With the right tools, it is not difficult for your business to lock away encrypted data, safe from unauthorized eyes. But managing the encryption keys can feel like a headache you don’t want to add to your daily business chores, especially when you are a small or medium business with a tight budget.
No matter what encryption tool you use, you’ll have to generate keys, use them safely, safeguard, archive and delete them at the end of their life cycles.
You’ll have to do all of this in a way that doesn’t compromise the security of the encrypted data you’re protecting. Key management should be a top priority for your team, and you must limit access to the keys on several fronts. One of the important strategies in key management is the separation of duties.
Encrypted Data Protection: Defining Roles for Key Protection
NIST (National Institute of Standards and Technology) offers advice on computer security in a special publication, recommending that you define functions in the encryption key section of your security policy document and that those duties be separated. In other words, you should assign roles so that no one person has complete access to the encryption keys. You should divide duties among staff members in a way that ensures no single individual has the access privileges or information needed to commit fraud that could damage your business.
This principle is commonly applied in the accounting and financial departments of most companies. For example, the person who has the job of printing checks shouldn’t be the one signing the checks.
How Separation of Duties Can Apply to Data Encryption
In the area of the management of encryption keys, it can help to identify the different types of functions that are expected from your staff. No single person should be assigned more than one function wherever possible. The functions could be divided as authorization of keys, custody, keeping records, and key reconciliation (during this step, error-correcting information is exchanged).
To make sure that no unauthorized person accesses sensitive data, you must ensure that the person who manages encryption keys doesn’t have access to the protected data. The reverse holds true as well: the data user should never be allowed to create or manage keys. Separation of duties is a common principle in financial departments, but it’s often overlooked in the area of computer security. It can be a relatively straightforward and foolproof layer of physical security for your encrypted data.
One Person Shouldn’t Have Sole Authority over a Process
Just as one employee shouldn’t be assigned two functions in key management, no single employee should have sole authority over a process.
For instance, you shouldn’t assign only one person the role of generating keys for encrypted data. At least two people should be key admins, to prevent misuse of data by one of them. Again, this may not be the easiest strategy to follow for small businesses. But there are additional steps that you can take for monitoring.
One tip is to cross-train employees so that when someone is on vacation or leave, your business doesn’t come to a standstill. Make sure that key operations are logged to your central log management, and take some time to review those reports. Check to see that only authorized personnel have accessed data.
Another principle that an ideal key management should follow is that of split knowledge. In other words, the encryption key should be divided in two and shared between two people. No one person should have knowledge of the entire key. Whenever you need an encryption key to be created, both these individuals should be present.
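As an added example (not from the original post), here is the split-knowledge principle above carried through in Python as a threshold scheme: the two-person case described is the 2-of-2 instance, and the same code generalizes to "any k of n custodians", which also covers the vacation and cross-training concern raised earlier. It uses Shamir's secret sharing over a prime field; the custodian count, threshold and the sample key are constructed for the demonstration.

```python
import secrets

# 2**521 - 1 is a Mersenne prime; it holds a 256-bit key as one field element,
# so each custodian's share is a single (x, y) pair of field elements.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result

def split_key(key: bytes, threshold: int, custodians: int):
    """Split key into one share per custodian; any `threshold` shares rebuild it.
    Fewer shares reveal nothing: the random coefficients leave every possible
    constant term (key) equally likely."""
    if not 1 < threshold <= custodians:
        raise ValueError("need 1 < threshold <= custodians")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Constant term is the key; the other threshold-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, custodians + 1)]

def combine_shares(shares, key_len: int) -> bytes:
    """Recover the key from `threshold` shares by Lagrange interpolation at x=0."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share supplied")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Divide by den using Fermat's little theorem (PRIME is prime).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")

if __name__ == "__main__":
    # Constructed sample: a random 256-bit key split so that any 2 of the 3
    # custodians can rebuild it, which tolerates one person being on leave.
    key = secrets.token_bytes(32)
    shares = split_key(key, threshold=2, custodians=3)
    assert combine_shares(shares[:2], 32) == key
    assert combine_shares([shares[0], shares[2]], 32) == key
    print("2-of-3 split verified")
```

Each custodian stores only their own (x, y) pair, so a key ceremony needs the threshold number of them present, exactly as the split-knowledge rule requires.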
It may all sound cumbersome and hungry for human resources that most small businesses don’t have, but even if you cannot follow the third principle, make sure that you separate duties and apply dual control to each function for peace of mind. You cannot be too careful when it comes to protecting sensitive data.
On a side note, don’t forget to secure the physical facility where your key manager is housed. It goes without saying that it shouldn’t be on the same server where the encrypted data is stored.
Are you using any of these strategies to safeguard and manage the keys to your business’ encrypted data?