of your backup systems.
Work with your existing data backup/storage/security vendors or seek out new ones to help with your implementation. Generic enterprise key management solutions from NetApp Inc., RSA (the security division of EMC Corp.), Thales and Venafi Inc. may offer what you need. If you just want key management at the backup/storage level, then you may want to look at more niche products such as Hewlett-Packard (HP) Co. StorageWorks Secure Key Manager and 10Zig Technology's Q3e encryption appliance or its Q3i tape drive with encryption, as well as some more mainstream IBM Corp. and Sun Microsystems Inc. StorageTek drives. You may have to go with multiple vendors for key management depending on your approach.
Your key management initiatives need to be an all-or-nothing approach, at least to the extent that you know exactly what's where. Encrypting some data at rest and not other data without understanding the specific types of data in each location can be dangerous. All it takes is one lost backup tape that "didn't need encryption since it stored nothing of value" to create a big problem.
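One way to verify that you know exactly what's where is to reconcile the backup media inventory against the key inventory and flag anything unclassified, unencrypted, or tied to a key that is missing, revoked, expired, or has no backup copy. The sketch below is an added example, not code from the original article or any vendor product; the record fields, media IDs, key IDs and issue labels are all constructed for illustration.

```python
from datetime import date

# Constructed sample inventories; every field name and value is an assumption.
KEYS = {
    "k-2008-01": {"state": "active", "expires": date(2010, 1, 31), "backed_up": True},
    "k-2007-03": {"state": "revoked", "expires": date(2009, 3, 31), "backed_up": True},
    "k-2009-02": {"state": "active", "expires": date(2009, 9, 30), "backed_up": False},
}
MEDIA = [
    {"id": "TAPE-0001", "classification": "customer-pii", "key_id": "k-2008-01"},
    {"id": "TAPE-0002", "classification": None, "key_id": None},
    {"id": "TAPE-0003", "classification": "public", "key_id": None},
    {"id": "TAPE-0004", "classification": "financial", "key_id": "k-2007-03"},
    {"id": "TAPE-0005", "classification": "financial", "key_id": "k-2009-02"},
    {"id": "TAPE-0006", "classification": "hr", "key_id": "k-2006-09"},
]
# Only classifications explicitly listed here may be stored unencrypted.
NO_ENCRYPTION_NEEDED = {"public"}

def audit_media(media, keys, today):
    """Return {media_id: [issue, ...]} for every item that needs attention."""
    findings = {}
    for item in media:
        issues = []
        cls, key_id = item["classification"], item["key_id"]
        if cls is None:
            # "Nothing of value" is only a guess until the contents are classified.
            issues.append("unclassified")
        if key_id is None:
            if cls not in NO_ENCRYPTION_NEEDED:
                issues.append("unencrypted")
        elif key_id not in keys:
            # Encrypted, but nobody can say which key: restore is at risk.
            issues.append("key-unknown")
        else:
            key = keys[key_id]
            if key["state"] == "revoked":
                issues.append("key-revoked")
            if key["expires"] < today:
                issues.append("key-expired")
            if not key["backed_up"]:
                issues.append("key-not-backed-up")
        if issues:
            findings[item["id"]] = issues
    return findings

if __name__ == "__main__":
    for media_id, issues in audit_media(MEDIA, KEYS, date(2009, 10, 1)).items():
        print(media_id, ", ".join(issues))
```

Media that pass every check (here TAPE-0001 and the explicitly public TAPE-0003) are omitted from the result, so an empty result means the two inventories agree.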
Utilize the principle of separation of duties. I know, it's one of those security "best practices" that everyone preaches but is often hard to implement, but you still need to strive for it. Having more than one person storing, backing up, referencing and rotating encryption keys is essential. As part of this process, be sure to define the roles of the key players to make sure everyone's on the same page. And make your key management policy a written one that's stored and made readily accessible to everyone on an intranet site.
Never assume that encrypted means secure. There's always the possibility that a third party may gain access to your media and somehow recover your encryption keys. Know what the vulnerabilities are in your environment. If it makes sense because of added physical vulnerabilities or other risks, consider utilizing secondary hardware keys if they're available. This requires both the original backup hardware and the hardware key to decipher the backups, adding yet another layer of security. Certain types of businesses where this may be easily justified include banking, education, and healthcare.
Like many things security-related, key management is still relatively immature. The good news is that there are industry bodies such as OASIS EKMI, NIST, and the IEEE looking to simplify things and bring interoperability to the industry.
About the author: Kevin Beaver is an information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, Kevin specializes in performing independent security assessments and helping IT professionals enhance their careers through his Security On Wheels information security audio books and blog. He has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). Kevin can be reached at kbeaver --at- principlelogic.com.
This was first published in October 2009