Where are my keys and certificates? How are they protected?
"Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system."
— Bruce Schneier, Preface to Applied Cryptography, Second Edition.
The majority of security failures in cryptography can be traced to key management errors, such as hard-coded keys, poorly protected credentials, and insecure keystores. The first step in preventing these issues is to have an up-to-date inventory of all your cryptographic keys and certificates.
Cryptographic key inventory is a list of where all of your cryptographic keys are in the whole of your IT infrastructure across applications, networks and hardware.
It should include information about where keys are stored, what they are doing and who has access to them.
At Cryptosense, we have followed several of our customers as they create or upgrade their cryptography inventory. We have seen that in practice, every organization’s cryptography inventory will be a little different, depending on how and where cryptography is used relative to the business-critical functions of the organization. Indeed, successful cryptography inventory projects typically apply a different methodology to different parts of the application estate or infrastructure, in order to prioritize resources to the most important areas.
In this whitepaper, we will discuss the lessons learned from these projects and the best practice approaches that will enable you to guide your own cryptography inventory project.