Encryption has become a progressively more significant weapon in the security armory for data security. Encryption is a perfect companion to strong perimeter and firewall protection. It is also one of the most meaningful ways to protect against internal threats. Database firewall and perimeter security can’t protect you from the threats inside the company, but encryption can.
Good key management is essential for companies applying database encryption since access to encrypted data eventually comes down to access to the key. Good key management keeps away from disruption and business costs. On the other hand, compromising a key can put sensitive information at risk and losing a key entirely can mean that the data is lost forever. The following overview explains best practices for encryption key management and data security
Decentralize encryption and decryption
An important issue in designing a data security plan is whether encryption and decryption will take place locally and be dispersed all through the enterprise, or will be carried out at a central spot on a single-purpose encryption server. If encryption and decryption are dispersed, then the key manager must provide for the safe distribution and management of keys.
Keys that provide encryption at the file, database field, and application level offer the highest level of protection while allowing ready access to information to authorized users. Decentralized encryption and decryption provide superior performance and need a lesser amount of network bandwidth. It increases availability by eradicating points of failure, and ensure the better protection by moving data around more often but securely.
Centralize key management with dispersed implementation
A solution that employs a hub-and-spoke architecture for dispersed key management allows encryption and decryption nodes to subsist at any position within the enterprise network. Spoke key-management mechanism is quickly deployed to these nodes and integrated with the local encryption applications. If the spoke components get activated once, then all encryption and decryption of the previously clear text data are performed locally to reduce the threat of a network or single component breakdown having an enormous impact on overall data protection. The key manager must manage the generation, secure storage, rotation, export, and retirement of the keys used for encryption at the spokes.