Challenge: Key Recovery

The Security Issue

Organisations, applications and infrastructures are subject to large-scale hacking attacks that regularly succeed in compromising their targets. Appreciating this fact makes it evident that in-depth defensive measures are essential to protect data and information against cyber threats. Additionally, laws and regulations addressing this issue are increasingly being implemented, especially with regard to critical infrastructure. Taking no action is negligent and can lead to liabilities. In the case of a successful cyberattack, encryption is the last line of defence and therefore an essential part of a multilayered cyber security strategy. The confidentiality and availability of cryptographic secrets (keys) are crucial for companies in times of expected attacks. Losing access to keys means losing access to encrypted data or systems. Measures to ensure the availability of keys must not compromise their confidentiality: third parties who gain knowledge of keys gain access to the protected data or systems, which compromises the confidentiality, availability and integrity of critical data.

Successful key management is
active liability management.

Existing Solutions

Current standard storage and archiving procedures do not meet the described security requirements. Cryptographic secrets, such as keys, are regularly handed over to third parties (service providers or service infrastructure) for storage. If this third party is compromised, all your keys and your customers' keys are immediately exposed. This procedure therefore asks you to trust the third-party provider unconditionally, which fundamentally contradicts modern cyber security principles (Zero Trust, Trust No One). If the keys are instead secured with a password, as an additional key that avoids this assumption of trust, the risk of key loss is merely shifted to another, weaker key. In addition to the known risks of password use, such as reuse, insecure password selection and phishing, encryption passwords cannot be reset. This presents a major challenge to usability and regularly leads to data loss. The procedures mentioned above contradict the approaches and requirements of the Zero Trust and Trust No One principles. In cloud environments, your customers also have limited influence on the key management that exists between you as the service provider (SaaS) and your cloud partner (PaaS/IaaS).

Looking for a solution?
Check out DNA!