31) Does your organisation manage and control the use of, and access to, any cryptographic keys?
Answer yes if your organisation controls the use of, and access to, cryptographic keys. These keys are typically used to access IT infrastructure and services. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.
What is the control?
Your encrypted communications and storage depend on cryptographic keys to encrypt and decrypt the data.
Asymmetric (or “Public Key”) encryption in particular relies on 2 sets of keys; a public one used to encrypt data (using the recipient’s public key) and a private one, which the recipient uses to decrypt the message. The private key must be known only to the recipient, but it has to be ensured that the sender encrypts the data with the [recipient’s] correct public key, and that that key is still valid. This is where certificate authorities come in, validating the public keys.
Why should I have it?
If you lose your encryption keys, you essentially lose access to your own data. Whereas if they are compromised, anyone could potentially decrypt your encrypted data.
In the case of public key infrastructure, it’s also important to know if any private key pair is still valid before sending data (with the recipient’s public key) when the (private) decryption keys may have been compromised.
Public Key infrastructure is typically managed by a central authority within your organisation, which in turn trusts one of a handful of larger authorities linked together and generally trusted by everyone. This means that your organisation’s certificate authority can obtain and validate the public keys of almost any other organisation and individual on the internet.
The establishment of encrypted sessions and validation of certificates is likely something that happens seamlessly throughout your organisation, with many platforms employing these mechanisms. Just for example, any HTTPS web traffic, SSH secure shell sessions, and any number of authentication mechanisms will rely on cryptographic keys and key management.
It’s therefore critically important, in order to assure the integrity and confidentiality of your and your clients’ encrypted data, that your keys and certificates are well managed.
It is also important to carefully consider backup of your cryptographic keys so that you don't lose access to your data. In some circumstances, use of a key escrow may be appropriate. It is critically important that your backups or keys in escrow are protected with at least the same level of security as your operational keys.
How to implement the control
Implementing a public key infrastructure can be very complex with numerous interdependencies. It is strongly recommended to leverage expert knowledge and invest time in carefully planning any PKI deployment.
That said, some basic best practices that should be heeded are to ensure that all elements of the PKI infrastructure communicate securely using TLS and use 802.1X EAP for authentication. It’s also recommended to use Enterprise CAs (Certificate Authorities) rather than standalone CAs to streamline enrolment and increase consistency.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
