The information presented in this white paper discusses various approaches to cryptography and key management. Taking a proactive approach to data protection-planning, policies, and process-results in a smoother implementation and a positive return on investment. Unlike disparate, multi-vendor point solutions that can create limited "islands" of security, SafeNet's approach provides an integrated security platform with centralized policy management and reporting. This is ideal for seamless, cost-efficient management of encrypted data across databases, applications, networks, and endpoint devices. Centralized encryption and key management also provides a uniform and ubiquitous way of protecting data while reducing the cost and complexity associated with compliance and privacy requirements.
Applying Enterprise Security Policy and
Key Management Written by Terry Fletcher, Senior Security Architect, SafeNet Publication Date: August 28, 2009 Executive Overview This white paper is the second in a series following An Enterprise Guide to Understanding Key Management which introduces different types of cryptography and keys used in modern data protection applications. In addition the guide provides a brief summary of the main key management elements used within the infrastructure. Please refer to it for background material to this white paper. The information presented in this white paper discusses various approaches to cryptography and key management. Taking a proactive approach to data protection-planning, policies, and process-results in a smoother implementation and a positive return on investment. Unlike disparate, multi-vendor point solutions that can create limited "islands" of security, SafeNet's approach provides an integrated security platform with centralized policy management and reporting. This is ideal for seamless, cost-efficient management of encrypted data across databases, applications, networks, and endpoint devices. Centralized encryption and key management also provides a uniform and ubiquitous way of protecting data while reducing the cost and complexity associated with compliance and privacy requirements. Each business has its unique network and operational requirements, which results in the need for tailored key management policies. While policies can be based on standardized specifications, it is a best practice to conduct a comprehensive risk assessment to reveal specific points to consider in designing key management policies and procedures. 1. End-to-End Security in the Infrastructure 1.1 Applications of Key Management We begin this white paper by moving from the key management basics found in the white paper, An Enterprise Guide to Key Management where we introduced different types of cryptography and keys used in modern data protection applications and touched on the challenges associated with managing huge numbers of keys under a variety of security policies. It also provided a brief summary of the main key management elements used within the infrastructure. (They are referenced in Figure 1 below). The application types presented in the following sub-sections are categorized as data-in-motion (with sub-categories of transaction-based and messaging applications) and data-at-rest protection. The applications are categorized in this way to focus on protection of the data content associated with them rather than protection of the media used to transport and/or store the data. The categories are distinguished as follows: ? Transaction-based applications involve the real-time exchange of data; this is commonly described as request and response. This category involves the automatic processing of data resulting in real-time changes to the state of the system. The
Applying Enterprise Security Policy and Key Management Page 1 of 13
data being exchanged is generally small in size. Data is typically protected based on the application handling the data. ? Messaging applications are sometimes referred to as "store-and-forward". In general, they are not real-time in nature and do not result in automated state changes. A side characteristic of this application category is that the data involved can be of any size and very large documents or messages are not uncommon. Data is typically protected for a specific set of authorized entities. ? Data-at-rest protection, as the name implies involves the protection of data confidentiality and/or integrity in a static or "stored" environment. This could be associated with very large storage solutions in data centers or Storage Area Networks or with disk and file protection on workstations or servers. Data can be of any size and could require protection for very long periods of time or could be shorter-lived (e.g., weeks or months). Data may be protected based on the application or on a set of authorized entities. 1.1.1 Key Management for Transaction-Based Applications Two major transaction-based application types driving key management requirements are payments systems and Electronic Data Interchange (EDI). Until recently, key-management for transaction-based systems has exclusively involved symmetric keys. Symmetric keys are typically maintained by each organizati... [download for more]
