Our previous blog posting established that storage encryption technologies, such as full disk encryption (FDE), and their associated key management functions should be separated from each other.
There are two main motivations for this separation: the ability to use a single key manager for all platforms, and the ability to select and use whichever storage encryption technologies best meet the requirements regardless of their key management capabilities.
Similarly, because authentication goes hand in hand with key management, authentication for storage encryption technologies should also be separated from the encryption function. This is particularly important for remote architectures, such as public cloud usage, so that a single compromise does not lead to the exposure of both encryption keys and the encrypted material they protect.
Within any organization, there are several layers of encryption and authentication that must be managed.
For example, many organizations use FDE technologies to protect individual user endpoint devices, such as laptops. These FDE technologies may be operating system-based or hardware-based; the market is expected to shift from software-based to hardware-based solutions.
The hardware and operating system layers are not the only local layers: file and application layers must be considered as well. Usually there are remote layers too, such as cloud-based encryption and authentication.
Access to data, executables and other resources may need to be protected separately at each of these layers through use of encryption and/or authentication technologies. This causes significant problems for most organizations because of the complexity of managing the associated keys and credentials throughout the enterprise for all the layers. It is time consuming not only for individual users, who have to maintain and remember all of these pieces of information (such as passwords), but also for the organizations supporting these users. Imagine how many keys and credentials need to be managed and supported for the user community. Finding ways to improve the efficiency of encryption and authentication management for both users and administrators has become increasingly important.
The ultimate goal for enterprise encryption and authentication management is to have a unified key management solution that encompasses all the layers. Such a solution would greatly simplify key management by linking all the encryption keys (and their associated authenticators) for each user together, and centralizing management of all these keys throughout the enterprise. This helps ensure that proper management occurs, such as regular rotation of encryption keys and passwords. And it also improves the user experience by enabling single sign-on.
Single sign-on leverages a single user credential to unlock access to a user’s other credentials, such as for other layers or for different resources within a single layer (e.g., multiple applications). Besides strongly increasing usability, it can also improve security. It can enforce one strong instance of authentication for each user, such as multifactor authentication using smartcards or biometrics, and eliminate all the other instances of authentication. This, in turn, enables an organization to manage user authentication credentials behind the scenes because a user doesn’t need to know the individual passwords for each resource to be accessed. For example, the organization can set long and complex random passwords that the user never has direct access to.
To achieve true single sign-on for enterprise users, the single sign-on has to be based at the lowest layer possible. A lower-layer credential can be used to unlock higher-layer credentials, because those higher-layer credentials are only needed after the lower-layer credential has already been presented.
For example, an operating system password is needed before the passwords for the applications accessed from that operating system.
The reverse is not true: credentials at a higher layer cannot be used to unlock credentials for a lower layer. Therefore, the heart of any enterprise key management solution should be endpoint-based, and ideally below the operating system layer (with pre-boot authentication) so that it can be used for operating system credentials as well.
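The layering described above can be shown as a small key hierarchy. The following is an added example, not code from the original post or from any product it describes: a single pre-boot credential is stretched into a key-encryption key (KEK), the KEK wraps long random passwords for the operating system, file, application and cloud layers, and the user never sees those passwords. Rotating a higher-layer password, or changing the user's own credential, never requires anyone to learn the wrapped secrets. The layer names, vault layout and the HMAC-in-counter-mode wrapping construction are this example's own choices (kept to the Python standard library so it runs anywhere); a deployment would use a vetted authenticated cipher such as AES-GCM instead.

```python
import hashlib
import hmac
import os
import secrets
import string

# Hypothetical layer names, lowest first; the pre-boot credential sits below all of them.
LAYERS = ("operating system", "file", "application", "cloud")


def derive_kek(user_secret: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stretch the single pre-boot credential into a 256-bit key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", user_secret, salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a keystream (illustration; use AES-GCM in practice)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC a higher-layer credential under the KEK: nonce || ciphertext || tag."""
    enc_key = hmac.new(kek, b"wrap-enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"wrap-mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong KEK or a tampered entry yields no plaintext."""
    if len(blob) < 48:
        raise ValueError("malformed wrapped credential")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(kek, b"wrap-enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"wrap-mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong credential or tampered vault entry")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def random_password(length: int = 32) -> str:
    """Long, complex, random password that the user is never shown."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def enroll(kek: bytes, vault: dict, name: str, layer: str) -> str:
    """Create a higher-layer credential and store it wrapped under the pre-boot KEK."""
    if layer not in LAYERS:
        raise ValueError(f"unknown layer {layer!r}")
    password = random_password()
    vault[name] = {"layer": layer, "wrapped": wrap(kek, password.encode())}
    return password  # handed to the resource being enrolled, not to the user


def open_credential(kek: bytes, vault: dict, name: str) -> str:
    """Single sign-on: the pre-boot KEK unlocks any higher-layer credential on demand."""
    return unwrap(kek, vault[name]["wrapped"]).decode()


def can_unlock(kek: bytes, vault: dict, name: str) -> bool:
    """True only if this key is the real lower-layer KEK; higher-layer secrets cannot stand in."""
    try:
        unwrap(kek, vault[name]["wrapped"])
        return True
    except ValueError:
        return False


def rotate(kek: bytes, vault: dict, name: str) -> str:
    """Regular rotation of a higher-layer password with no change to the user's credential."""
    new_password = random_password()
    vault[name]["wrapped"] = wrap(kek, new_password.encode())
    return new_password


def change_user_credential(old_secret: bytes, new_secret: bytes, salt: bytes, vault: dict) -> bytes:
    """Re-wrap every entry under a KEK from the new pre-boot credential; returns the new salt."""
    old_kek = derive_kek(old_secret, salt)
    new_salt = os.urandom(16)
    new_kek = derive_kek(new_secret, new_salt)
    for entry in vault.values():
        entry["wrapped"] = wrap(new_kek, unwrap(old_kek, entry["wrapped"]))
    return new_salt


if __name__ == "__main__":
    salt, vault = os.urandom(16), {}
    kek = derive_kek(b"pre-boot passphrase", salt)   # constructed sample credential
    enroll(kek, vault, "os-login", "operating system")
    enroll(kek, vault, "crm-app", "application")
    print("OS password via SSO:", open_credential(kek, vault, "os-login"))
    print("app password unlocks OS layer?", can_unlock(derive_kek(open_credential(kek, vault, "crm-app").encode(), salt), vault, "os-login"))
```

The `can_unlock` check is the point of the "reverse is not true" sentence: a KEK derived from an application password fails the integrity check on the operating-system entry, so nothing at a higher layer can unlock a lower one.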
It is also important that an enterprise key management product be application aware. Application awareness refers to the key manager having an understanding of the context and control over the environment in which each key is used. Without application awareness, a key manager cannot be used to set policy for each application or verify that each application’s environment is appropriately configured. An application aware key management system deals not only with keys but also users, devices, authentication methods, time and space (i.e., when and where a key may be used), groups, organization units, access privileges, and various policies such as disabling the capability of the endpoint to sleep if software-based FDE is used. This allows an application aware key management system to restrict access to individual applications based on many factors.
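Application awareness amounts to evaluating every key release against the context the paragraph lists: user and group, device, authentication method, time and place, and environment policy such as sleep being disabled under software FDE. The following is an added example, not code from the original post or from any product: a small policy engine that records each decision in an audit trail and releases a key only when no rule is violated. The policy fields, authentication levels and sample requests are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KeyPolicy:
    """Who, on what, how, when and where a key may be used (constructed field set)."""
    key_id: str
    allowed_groups: frozenset
    allowed_devices: frozenset
    min_auth_level: int            # 1 = password only, 2 = multifactor (smartcard/biometric)
    allowed_hours: Tuple[int, int] # local 24h window [start, end)
    allowed_regions: frozenset
    forbid_sleep_with_software_fde: bool = True


@dataclass(frozen=True)
class ReleaseRequest:
    """Context the endpoint agent reports when an application asks for a key."""
    key_id: str
    user: str
    groups: frozenset
    device_id: str
    auth_level: int
    requested_at: datetime
    region: str
    software_fde: bool
    sleep_enabled: bool


def evaluate(policy: KeyPolicy, request: ReleaseRequest) -> List[str]:
    """Return every violated rule; an empty list means the release is allowed."""
    reasons = []
    if request.key_id != policy.key_id:
        reasons.append("policy does not cover requested key")
    if not (request.groups & policy.allowed_groups):
        reasons.append("user not in an authorized group")
    if request.device_id not in policy.allowed_devices:
        reasons.append("unregistered device")
    if request.auth_level < policy.min_auth_level:
        reasons.append("authentication too weak")
    start, end = policy.allowed_hours
    if not (start <= request.requested_at.hour < end):
        reasons.append("outside permitted hours")
    if request.region not in policy.allowed_regions:
        reasons.append("outside permitted location")
    if policy.forbid_sleep_with_software_fde and request.software_fde and request.sleep_enabled:
        reasons.append("endpoint sleep must be disabled when software FDE is in use")
    return reasons


class KeyManager:
    """Application-aware key release with an audit trail of allow/deny decisions."""

    def __init__(self, policies: Dict[str, KeyPolicy], keys: Dict[str, bytes]):
        self.policies = policies
        self.keys = keys
        self.audit: List[tuple] = []

    def release(self, request: ReleaseRequest) -> Optional[bytes]:
        policy = self.policies.get(request.key_id)
        reasons = ["no policy registered for key"] if policy is None else evaluate(policy, request)
        decision = "allow" if not reasons else "deny"
        self.audit.append((request.requested_at.isoformat(), request.user, request.device_id,
                           request.key_id, decision, tuple(reasons)))
        return None if reasons else self.keys.get(request.key_id)


# Constructed sample data: one policy, one compliant request, one request breaking three rules.
CRM_POLICY = KeyPolicy("crm-db-key", frozenset({"sales"}), frozenset({"lt-0001"}),
                       min_auth_level=2, allowed_hours=(7, 20), allowed_regions=frozenset({"EU"}))
CRM_KEY = bytes(range(32))
SAMPLE_ALLOWED = ReleaseRequest("crm-db-key", "alice", frozenset({"sales"}), "lt-0001", 2,
                                datetime(2024, 3, 4, 9, 30), "EU", software_fde=True, sleep_enabled=False)
SAMPLE_DENIED = ReleaseRequest("crm-db-key", "bob", frozenset({"sales"}), "lt-0001", 1,
                               datetime(2024, 3, 4, 23, 0), "EU", software_fde=True, sleep_enabled=True)


def demo_manager() -> KeyManager:
    return KeyManager({"crm-db-key": CRM_POLICY}, {"crm-db-key": CRM_KEY})


if __name__ == "__main__":
    km = demo_manager()
    for req in (SAMPLE_ALLOWED, SAMPLE_DENIED):
        km.release(req)
    for entry in km.audit:
        print(entry)
```

Returning the full list of violated rules rather than stopping at the first one is deliberate: an administrator reviewing the audit trail sees every policy the endpoint failed, which is what makes a denial actionable.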
An endpoint-based product that works at the lowest layer and is application aware enables true single sign-on for encryption and authentication services for users throughout all the layers. Such a product can be called an intelligent key management solution.
As the use of encryption and authentication services to protect access to an organization’s data, executables, and other resources continues to increase, so does the need for more usable and effective enterprise key management solutions. Organizations are strongly recommended to plan for, acquire, and deploy intelligent key management solutions for their users. Such solutions enable single sign-on for users through all the layers of the enterprise IT resources, from endpoint devices and operating systems to cloud-based applications and files.
What’s more, intelligent key management can increase security by supporting a single instance of strong multi-factor authentication for each user while concealing all other encryption keys and authentication credentials behind the scenes. This allows these keys and credentials to be much more highly secured – for example, making passwords long, complex, and random, as well as changing the passwords regularly – which, in turn, reduces the likelihood of compromise.
In summary, organizations can increase security while improving usability and reducing effort for both users and administrators by deploying intelligent key management solutions to all user endpoints. Because these endpoint solutions are managed centrally, there is a single console for administrators to perform key management duties across many platforms and many forms of encryption. This helps organizations to keep total ownership costs low while improving their security.
Karen Scarfone is the co-author of this blog. She is a former senior computer scientist for the National Institute of Standards and Technology (NIST), and has over 15 years of experience across a wide variety of security domains.