Governing Key Management

Let’s learn about the issues involved in governing key management effectively within an organization.

We have repeatedly stressed in this chapter that key management is the main interface between cryptographic technology on the one hand and the users and systems that rely on it on the other. In this sense, key management is a small but important part of the wider management of the security of an information system.

For a private user managing keys on their machine, key management may involve selecting appropriate techniques to conduct each of the relevant phases of the key lifecycle. However, key management is a much more complex process for an organization due to the diversity of key management processes. That’s why key management within an organization needs to be governed by rules and processes.

Key management policies, practices, and procedures

Within an organization, the most common way to govern key management is through the specification of:

  • Key management policies: These define the overall requirements and strategy for providing key management. For example, a policy might be that all cryptographic keys are stored only in hardware.

  • Key management practices: These define the tactics used to achieve the key management policy goals. For example, all devices using cryptography will have a built-in HSM.

  • Key management procedures: These document the step-by-step tasks necessary to implement the key management practices. An example is the specification of a key establishment protocol between two devices.

Different organizations will have different approaches to formulating key management policies, practices, and procedures. Still, the important outcome of this process should be that key management governance is:

  • By design: The entire key management lifecycle has been planned from the outset and not made up in response to events as they occur.

  • Coherent: The various phases of the key lifecycle are considered linked parts of a larger unified process and designed with this ‘big picture’ in mind.

  • Integrated: The phases of the key management lifecycle are integrated with the wider requirements and priorities of the organization.

For commercial organizations, it may also make sense to publicize key management policies and practices since this can be used to increase confidence in their security practices. This is particularly relevant for organizations providing cryptographic services, such as certificate authorities.

Formulating key management policies, practices, and procedures also facilitates the auditing of key management, which is part of the wider process of auditing security. This is because not only can the policies, practices, and procedures themselves be scrutinized, but the effectiveness of their implementation can then be tested.

Example procedure: Key generation ceremony

Let’s illustrate the potential complexities of key management governance by giving an example of an important type of key management procedure that a large organization might require. This is a key ceremony, which can be used to implement key generation from components. Note that the key in question could be a top-level (master) symmetric key or a top-level (root) private key, which must be installed into an HSM. The key might be:

  • A new key being freshly generated.

  • An existing key being reestablished (from backed-up, stored components).
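The following sketch is an added example, not part of the original lesson; it shows key generation from components for both cases above: a fresh ceremony that records a check value, and a reestablishment from stored components that must reproduce it. It assumes the components are combined by XOR and uses a truncated HMAC-SHA-256 as a stand-in for the check value an HSM would report; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32  # bytes; a 256-bit top-level symmetric key (assumed size)


def new_component(length: int = KEY_LEN) -> bytes:
    """One custodian's component, drawn from the OS CSPRNG."""
    return secrets.token_bytes(length)


def check_value(key: bytes) -> str:
    """Short fingerprint for the ceremony log (truncated HMAC-SHA-256,
    an assumption standing in for the check value an HSM would report)."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:6].upper()


def combine(components: list) -> bytes:
    """XOR all components together; every one is required to form the key."""
    if len(components) < 2:
        raise ValueError("a ceremony needs at least two custodians")
    if len({len(c) for c in components}) != 1:
        raise ValueError("components must all be the same length")
    key = bytes(len(components[0]))
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def ceremony(components: list, expected_kcv: Optional[str] = None) -> str:
    """Combine components and return the key's check value.
    With expected_kcv set (reestablishment), a mismatch aborts the ceremony."""
    kcv = check_value(combine(components))
    if expected_kcv is not None and not hmac.compare_digest(kcv, expected_kcv):
        raise ValueError("check value mismatch: wrong or corrupted component")
    return kcv


if __name__ == "__main__":
    # Fresh generation: three custodians each contribute one component.
    parts = [new_component() for _ in range(3)]
    recorded = ceremony(parts)
    print("recorded check value:", recorded)
    # Reestablishment from stored components must reproduce the same value.
    print("reestablished:", ceremony(parts, expected_kcv=recorded) == recorded)
```

In a real ceremony the combining step happens inside the HSM, so the assembled key never exists in host memory as it does in this sketch.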
