rely on it. To this extent, key management is a small, but important, part of the
wider management of the security of an information system.
For a private user managing keys on their own machine, key management may
simply involve the selection of appropriate techniques for conducting each of the
relevant phases of the key lifecycle. However, key management is a much more
complex process for an organisation, due to the diversity of processes that affect
key management, which we outlined in Section 10.1.1.
Key management within an organisation thus needs to be governed by rules
and processes. In this section we will briefly discuss some of the issues involved
in governing key management effectively within an organisation.
10.7.1 Key management policies, practices and procedures
Within an organisation, the most common way to govern key management is
through the specification of:
Key management policies. These define the overall requirements and strategy for providing key management. For example, a policy might be that all cryptographic keys are stored only in hardware.
Key management practices. These define the tactics that will be used in order to achieve the key management policy goals. For example, that all devices using cryptography will have an in-built HSM.
Key management procedures. These document the step-by-step tasks necessary in order to implement the key management practices. For example, the specification of a key establishment protocol that will be used between two devices.
Clearly, different organisations will have different approaches to the formulation
of key management policies, practices and procedures, but the important outcome
of this process should be that key management governance is:
By design: in other words, that the entire key management lifecycle has been planned from the outset, and not made up in response to events as they occur.
Coherent: the various phases of the key lifecycle are considered as linked component parts of a larger unified process and designed with this 'big picture' in mind.
Integrated: the phases of the key management lifecycle are integrated with the wider requirements and priorities of the organisation.
For commercial organisations, it may also make sense to publicise key management
policies and practices, since this can be used as a mechanism for
increasing confidence in their security practices. This is particularly relevant for
organisations providing cryptographic services, such as Certificate Authorities
(see Section 11.2.3).