This article can also be found in the Premium Editorial Download "Storage magazine: What you need to know about data storage provisioning."
Sidebar: Sampling of encryption-key management products
- Application Security Inc.
- BrightStor Tape Encryption
- EMC Corp./RSA Security Inc.
- Authority Security Manager
- Ingrian Networks Inc.
- PGP Encryption Platform, PGP NetShare
- Spectra Logic Corp.
- Symantec Backup Exec
- SecureDoc Enterprise Server
There are a number of issues to consider when storing keys:
- Will they be stored on each client that needs to access the information, on a central server that requires authentication to release the key, or in a hardware device such as a smart card or USB key?
- How will you ensure that keys will still be available in five, 10 or 50 years when access to archived data is required?
- Will an authorized staffer be able to access keys in a disaster when servers must be rebuilt from encrypted backups without the original backup software or tape drive that did the encryption?
- How do you track what data was encrypted with which key, and where the key is stored?
Most encryption-key management products from established vendors (see the sidebar "Sampling of encryption-key management products" above) offer substantial benefits over home-grown approaches such as keeping keys in an Excel spreadsheet or Access database, including:
- Automatic key management. Keys are generated by the system rather than typed in by users, and are only ever handled in wrapped (encrypted) form, so a user cannot copy or leak a plaintext key the way a spreadsheet entry can be.
- Key material comes from a cryptographically strong random-number generator, not from human-chosen passphrases or other predictable strings.
- A separate key-encryption key (KEK) wraps the data keys used for backups; the two are never the same key, and neither data keys nor KEKs are stored or transmitted in the clear.
- Because generation and secure storage are automatic, keys can be rotated on a schedule; rotating a KEK only requires re-wrapping the data keys, not re-encrypting the data itself.
- Distributed and clustered deployments release keys quickly at whichever location needs to read the data; keys can be replicated so that the failure of one appliance does not make the encrypted data unrecoverable.
- Software-based recovery of encrypted data from keys held on hardware tokens (smart cards or USB keys), which matters when the original backup server or tape drive is gone.
- Reporting tools automatically record which key (by identifier) protects each backup tape or encrypted store, answering the tracking question above.
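The key hierarchy and tracking described in the two lists above (random data keys, a distinct key-encryption key, nothing kept in the clear, scheduled rotation, and a record of which key protects which tape) as an added Python model; this is illustration written for this page, not code from any product in the sidebar. The wrap primitive is an HMAC-SHA256 keystream with an HMAC tag because the standard library has no AES (a real server would use AES Key Wrap or AES-GCM behind an HSM), and the KeyServer class, key identifiers and tape labels are assumptions for the example.

```python
"""Minimal model of a key-management server (added illustration, not product code).

Data-encryption keys (DEKs) are random, stored only wrapped under a separate
key-encryption key (KEK), and tracked per backup set. Rotating the KEK
re-wraps the DEKs without touching the data on tape.
The wrap primitive stands in for AES Key Wrap / AES-GCM: the Python standard
library has no block cipher, so an HMAC-SHA256 counter-mode keystream plus an
HMAC tag (encrypt-then-MAC) is used instead. Do not use it in production.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

KEY_LEN = 32    # 256-bit data-encryption keys
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(kek: bytes, label: bytes) -> bytes:
    """Derive purpose-specific subkeys so one KEK is never used for both
    confidentiality and integrity."""
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, key_id: str, dek: bytes) -> bytes:
    """Encrypt a DEK under the KEK. The key_id is bound into the tag so a
    wrapped blob cannot be moved from one catalog record to another."""
    enc_key, mac_key = _subkey(kek, b"enc"), _subkey(kek, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, key_id: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any tampering or wrong key_id fails."""
    enc_key, mac_key = _subkey(kek, b"enc"), _subkey(kek, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"wrapped key {key_id} failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class KeyServer:
    """Hypothetical key server: the KEK would live in an HSM or on a smart card."""
    kek: bytes = field(default_factory=lambda: secrets.token_bytes(KEY_LEN))
    kek_version: int = 1
    wrapped: dict = field(default_factory=dict)   # key_id -> (kek_version, wrapped blob)
    catalog: dict = field(default_factory=dict)   # backup label -> key_id

    def create_key(self, backup_label: str) -> str:
        """Generate a random DEK for a backup set; only the wrapped form is retained."""
        key_id = f"k-{secrets.token_hex(4)}"
        dek = secrets.token_bytes(KEY_LEN)
        self.wrapped[key_id] = (self.kek_version, wrap_key(self.kek, key_id, dek))
        self.catalog[backup_label] = key_id
        return key_id

    def release_key(self, backup_label: str) -> bytes:
        """Look up the key for a tape and unwrap it (authentication of the caller omitted)."""
        key_id = self.catalog[backup_label]
        version, blob = self.wrapped[key_id]
        if version != self.kek_version:
            raise RuntimeError(f"{key_id} wrapped under KEK v{version}, current is v{self.kek_version}")
        return unwrap_key(self.kek, key_id, blob)

    def rotate_kek(self) -> int:
        """Re-wrap every DEK under a fresh KEK; data already on tape is untouched."""
        new_kek, new_version = secrets.token_bytes(KEY_LEN), self.kek_version + 1
        for key_id, (_, blob) in list(self.wrapped.items()):
            dek = unwrap_key(self.kek, key_id, blob)
            self.wrapped[key_id] = (new_version, wrap_key(new_kek, key_id, dek))
        self.kek, self.kek_version = new_kek, new_version
        return new_version

    def report(self) -> list:
        """Which backup set uses which key, and which KEK version wraps it."""
        return [(label, kid, self.wrapped[kid][0]) for label, kid in sorted(self.catalog.items())]


if __name__ == "__main__":
    ks = KeyServer()
    ks.create_key("tape-0001")
    ks.create_key("tape-0002")
    ks.rotate_kek()
    for row in ks.report():
        print(row)
```

The point to notice is that a DEK never leaves the server except through release_key, the on-disk record (wrapped plus catalog) contains no plaintext key, and a KEK rotation changes only the wrapped blobs and their version stamp, which is exactly what lets the catalog answer "which key, under which KEK, for which tape" years later.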
This was first published in October 2006