Common Challenges with Key Management: Usability (Part 2 of 6)
The Importance of Usability in Key Management Solutions
A common misconception when it comes to key management is that it is necessary to choose between the security and usability of a system. The more difficult that it is for an attacker to access sensitive data or functionality, the harder it is for users to do so as well. Under this model, many organizations choose to prioritize data usability over security. The same sensitive data that cryptography is commonly used to protect is also the data that is vital to the daily operations of a business. Losing access to this data - or even having usability issues cause slight access delays - degrades operational efficiency and hurts the business. As a result, organizations and their employees commonly undermine security in the name of increased ease of use. However, in a well-designed key management system, it is not necessary to choose between security and usability. If a clear distinction is drawn between legitimate and illegitimate uses of data and encryption keys, it is possible to provide free and painless access to keys for the first and block access for the second.
Common Key Management Mistakes
In the name of increased usability and efficiency, developers and organizations make a number of different mistakes regarding key management. Some common examples include the reuse of keys and passwords, storing this sensitive data in an insecure fashion, and failing to implement least privilege access controls.
Every password and secret key should be completely unique within an organization’s key management environment. This helps to ensure that, in the event of a cybersecurity incident, a compromised or malicious account can be rapidly identified and shut down with minimal impact to the enterprise and that one compromised key does not impact other data or systems.
However, the complexity of organizations’ infrastructure, the number of systems within it, and accounts that users need access to results in the bad practice of password and key reuse. It is much easier to have a single key shared between multiple users and to use the same key for multiple accounts; however, this significantly increases the probability that the key will be exposed and the overall damaging impact if it is. Password and key reuse results in reduced ability to audit access to sensitive data, and a reduced ability to isolate and triage the exposure caused by a compromised password or key.
Insecure Key Storage
Vital keys should be stored in a Hardware Security Module (HSM) to minimize the chance of compromise. An HSM has built-in protections against a wide variety of digital and physical attacks, and its built-in computing resources allow cryptographic operations to be performed without requiring the secret key to leave the secure enclave.
However, the number of keys that an enterprise must manage and the need for rapid access drives many organizations to store secret keys in insecure storage. This includes everything from hard-coding encryption and API keys into programs to storing authentication information in text files on a user’s machine. These decisions increase the probability that an attacker with access to a user’s system can expand their access by leveraging the poorly secured keys stored on it.
Failure to Implement Least Privilege
The principle of least privilege states that a user should only be granted and operate with the minimum level of permissions required to do their job. This includes both allocating permissions to employees based upon business requirements and having employees with privileged access only use accounts with these minimum sets of permissions when the task requires it.
However, with many different systems and their keys, it can be difficult to precisely define the access that each employee should have. As a result, employees are often given too great of access to keys, leaving them vulnerable to compromise or misuse.
Case Study: Comodo
In 2019, Comodo suffered a data breach that exposed internal sales data, organizational charts, employee information, and more. While no customer private keys were exposed (Comodo previously was an SSL certificate issuer), information about customers and vulnerability scans was exposed in the breach.
The breach stemmed from a failure to properly manage passwords and encryption keys for the organization’s cloud storage. The company had an account on the Microsoft cloud, where the password was shared across by multiple employees. The purpose of using a single, shared account was to simplify management, since creating an individual account for each employee and granting access to the appropriate resources would have been time-consuming.
However, the use of this single account made it much easier to breach. The account information was accidentally exposed when a developer uploaded credentials to a public Github repository. The issue was discovered and responsibly reported to Comodo by a security researcher. During his investigation of the account, the researcher found evidence that it had been previously compromised and was being used to send spam and phishing emails.
Improving Key Usability with Ubiq
Achieving key management that is both usable and secure requires a solution that is easy to use and supports granular access controls. Granular access controls enable the implementation of least privilege since users, systems, and applications are not collected into groups where the group’s permissions must support the operations of all of its members.
These granular access controls are best defined by issuing each system, user, or application with access to data a unique key which is assigned a particular set of permissions (read, write, etc.) to each key. Granular access controls provide many advantages with the two main ones being:
- Minimized Risk: Limiting access rights to data minimizes the damage that can be done with a particular application. For example, an application that only requires read access to data (and is limited to that) cannot be used to encrypt that data in a ransomware attack.
- Easy Updates and Revocation: Users’ and applications’ access needs and permissions can change over time. A key management system with unique keys means that changing or revoking access only impacts one key, not all users of the system.
Ubiq provides a simple and easy to use key management system with the ability to issue unique keys to all users of data and manage their permissions independently. To see the Ubiq Platform in action, check out this demo.