Key management

Key management

Automated key management outside your databases and applications enables maximum security.

Key management is the weak point of current systems

One of the most important conceptual components of the eperi solutions is the innovative key management. Existing systems often have one of the following weak points:

  1. Often standard solutions of application and database manufacturers are insecure.
  2. Some manufacturers have realized that data protection is absolutely essential and provide an encryption option. The problem with these solutions is that key management as well as data en- and decryption are done inside the application respectively the database and thus within the administrator’s reach. They are not supposed to have unauthorized access.The assumed advantage of tightly coupling security solution and application resp. database is the biggest disadvantage, as the keys are stored in the product to be protected. Also, external encryption solutions, so-called Hardware Security Modules (HSM), don’t work. The en- and decryption are done outside the database, but the authorization management remains inside the database. Database administrators and potential attackers may still access.
  3. Using developer tools carries the risk of an insecure key management. Frequently, when developing software, developer tools are used to encrypt the data before being stored in the database.
    • Mostly no key management is integrated – all data is encrypted with the same code key. If this key is published for any reason, all data is immediately unprotected.
    • At the same time the developer tools enforce application modifications. Mostly this is not possible at existing applications, and the risk exists of voiding the manufacturer’s warranty.
    • The security solution becomes part of the own software. This assumed advantage is a big disadvantage. If the security solution has to be modified, the software must be modified too. Additionally, a close dependence on the security solution manufacturer results. As a trustworthy security solution is always linked with the correct and current realization, even slightest programming mistakes may result in a completely insecure solution.

This brief critique of popular systems shows that encryption effectiveness depends on encryption quality, but primarily on key management. If the attacker gains access to the (private) key, he may see, modify or copy the sensitive data.

eperi designs key management anew and makes encryption truly secure

At eperi all cryptographic operations – the entire authorization and key management – are exclusively done outside the database and the IT systems in the secure eperi Gateway environment. As the eperi Gateway basis is Open Source, each customer may track the correct implementation. All IT administrators may work as before, except now, only with encrypted data.

eperi retains the manufacturer warranty and ensures the security of investments

The eperi solution provides complete key management without modification or adaptation of existing applications, databases, interfaces or DLLs. The manufacturer’s warranty remains valid, and the security of investments is lastingly assured.

eperi consistently uses “Separation of Duties“ and enables maximum security

The eperi Gateways are an entirely separate security system, being administered independently of the database and the applications, including a strict separation of duties. Only the security administrator has access to the keys. He decides which user may read the sensitive data in clear text but has no access to the encrypted data in the database and the application. In short, the security administrator assigns the rights but sees no data.