8 Best Practices for Encryption Key Management and Data Security

From centralization to support for standards, these encryption key management and data security best practices can help you protect your organization’s confidential data and comply with regulatory mandates.

by Gary Palgon

Data encryption is an important element of an organization’s response to security threats and regulatory mandates. What many organizations are finding is that while encryption is not difficult to achieve, managing the associated encryption keys across their lifecycle quickly becomes a problem that creates a new set of security vulnerabilities and risks making important data inaccessible to authorize users those who need it.

Confidential data resides in hundreds of places throughout an organization. It’s found in many different forms. Today’s business environment is compliance-driven, competitive and increasingly fraught with crimes of opportunities from financially motivated hackers and frustrated employees. This creates a mounting demand for effective, practical, automated, risk-mitigating ways to manage keys throughout their lifecycle so that “good guys” are granted access and the bad guys are thwarted. User and application access to these resources must be controlled, managed and audited so that authorized access is quick and reliable, all while preventing malicious attacks. Moreover, a thorough approach to key management must ask: “Who guards the guards?” The administration of keys must itself have built-in protection against internal maliciousness.

Experts in data protection urge organizations to use the following two-step process to manage data security risk and comply with regulatory requirements:

Step 1: Eliminate as much collection and storage of sensitive data as possible—if you don’t really need it, get rid of it (or never collect it in the first place);

Step 2: Encrypt, hash, or mask the remaining sensitive data at rest and in transit.

Encryption has become an increasingly important weapon in the security arsenal for data at rest in databases, files, and applications and for data in transit. Encryption is a perfect companion to strong perimeter and firewall protection. It is also one of the most important ways to protect against internal threats, which some estimates put as high as 73 percent of all breaches. Your firewall and perimeter security can’t protect you from the folks inside the fort, but encryption can.

Encryption resources such as keys, hash algorithms, certificates, and digital signatures are dynamic and fluid. They must be changed, cycled, or renewed regularly. Furthermore, they must be archived under time-based management so that they are available to retrieve historic data.

Encryption is hard for companies to perform on their own, as is the associated encryption key management. Keys proliferate exponentially as companies manage the data encryption lifecycle. If not managed properly, a new problem emerges: how to control and protect access to the keys to ensure they don’t get into the wrong hands and that they are available to when needed (today and in the future). The following overview describes eight best practices in encryption key management and data security.

Best Practice #1: Decentralize encryption and decryption

One critical issue in designing a data protection plan is whether encryption and decryption will take place locally and be distributed throughout the enterprise, or will be performed at a central location on a single-purpose encryption server. If encryption and decryption are distributed, the key manager must provide for the secure distribution and management of keys.

Solutions that provide encryption at the file, database field, and application level provide the highest level of security while allowing authorized individuals ready access to the information. Decentralized encryption and decryption provide higher performance and require less network bandwidth, increase availability by eliminating points of failure, and ensure superior protection by moving data around more frequently but securely.

Best Practice #2: Centralize key management with distributed execution

A solution that employs a hub-and-spoke architecture for distributed key management allows encryption and decryption nodes to exist at any point within the enterprise network. Spoke key-management components are easily deployed to these nodes and integrated with the local encryption applications. Once the spoke components are active, all encryption and decryption of the formerly clear text data is performed locally to minimize the risk of a network or single component failure having a large impact on overall data security. The key manager should manage the generation, secure storage, rotation, export, and retirement of the keys used for encryption at the spokes.

Best Practice #3: Support multiple encryption standards

Even if you choose specific encryption standards for your organization, you may find that mergers and acquisitions or the need to work with business partners in your ecosystem will require support of other standards. Choosing a security solution that supports all industry-standard encryption algorithms ensures your organization will conform to government and regulatory requirements now and in the future.

Best Practice #4: Centralize user profiles for authentication and access to keys

A “user” is any application or person requiring access to sensitive data. Access to these resources should be based on user profiles in the key manager. Users can be assigned and issued credentials (for example, RSA certificates) to provide access to encryption resources associated with their user profile. User profiles are managed through an administrative role in the key manager. In compliance with the PCI DSS mandate and as a best practice, no single administrator or user has access to the actual keys themselves.

Best Practice #5: Do not require decryption/re-encryption for key rotation or expiration

A key profile should be associated with every encrypted data field or file. This key profile allows the application to identify the encryption resources that must be used to decrypt the data field or file, making it unnecessary to decrypt and then re-encrypt data when keys change or expire. The current key will be used to encrypt freshly created data. For existing data, the key profile will be looked up to identify and load the key that was originally used for the encryption. This is a very critical feature for large databases and 24/7 operations and provides for seamless key rotation.

Best Practice #6: Keep comprehensive logs and audit trails

Extensive audit logging that occurs in every component of the distributed architecture is an important component of key management. Every access to sensitive data must be logged with details about the function, the user (individual or application), the encryption resources utilized, the data accessed, and when the access took place.

Best Practice #7: Use one solution to support fields, files, and databases

One benefit of the distributed execution model is that the security software doesn’t know or care what kind of data it is encrypting. To get started, define which fields need to be protected and specify how they are to be protected. Once activated, information is available based on user rights, allowing access (to the full value or a predefined masked value) or denying access. Look for a security solution that operates without requiring any alternation of any field sizes.

Best Practice #8: Support third-party integration

Enterprises often have a large number of external devices (i.e., POS terminals) dispersed throughout their network. These devices do not typically have standard database-oriented applications and are dedicated to a single function using proprietary software. Using a security solution that integrates with third-party applications will protect confidential information as it moves throughout your organization’s extended network.


Several best practices have emerged for encryption key management and data security. Many security vendors incorporate these methodologies into their solutions, making it much easier for you to protect the confidential data entrusted to your organization and comply with regulatory mandates.

- - -

Gary Palgon is vice president of product management for Atlanta-based nuBridges, where he is responsible for defining strategy for the company’s widely-used data protection and managed file transfer solutions. Reach him directly at

Must Read Articles