All key management teams rely on various meta-data to manage cryptographic keying material effectively. Because these items are used infrequently, they are much harder to memorize. Yet these meta-data elements must be handled and protected with the same set of controls and protections as a traditional cryptographic key. Secrets Management enables key management teams to apply these same controls and protections to data sets that do not conform to standard key sizes or field spaces.
Minimally, key management teams will be responsible for maintaining:
- PINs for smart cards
- Passwords or passphrases
As newer encryption algorithms become more prevalent, other associated meta-data such as initialization vectors or key-derivation data must also be maintained. Beyond the peripherals of key management itself, organizations hold other sensitive data that warrants the same high level of protection and audit capability as cryptographic keys.
For all of the aforementioned reasons, KeyBRIDGE offers a “Secrets Management” component. Secrets Management gives users the ability to align on naming conventions, enforce custodial role-based access permissions, support disaster recovery, provide audit visibility, and securely back up any secret or sensitive data.
Secure Storage for Key Management Teams
Key management teams are expected to rely upon, and ultimately enforce, the tenets of split knowledge and dual control. With this mandate in mind, most key management teams are divided into separate groups, each responsible for protecting its own components or shares from access or view by members of any other group. Most cryptographic key protection systems are reasonably effective at supporting this basic requirement. Secrets Management within KeyBRIDGE goes the extra mile.
Who Will Watch the Watchers?
An age-old debate that transcends history and vertical markets, the question of who will watch the watchers continues to ring true for key management teams. Centralized key administrators must collaborate with multiple teams of key custodians to generate, import, and export keys while collectively ensuring that cryptographic key protections remain in place. With Secrets Management, the sensitive meta-data required for effective cryptographic key protection is stored encrypted, backed up, logged, and accessible only under role-based custodial control.
Flexibility to Protect Non-Keys as Keys
The meta-data used for cryptographic key protection ought to be protected and logged with the same care and security as any key. If the ability to decrypt a key is gated by a PIN and smart card, or even just a passphrase, that PIN or passphrase ought to be protected with the same security as the key itself. If these meta-data are currently stored in a physical safe that requires a combination to unlock, then the combination deserves the same protection as well. These are all items that are used infrequently at best. As such, they routinely end up on a post-it note on a desk or in a wallet, but rarely are they verifiably memorized by the individuals who need to use them.
KeyBRIDGE users can be assigned to custodial groups. Once a user is established in a single group, that user may never be part of another group. This ensures the user never gains access to a component or share complementary to the one the user is charged with managing. Any member of a custodial group may use Secrets Management to store and/or retrieve the sensitive cryptographic key protection meta-data belonging to that group.
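The custodial-group model just described (one group per user, group-scoped store/retrieve, every access attempt audited) can be illustrated as a small access-control model. This is an added example written for this page, not KeyBRIDGE's own code or API; the class, method names and sample secrets are constructed, and encryption of the stored values is assumed to be handled by the platform rather than shown here.

```python
"""Constructed model of custodial-group access control for secrets.

Assumptions (hypothetical, not KeyBRIDGE's implementation):
- a secret is opaque bytes of any length (PIN, passphrase, safe combination);
- a user may belong to at most one custodial group, ever;
- any member of a group may store or retrieve that group's secrets;
- every store/retrieve attempt, allowed or denied, is written to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised when split-knowledge or group-scope rules would be violated."""


@dataclass
class SecretsVault:
    membership: dict = field(default_factory=dict)  # user -> custodial group
    secrets: dict = field(default_factory=dict)     # (group, name) -> bytes
    audit: list = field(default_factory=list)       # (ts, user, action, group, name, allowed)

    def assign(self, user: str, group: str) -> None:
        # Split knowledge: once established in a group, a user may never join another.
        current = self.membership.get(user)
        if current is not None and current != group:
            raise AccessDenied(f"{user} already belongs to group {current}")
        self.membership[user] = group

    def _authorize(self, user: str, group: str, action: str, name: str) -> None:
        # Log the attempt before deciding, so denied attempts are visible to auditors.
        allowed = self.membership.get(user) == group
        self.audit.append((datetime.now(timezone.utc), user, action, group, name, allowed))
        if not allowed:
            raise AccessDenied(f"{user} may not {action} secrets of group {group}")

    def store(self, user: str, group: str, name: str, value: bytes) -> None:
        self._authorize(user, group, "store", name)
        self.secrets[(group, name)] = value  # assumed encrypted at rest by the platform

    def retrieve(self, user: str, group: str, name: str) -> bytes:
        self._authorize(user, group, "retrieve", name)
        return self.secrets[(group, name)]


if __name__ == "__main__":
    vault = SecretsVault()
    vault.assign("alice", "group-A")   # constructed sample users and groups
    vault.assign("bob", "group-B")
    vault.store("alice", "group-A", "safe-combination", b"12-34-56")
    print(vault.retrieve("alice", "group-A", "safe-combination"))
```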
Last year, a team member who had the safe combination left us abruptly. We were forced to call a locksmith, which delayed our project for two days. The inability to recall the combination, along with the cost of the locksmith and the cost of the new safe, literally cost our organization thousands of dollars. If we had used Secrets Management the way we do now, it would have saved us an enormous amount of both time and money.
– Actual KeyBRIDGE Customer