
ASecuritySite Podcast

Bill Buchanan: Cybersecurity Cloud Lesson 1 - Rule Book in Key Management

23 Jul 2023

Description

Cybersecurity Cloud Lesson 1 rule book in key management for companies. Your encryption keys are the keys to your castle, so protect them with your life!

1. Your enemy is you! The main threat is insiders, so beware of yourself and others in your company. Beware of those that you trust and who you partner with. They can be your enemies, too.
2. For sensitive data, try not to let Amazon or Microsoft manage your keys. Put your private keys in an HSM (Hardware Security Module). A shared HSM is fine, but if you have the funds, create your own Cloud HSM. If you are audited for your keys, you may need an on-premises HSM linked to your Cloud instance.
3. Create meaningful tags for your keys that make sense to everyone. Don't tag them "Key1", "Key2", and so on. Give them meaning: "Main Active Directory Single Sign-on Key for Sales in Europe". Add words that allow you to search for keys easily.
4. Log the usage of your keys everywhere and link it to people, roles, services and applications. Log, log and log some more.
5. Watch out for keys being deleted ... it is one of the easiest hacks for a disgruntled employee to perform.
6. Watch out for key wrapping by your insiders, and for key exports. See Point 1.
7. Use a tiered alerting system which escalates the severity of key usage, but make sure you keep those logs.
8. Use envelope encryption.
9. Test, test, and test some more. Audit, audit, and audit, on a daily basis if necessary. Test those encrypted backups.
10. We all make mistakes. If you delete a key, please say so, as we have 60 days to undelete it.
11. Use key rotation wherever possible.
12. Just because ECDSA and EdDSA sound all fancy and brand new doesn't mean that RSA is not an option. RSA is still your friend. Forget about those doomsayers on quantum cracking.
13. MD5 and SHA-1 should never, ever, be seen.
14. Beware of DevSecOps. They can be sloppy with their keys. Tell them off for doing risky things!

I had better stop here.
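The envelope encryption and key rotation rules above, as an added Go example that is not code from the podcast or from ASecuritySite. It assumes an in-memory stand-in for the key-encryption key (KEK) that a real deployment would keep inside the HSM or cloud KMS, AES-256-GCM for both the data layer and the wrapping layer, and the hypothetical key names "Sales EU SSO KEK v1" and "v2". Each record gets its own data-encryption key (DEK); only the DEK is wrapped under the KEK, so rotating the KEK means re-wrapping DEKs, not re-encrypting the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KEK stands in for a key-encryption key held in an HSM or KMS (assumption: in-memory here).
type KEK struct {
	ID  string // e.g. "Main Active Directory Single Sign-on Key for Sales in Europe"
	key []byte // 32 bytes, AES-256
}

// Envelope is what is stored beside the data; a plaintext DEK is never persisted.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK), with the KEK ID as AAD
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

// mustRandom panics if the CSPRNG fails: there is no safe way to continue.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKEK(id string) *KEK { return &KEK{ID: id, key: mustRandom(32)} }

// mustGCM panics on a bad key; every key here is 32 bytes by construction.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce || ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	aead := mustGCM(key)
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open inverts seal; any change to the blob or the aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := mustGCM(key)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt makes a fresh DEK per record, encrypts the data with it and wraps the
// DEK under the KEK, binding the KEK ID as AAD so a wrapped DEK cannot be
// re-labelled as belonging to another key. The KEK never touches bulk data.
func Encrypt(k *KEK, plaintext []byte) *Envelope {
	dek := mustRandom(32)
	return &Envelope{
		KEKID:      k.ID,
		WrappedDEK: seal(k.key, dek, []byte(k.ID)),
		Ciphertext: seal(dek, plaintext, nil),
	}
}

// Decrypt unwraps the DEK with the KEK and then decrypts. A KEK other than the
// one the envelope was wrapped under fails the unwrap (the ID is bound in as
// AAD); with the KEK deleted or the wrap tampered with, the record is gone.
func Decrypt(k *KEK, e *Envelope) ([]byte, error) {
	dek, err := open(k.key, e.WrappedDEK, []byte(k.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap under %q failed (wrong, retired or tampered key): %w", k.ID, err)
	}
	return open(dek, e.Ciphertext, nil)
}

// Rotate re-wraps only the DEK under the new KEK; the bulk ciphertext is
// untouched, which is what makes KEK rotation cheap.
func Rotate(oldK, newK *KEK, e *Envelope) (*Envelope, error) {
	dek, err := open(oldK.key, e.WrappedDEK, []byte(oldK.ID))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap under %q: %w", oldK.ID, err)
	}
	return &Envelope{KEKID: newK.ID, WrappedDEK: seal(newK.key, dek, []byte(newK.ID)), Ciphertext: e.Ciphertext}, nil
}

func main() {
	v1, v2 := NewKEK("Sales EU SSO KEK v1"), NewKEK("Sales EU SSO KEK v2")
	rotated, _ := Rotate(v1, v2, Encrypt(v1, []byte("customer record")))
	pt, err := Decrypt(v2, rotated)
	fmt.Printf("after rotation: %q (err=%v)\n", pt, err)
}
```

Against a real HSM or KMS the local seal and open calls on the KEK become the module's wrap and unwrap operations, and the key bytes never leave it; the envelope layout, the AAD binding of the key name and the re-wrap-only rotation stay the same. Deleting the KEK (or letting a disgruntled insider do so) makes every envelope wrapped under it unreadable, which is why the deletion and undelete rules matter.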
So, finally, put a large poster on the wall that says "no key means no data!", "the enemy is within and around you!", "A breach of the trust infrastructure is one of the most expensive cybersecurity threats to resolve" and "A single key breached, and this company could be finished!". Sorry for being so coarse in places, but handling keys is a serious business.
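The logging and tiered-alerting rules above (log every key use linked to a principal, escalate severity, watch deletions, wrapping and exports, and keep every log line) as an added Go example, not code from the podcast or from ASecuritySite. The line format, the action names, the principals (svc-sales-api, alice@corp, bob@corp) and the key alias sales-eu-sso-kek are constructed for the example; the same fields come out of a provider's own audit trail (CloudTrail for AWS KMS, diagnostic logs for Azure Key Vault) and would be mapped into the Event type before classification.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Severity int

const (
	Info Severity = iota
	Medium
	High
	Critical
)

func (s Severity) String() string { return []string{"INFO", "MEDIUM", "HIGH", "CRITICAL"}[s] }

// Event is one key-usage record; the whitespace-separated line format is constructed for this example.
type Event struct {
	At     time.Time
	Actor  string // principal: a human user or a service role
	Action string // Decrypt, GenerateDataKey, WrapKey, ExportKey, ScheduleKeyDeletion ...
	KeyID  string // meaningful key alias, never "Key1"
	Kind   string // "service" or "human"
}

type Alert struct{ Event Event; Severity Severity; Reason string }

var SampleLog = []string{ // constructed for this example, not a real audit trail
	"2023-07-23T09:00:00Z svc-sales-api GenerateDataKey sales-eu-sso-kek service",
	"2023-07-23T09:05:00Z alice@corp Decrypt sales-eu-sso-kek human",
	"2023-07-23T09:05:01Z alice@corp Decrypt sales-eu-sso-kek human",
	"2023-07-23T09:05:02Z alice@corp Decrypt sales-eu-sso-kek human",
	"2023-07-23T09:10:00Z bob@corp WrapKey sales-eu-sso-kek human",
	"2023-07-23T23:50:00Z bob@corp ScheduleKeyDeletion sales-eu-sso-kek human",
}

func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Event{}, fmt.Errorf("bad record, want 5 fields: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{At: at, Actor: f[1], Action: f[2], KeyID: f[3], Kind: f[4]}, nil
}

// Classify assigns the base tier from the action and who performed it.
func Classify(e Event) Severity {
	switch e.Action {
	case "ScheduleKeyDeletion", "DeleteKey", "DisableKey":
		return Critical // lose the key, lose the data
	case "ExportKey", "GetParametersForImport", "WrapKey":
		return High // key material leaving, or being wrapped for, somewhere else
	case "Decrypt", "Encrypt", "GenerateDataKey", "Sign":
		if e.Kind == "human" {
			return Medium // services use keys; a person doing it by hand is unusual
		}
		return Info
	}
	return Medium // an action the rule set does not know: worth a look
}

// Escalate walks the log in order: every event is retained whatever its tier,
// alerts are raised at Medium and above, and a principal making more than
// burstLimit calls on one key inside window is escalated to High even when
// each call on its own is routine.
func Escalate(lines []string, window time.Duration, burstLimit int) (retained []Event, alerts []Alert, err error) {
	recent := map[string][]time.Time{} // actor@key -> call timestamps inside window
	for _, line := range lines {
		e, perr := ParseLine(line)
		if perr != nil {
			return nil, nil, perr // a log you cannot parse is a log you cannot audit
		}
		retained = append(retained, e)
		sev, reason := Classify(e), "base tier for "+e.Action
		k := e.Actor + "@" + e.KeyID
		ts := append(recent[k], e.At)
		for len(ts) > 0 && e.At.Sub(ts[0]) > window {
			ts = ts[1:]
		}
		recent[k] = ts
		if len(ts) > burstLimit && sev < High {
			sev, reason = High, fmt.Sprintf("%d calls on %s by %s within %s", len(ts), e.KeyID, e.Actor, window)
		}
		if sev >= Medium {
			alerts = append(alerts, Alert{Event: e, Severity: sev, Reason: reason})
		}
	}
	return retained, alerts, nil
}

func main() {
	_, alerts, _ := Escalate(SampleLog, time.Minute, 2)
	for _, a := range alerts {
		fmt.Println(a.Severity, a.Event.At.Format("15:04:05"), a.Event.Actor, a.Reason)
	}
}
```

The retained slice is the audit trail and the alerts slice is what goes to the pager: they are kept separate on purpose, so that tuning the alert tiers never drops a log line. In the sample, the service's GenerateDataKey is retained but silent, a person decrypting by hand is Medium, the third call inside a minute is escalated to High, WrapKey is High on its own, and ScheduleKeyDeletion is Critical regardless of who issued it.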
