Top 10 Key Management Questions to Ask any Encryption Vendor

We’re all familiar with the favorite political phrase, “It’s the economy, stupid,” commonly used whenever a politician is running on a platform other than the economy. There is a direct parallel when dealing with vendors that sell an encryption solution. Any vendor that does not talk about their encryption key management early and often is watching the wrong ball. After all, encryption is easy. Decrypting is harder, since it requires management of an increasing number of cryptographic keys over the life of the encrypted data. When we were designing the CipherPoint encryption solution, we continually reminded ourselves that “it’s the key management, stupid”. As a result, we’re confident we’ve built the most usable and bullet-proof encryption key management system, period. And when it comes to encrypting information in SharePoint, making things simple and bullet-proof is critical.

Here are some questions to ask anyone selling an encryption solution, be they a third-party software vendor or an internal application development team.

1. How many encryption keys does your solution use?

This question goes to the granularity and scalability of the solution. For example, a key per user may be reasonable for 10 users but not for 10,000. Likewise, a single key may be suitable for a single folder, but it inherently makes you feel insecure if that one key is used across all your systems. CipherPoint’s solution eliminates this balancing act by automatically optimizing the number of encryption keys with no increase in the administrative effort.

2. Where are the keys stored?

Will you have a single repository for encryption keys, or n+1 locations to secure and manage as the deployment expands? Centralized key management is better. CipherPoint’s management console, the CipherPointKM, provides centralized key management that securely stores and distributes encryption keys to the right SharePoint servers at the right time.

3. How do I back up and restore the keys?

This is an area where centralization helps: having a single location to back up is easier. You also want to know that the archived keys are secured from unauthorized access and that the backups can be automated. CipherPoint makes it easy to back up and restore your data encryption keys using the utilities provided with our management console, the CipherPointKM, or any third-party backup solution.

4. What happens to old, encrypted information?

Imagine a scenario in which encrypted information from 5 years ago has to be restored. Does the solution track which encryption key was used to encrypt that information? Bear in mind that in the course of 5 years you may have changed the encryption keys more than once and may be using different encryption keys across different deployments in your environment. You don’t want to be cycling through encryption keys to find the right one while your customer is getting emotional about access to their information. CipherPoint’s key management policies ensure encrypted information is always accessible to end users regardless of the age or origin of the encrypted information.

5. How do I change encryption keys?

If you are in a large enterprise or are encrypting information for regulatory compliance, you likely also have a requirement to change your encryption keys at a regular interval. With some solutions, changing the encryption key is impossible or, at best, strongly discouraged. With others it may require an effort similar to the original deployment. What you want is a solution that makes it easy to change encryption keys with minimal impact on your day and your users’ day. CipherPoint provides automated key rotation via policies, so organizations never have to manually intervene to change an encryption key. This approach not only eliminates administrative overhead and errors but also helps to automate and enforce regulatory compliance.

6. Who has access to the keys?

I have literally seen key management consoles that display the key material to the administrator. An encryption key needs to be a heavily guarded yet highly available secret. Any solution that displays the key value or stores the key value in unencrypted form is bad at keeping secrets.

7. How are the keys secured?

The likely answer is that the encryption keys are encrypted with a master or wrapping key. This raises the next question: how is the master or wrapping key secured? Does their method of securing the master key mean you’ll have to be called at 3AM to enter a passphrase so the key management server can be brought online? You’ll want to understand the details here and assess the security and usability of the approach in the context of your security and compliance objectives.
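Questions 4, 5 and 7 describe one mechanism from three angles: each data key is sealed under a master (wrapping) key, the stored record names which wrapping key was used, so years-old data can still find its key, and rotation re-wraps the data keys rather than re-encrypting the data. The Go sketch below is an added illustration, not CipherPoint’s code; its in-memory KeyStore is a stand-in for a real key server, and a production system would keep the wrapping keys inside an HSM or a validated cryptographic module (questions 8 and 9) rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record: per data key (DEK), the id of the wrapping key (KEK) and the DEK sealed under it.
type Record struct{ KEKID string; WrappedDEK []byte }
// KeyStore: hypothetical in-memory stand-in for a central key server holding
// every KEK ever issued, by id. Only Current is used to wrap new DEKs.
type KeyStore struct{ KEKs map[string][]byte; Current string }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func gcm(key []byte) cipher.AEAD { // AES-256-GCM; a wrong key length is a bug
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// Wrap seals a DEK under the current KEK as nonce || AES-GCM(KEK, nonce, DEK).
func (ks *KeyStore) Wrap(dek []byte) Record {
	nonce := randBytes(12)
	return Record{ks.Current, gcm(ks.KEKs[ks.Current]).Seal(nonce, nonce, dek, nil)}
}

// Unwrap finds the KEK the record names (years later, too); GCM rejects tampering.
func (ks *KeyStore) Unwrap(r Record) ([]byte, error) {
	kek, ok := ks.KEKs[r.KEKID]
	if !ok || len(r.WrappedDEK) < 12 {
		return nil, errors.New("unknown KEK id or malformed record: " + r.KEKID)
	}
	return gcm(kek).Open(nil, r.WrappedDEK[:12], r.WrappedDEK[12:], nil)
}

// Rotate: new KEK, re-wrap every DEK under it; bulk data is never touched.
func (ks *KeyStore) Rotate(newID string, recs []Record) error {
	ks.KEKs[newID], ks.Current = randBytes(32), newID
	for i, r := range recs {
		dek, err := ks.Unwrap(r) // uses the KEK named in r, not Current
		if err != nil {
			return err
		}
		recs[i] = ks.Wrap(dek)
	}
	return nil
}
```

Old KEKs are retained rather than deleted, which is what keeps a record written before a rotation readable; retiring one is a separate, deliberate step once no record names it.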

8. What algorithm do you use?

The answer to this question must be something you’ve heard of (e.g. RSA, AES). If you’re in the United States, many large enterprises and government agencies require the use of algorithms that have been validated by NIST (see FIPS 140-2). The process to create an encryption algorithm and gain acceptance for it takes several years and requires the combined, global efforts of the best mathematical minds in academia and the intelligence communities. Proprietary encryption algorithms never get this level of scrutiny.

9. Is it FIPS 140-2 validated/compliant?

FIPS 140-2 is a Federal Government standard for cryptographic modules. The process to get FIPS validated is very expensive and can take over a year. You should not immediately exclude a solution because it is not FIPS 140-2 validated, but make sure the solution vendor is familiar with the standard and can provide credible examples of how they are, or intend to become, FIPS 140-2 compliant. If you are working for a large enterprise, in a regulated industry such as Financial Services, or at a government agency, the odds are very high that FIPS 140-2 validation is a requirement.

10. How much does it cost?

Doing encryption and key management well requires years of specialized experience. There are two types of solution providers: those that have this knowledge and those that don’t. You will find that non-specialized vendors provide encryption solutions as a “me too” and do not have good answers to the previous 9 questions. You will also find that their price points are on the low end of the spectrum. Specialized vendors should have solid answers to most or all of the questions above but typically have 6-figure price tags for their solutions. CipherPoint’s goal is to provide specialized, enterprise-grade SharePoint encryption and security solutions at a mass-market price point.

Conclusion

I have yet to see a solution that was 100% secure and was still usable. You want to find a solution that is as secure as possible given the operational and end-user constraints of your environment. This is evidenced in the data breach laws – the regulations do not forbid organizations from getting breached; they instead incent the proper behavior prior to and after a breach.

When evaluating a security or encryption solution, look for maturity of the key management based on the answers to the questions above. You must also evaluate the initial deployment effort and the long-term ease-of-use implications of the solution. The reason SharePoint has been so successful is that it is easy to set up and easy to use, so solutions for SharePoint need those same characteristics. Also, the more complicated and cumbersome a security solution is, the more likely users are to avoid it or leave it unmanaged, creating risk for the organization.

By Woody Shea

CTO, CipherPoint