Key management recommendations

Information and Educational Technology recommends that each campus unit create a
plan ("key management plan") to manage the electronic keys that let them access their
encrypted information. A well-crafted plan, adapted to your environment, will help
protect secure access to encrypted information, and help your unit and individual users
satisfy university policies and state and federal law.
The key management plan should include these provisions:
• A requirement that anyone who stores encrypted institutional data must provide
the keys, or other means to access the data, to a person designated by the unit (the
"key manager"). The key manager could be the unit's technology support
coordinator, management service officer, department chair, or someone similar.
• A template key management agreement between the key manager and each user
of encrypted stored data that states where the data is stored and the tool used to
encrypt it, acknowledges that the data shall not be accessed for reasons that
conflict with law or university policy, and acknowledges that the user knows and
understands relevant university policy.
• A provision that any escrowed key will only be used with consensual or
non-consensual approval(s), as specified in PPM 310-24.
• One or more strategies to ensure that data can be recovered if the keys are lost or
unavailable. These strategies include secure backup procedures or master keys.
• A provision stating how the key manager will secure all the instructions related to
decrypting or accessing encrypted data.
• One or more methods to handle keys that have been, or might be, compromised.
• One or more methods to destroy or revoke unused keys.
• Procedures to develop, document and disseminate the unit's key management
plan.
The plan should also clarify the responsibilities of the key managers and encryption
users:
Key manager responsibilities
• Knows the university's data encryption recommendations and related university
policies (see below).
• Ensures that all encryption keys are secure, however they are stored.
• Understands all processes related to key management.
• Creates a key management agreement with each user of encrypted data, which
identifies where encrypted data is stored, the encryption tool used, and all
information needed to access the data when access is allowed or required by
policy or law.
• Reviews, at least once a year, information in the key management agreement with
the encryption users, to ensure that the information contained is correct and
sufficient.
Encryption user responsibilities
• Agrees to a key management agreement with the key manager that states where
the encrypted data is stored and the tool used to encrypt it, and acknowledges that the
data shall not be accessed for reasons that conflict with law or university policy.
• Knows the university's data encryption recommendations and related policies (see
below).
• Knows the key management plan for their area and any encrypted data they use or
store.
• Tells the key manager when encryption is no longer used, or if information in the
key management agreement changes (e.g., there are changes to the keys, or to
where the encrypted data is stored).
IET is not recommending any particular technology or specific method for key
management, nor are we recommending or supporting a central key repository. Different
technologies and arrangements will best meet the needs of different units. Here are some
available options:
Key Management Storage Options | Contact
AD for departments who have their own AD domain. | Department technical staff. ITPS is available to consult. Contact itps@ucdavis.edu or (530) 757-8907.
Uconnect for departments that participate in this service. | Department technical staff. ITPS is available to consult. Contact itps@ucdavis.edu or (530) 757-8907.
Data Center SAN (file system storage) for non-Windows systems. | Department technical staff. ITPS is available to consult. Contact itps@ucdavis.edu or (530) 757-8907.
Data Center SAN (file system storage) for Windows systems not joined to an AD domain. | Provided by ITPS or department technical staff. Contact itps@ucdavis.edu or (530) 757-8907.
For additional information, please consult the following references. You are also
encouraged to contact campus security staff to discuss how you use and manage stored
encrypted data.
References
IS-3 Electronic Information Security
http://www.ucop.edu/ucophome/policies/bfb/is3.pdf (Revised Feb. 3, 2011)
Encryption at the University of California: Overview and Recommendations; Section 7 of
this document addresses key management (April 20, 2006)
UC Davis PPM 310-24 Electronic Communications—Privacy and Access
http://manuals.ucdavis.edu/PPM/310/310-24.pdf
UC Davis PPM 310-75 Whole Disk Encryption
http://manuals.ucdavis.edu/PPM/310/310-75.pdf
NIST Guide to Storage Encryption Technologies for End User Devices
http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
NIST Special Publication 800-57: Recommendations for Key Management
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part3.pdf
NIST Cryptographic Algorithms and Key Sizes for Personal Identity Verification
(February 2010)