Eric Murray, Security Architect at Zettaset, offers the following rules for the use of in-flight encryption tools. While his ideas appear to be simple, common-sense suggestions, applying them could reduce the concerns organizations have about data protection and security.
Here's what he suggests:
- Encryption keys should never be stored along with the data they encrypt. Instead, use a secure key server. Storing the key with the data means it is available to whoever obtains the data, and hiding the key within the software itself only makes it that much easier for an attacker to recover it.
- A client should authenticate to the key server with certificates, and the key server should be on a private network. The reasoning being that if an attacker steals the host, it won't be able to reach the key server to get the keys.
- It's best to use standards and common algorithms; doing so keeps your options open. Among the most common key management protocols is KMIP (the OASIS Key Management Interoperability Protocol). Key servers that aren't sealed appliances should use PKCS#11 HSMs for key storage.
- Highly available key servers are always advised. If your hosts can't get to the keys when they need them, they are out of commission.
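As an added example (not code from Murray or Zettaset), the following Python sketches the client-side shape of rules 1, 2 and 4 together: a host fetches keys from a pool of key-server replicas with failover, the stored record carries only a key ID and never the key, and two helpers build the mutually authenticated TLS contexts a real client and key server would use. Everything outside the standard library is assumed away: the key server is an in-memory stand-in for a KMIP/HSM-backed service, the HMAC-based stream cipher stands in for a real AEAD such as AES-GCM (which the standard library lacks) and is not for production use, and the certificate paths passed to the TLS helpers are placeholders that are not exercised here.

```python
"""Key-server client pattern: keys live on a separate, highly available key
service reached over mutually authenticated TLS; the stored record carries only
a key ID. The key server below is an in-memory stand-in (a real one would speak
KMIP and hold keys in a PKCS#11 HSM). Added illustration, not vendor code."""
import hashlib
import hmac
import json
import os
import ssl
from typing import Dict, List


class KeyServerReplica:
    """Stand-in for one key-server node; `up=False` simulates an outage."""

    def __init__(self, name: str, keys: Dict[str, bytes], up: bool = True):
        self.name, self.keys, self.up = name, keys, up

    def get_key(self, key_id: str) -> bytes:
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        return self.keys[key_id]


class HAKeyClient:
    """Tries replicas in order so hosts keep working while any replica answers (rule 4)."""

    def __init__(self, replicas: List[KeyServerReplica]):
        self.replicas = replicas

    def get_key(self, key_id: str) -> bytes:
        errors = []
        for replica in self.replicas:
            try:
                return replica.get_key(key_id)
            except ConnectionError as exc:
                errors.append(str(exc))
        raise ConnectionError("all key servers down: " + "; ".join(errors))


def mtls_client_context(ca_pem: str, cert_pem: str, key_pem: str) -> ssl.SSLContext:
    """Host side: verify the key server against the private CA and present a
    client certificate (rule 2). The three paths are placeholders."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)
    return ctx


def mtls_server_context(ca_pem: str, cert_pem: str, key_pem: str) -> ssl.SSLContext:
    """Key-server side: refuse any client without a certificate signed by the CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)
    return ctx


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stream cipher standing in for
    # AES-GCM, which the standard library does not provide. Not for production.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(plaintext: bytes, key_id: str, client: HAKeyClient) -> dict:
    """Encrypt-then-MAC; the record names the key but never contains it (rule 1)."""
    key = client.get_key(key_id)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).hexdigest()
    return {"key_id": key_id, "nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag}


def decrypt_record(record: dict, client: HAKeyClient) -> bytes:
    """Fetch the key named in the record, verify the tag, then decrypt."""
    key = client.get_key(record["key_id"])
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ciphertext"])
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("record tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def record_leaks_key(record: dict, key: bytes) -> bool:
    """Pre-write sanity check: neither raw nor hex key bytes may appear in the record."""
    blob = json.dumps(record).encode()
    return key in blob or key.hex().encode() in blob


def demo() -> dict:
    # Constructed sample: one 256-bit key on two replicas, primary down, to show failover.
    key = bytes.fromhex("4d2d2c0f1b9e7a6f8c3d5e2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c")
    keys = {"data-key-01": key}
    client = HAKeyClient([KeyServerReplica("ks-a", keys, up=False), KeyServerReplica("ks-b", keys)])
    record = encrypt_record(b"account 1234: balance 99.50", "data-key-01", client)
    return {"record": record, "recovered": decrypt_record(record, client),
            "leaks_key": record_leaks_key(record, key), "client": client}
```

Running `demo()` encrypts through the surviving replica, decrypts the record back, and confirms that only `key_id`, `nonce`, `ciphertext` and `tag` reach storage. Point the two TLS helpers at a real CA and certificate pair, wrap the socket to the key server with `mtls_client_context(...)`, and the in-memory replica can be swapped for a network call without changing the record format.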
Thanks for sharing your suggestions, Murray.