Cybersecurity Cloud Lesson 1: rule book in key management for companies
Courtesy of Professor Bill Buchanan OBE:
Your encryption keys are the keys to your castle. So protect them with your life!
Your enemy is you! The main threat is insiders, so beware of yourself and others in your company.
Beware of those that you trust and who you partner with. They can be your enemies, too.
For sensitive data, try not to let Amazon or Microsoft manage your keys.
Put your private keys in an HSM (Hardware Security Module). A shared HSM is fine, but if you have funds, create your own Cloud HSM.
If you are audited for your keys, you may need an on-premises HSM to link to your Cloud instance.
Create meaningful tags for your keys that make sense for everyone. Don’t tag them as “Key1”, “Key2”, and so on. Give them meaning, “Main Active Directory Single Sign-on Key for Sales in Europe”. Add words that allow you to search for keys easily.
Log the usage of your keys everywhere and link to people, roles, services and applications. Log, log and log some more.
Watch out for those keys being deleted … it is one of the easiest hacks for a disgruntled employee to perform.
Watch out for key wrapping from your insiders and your key exports. See Point 1.
Use a tiered alerting system which escalates the severity of the key usage, but make sure you keep those logs.
Use envelope encryption.
Test, test, and test some more.
Audit, audit, and audit. On a daily basis, if necessary.
Test those encrypted backups.
We all make mistakes. If you delete a key, please say, as we have 60 days to undelete it.
Use key rotation wherever possible.
Just because ECDSA and EdDSA sound all fancy and brand new doesn’t mean that RSA is not an option.
RSA is still your friend. Forget about those doomsayers on quantum cracking.
MD5 and SHA-1 should never, ever, be seen.
Beware of DevOpSec. They can be sloppy with their keys. Tell them off for doing risky things!
I had better stop here. So, finally, put a large poster on the wall that says, “no key, means no data!”, “the enemy is within and around you!”, “A breach of the trust infrastructure is one of the most expensive cybersecurity threats to resolve”, “A single key breached, and this company could be finished!”.
So, really just one rule, "Your encryption keys are the keys to your castle. So protect them with your life!". All the others are just corollaries that describe various ways in which one may fail to protect them. Great list, though!
Another thing to consider is that more keys, each with a smaller footprint, reduce the blast radius if something is compromised.
While all the points look good in theory, what makes you think customers can handle and protect the keys to the castle much better than the CSPs? In fact, in practice, many organizations dealing with sensitive information in the cloud, including the ones that are highly regulated, take the CMK or CSP-managed key approach as opposed to CSK.