Our previous blog posting explained the need for more usable and effective intelligent key management solutions for enterprises. We defined intelligent key management as a centralized enterprise product that is application aware, and that works at the lowest possible layer to provide protection for that layer and all the layers above it.
Intelligent key management is strongly recommended for end users because it acts at each user’s endpoint, enabling true single sign-on capabilities for virtually all their encryption and authentication services.
In this blog posting, we explore one particularly important aspect of intelligent key management: WinMagic’s unique two-stage key file deployment model. In the context of intelligent key management, a key file is a file that holds keys for a specific user/device pairing. For example, a single key file could hold a device’s full disk encryption (FDE) key, a group key for file and folder encryption, and an enterprise key for cloud-based file synchronization and storage services. Key file deployment is the process of ensuring that the user’s key file containing his or her keys for a particular device is securely transferred to the device and stored securely on the device.
Key File Deployment Use Cases
On the surface, key file deployment sounds deceptively straightforward and simple: just transfer the user’s keys from other systems to the user’s device. Unfortunately, in most cases key file deployment is much more complicated. The best example is device provisioning. For example, system administrators in most environments need to ensure that laptops are using FDE before users are allowed to access or store any data from that laptop, which helps protect the data in case the laptop is lost or stolen. However, to be able to supply laptops to users in a timely fashion, system administrators must set up these laptops ahead of time, before each laptop’s user has been designated. In some cases this is even more complicated because multiple people could be using a single laptop. Enabling people to use FDE-protected laptops without knowing who the people will be poses a serious dilemma for key file deployment.
Let’s look at several other examples of FDE deployment use cases that illustrate the complexities of key file deployment:
- Microsoft System Center Configuration Manager (SCCM). An administrator would like to use SCCM to deploy FDE to devices that are already being used by their respective users.
- Online install. An administrator wants to deploy FDE to an online device that is already being used.
- Manual install by administrator. An administrator may want to deploy FDE to a device using his or her own account, and then set up the device so that the first time the user logs in, he or she indicates being the primary user, and FDE key provisioning is completed automatically.
- Administrative accounts added to package. An administrator wants to deploy FDE to a device and allow a few other administrators to have access to that device.
Key File Deployment Challenges
So far we’ve looked at what makes enterprise key file deployment so complex. In addition to dealing with all of that complexity—coming up with a key file deployment solution that supports all the use cases and is effective for other situations as well—there are other challenges to key file deployment, most notably speed, security, and scalability.
- Speed primarily involves how much time it takes from when a new user and/or device is identified to when that user has access to the associated deployed key file on that device. For some organizations and cases, this is measured in seconds or minutes; for others, it’s counted in hours or even days.
- Security for key file deployment has several facets, including ensuring that the keys and key file are transmitted and stored securely, and that only the authorized person has access to the user’s key file on any given device. The latter may necessitate supporting different authentication forms on different devices—for example, requiring two-factor authentication through smart cards, biometrics, etc. when supported by the device, otherwise requiring just a password. Security may also involve using a trusted platform module (TPM) for binding an encrypted drive to a specific computer.
- Scalability refers to how easily the key file deployment solution can be expanded to handle larger numbers of users and devices. A key file deployment solution designed for a certain number of users and devices may have serious bottlenecks that are not encountered until its designated limits are met or exceeded.
All of these challenges themselves pose an additional challenge to administrators: avoiding errors and delays in managing key file deployment. Every mistake made by an administrator is likely to result in either a loss of availability for a legitimate user who cannot get authenticated, or an opportunity for an attacker to leverage a weakness and compromise enterprise security controls. And as the use of encryption expands throughout an organization, the number of keys within an organization will increase correspondingly, making mistakes by administrators inevitable.
Solving Key File Deployment Challenges
To solve these key file deployment challenges and overcome the sheer complexity of possible use cases, WinMagic has developed a two-stage key file deployment model based on nearly 20 years of experience with enterprise key management involving a variety of authentication methods. This model greatly simplifies key file deployment to make it easy for enterprises with a wide range of security needs. Let’s take a quick look at these stages and what happens during each one.
Stage 1 – Provisioning
Stage 1 is known as the Provisioning Stage. In this stage, the user’s device contains a temporary provisioning key file. This file is not specific to the user; it is present simply to enable the device to provide basic operations so that the actual user can be identified. The device at this point is usually set up for autoboot or configured with a known static password to facilitate the user’s initial login. Autoboot is defined as unattended, automatic pre-boot authentication for the device.
The transition point between the end of Stage 1 and the beginning of Stage 2 is known as the Secure Moment. In the Secure Moment, the device “owner” is identified and authenticated, the user’s key file for the device is prepared, the key file is transferred to the device and stored, and finally the provisioning key file is removed.
Stage 2 – Deployed/Secured
Stage 2 is called the Deployed/Secured Stage. At this point, the user’s key file is present and secured on the device, so the user can proceed with their normal use of the device, being authenticated as needed, such as to unlock the FDE software at boot to allow device use.
In some cases, organizations do not need to have a Provisioning Stage, for example because the owner of the device is already known and will automatically reach the Secure Moment. Under this arrangement, the user enters his or her username and chosen password for key file access, and the key file deployment solution generates a matching key file and delivers it to the device, then securely stores it. At this point, the Secure Moment has been achieved and the Deployed/Secure Stage starts. There is never a temporary provisioning file deployed to the device. Some organizations require the additional degree of security that can be achieved by omitting the Provisioning Stage; for example, if there is no Provisioning Stage, then devices are not placed in autoboot mode, which can temporarily reduce their security.
WinMagic’s two-stage model for key file deployment, as implemented through its SecureDoc Enterprise Server (SES), provides a highly usable and secure solution for enterprise key file deployment. WinMagic’s key management experts have dedicated themselves to make life easier for both users and system administrators. WinMagic SES provides a flexible solution that ensures that key file deployment to user endpoints is fast, secure, and scalable to meet the needs of virtually every organization.
Achieving security while seemingly requiring no additional action by users is an art. WinMagic has worked hard to provide a magic touch to this deceptively complex area of device provisioning. With technologies based on pre-boot networking (PBN), the two stages described above could be more secure yet easy-to-use as machines automatically boot unattended if they are within the enterprise network, or if the actual user is defined directly via authentication to Active Directory right at pre-boot time. We will discuss the usage of PBN in the next blog. For us, PBN changes the FDE space as the network changed the computing space back in the 80s.
Karen Scarfone is the co-author of this blog. She is a former senior computer scientist for the National Institute of Standards and Technology (NIST), and has over 15 years of experience across a wide variety of security domains.