Key management for physical access control

Whether a physical or digital key, policies and practices for their use must be in place

Suppose that somebody in security or IT can be found that does have the authorization to change the key value. It is highly likely that procedures for generating a new key value and for getting it into a form that can be used for key rolling are not frequently practiced even if they are known. All aspects of key breach detection and key rolling need to be addressed in practice to ensure that the written policies are possible and cost-effective to implement whenever the need arises.

To reconnect with the realities and practicalities of the key management for digital keys, it may be helpful to work backward from a key breach scenario. The surfacing of a roadblock to key rolling and recovery from a key breach well before an actual security issue arises has obvious advantages. It may also help to shine more light on other areas in an existing key management program where policies and practices are less than optimal.

Key Management Benefits

This overview of key management processes provides a starting point for evaluating your company's current key management practices - whether you are working with a turnkey system from a vendor, or have implemented selected policies internally. It may also raise questions about the value of developing a comprehensive key management strategy. According to BITS, a security working group for the financial services industry, a good key management program can assist in accomplishing the following:

- Improve usability and effectiveness of key and key usage;
- Increase reliability and efficiency of key structure and key implementation;
- Reduce costs by leveraging common infrastructure and administrative processes;
- Reduce complexity and improve transparency by re-using well-defined processes and interfaces;
- Automate manual steps to reduce human error and improve consistency;
- Support a variety of keys consumed by a variety of encryption/decryption processes delivered by commercial, open-source and customer-developed applications on multiple platforms;
- Allow for segregation of key management from encryption/decryption operations;
- Improve transparency by aligning and integrating with the businesses processes; and
- Provide evidence of having implemented sound and secure practices.

Strong keys coupled with best-practice key management are at the foundation of token-based access control systems. Strong keys alone are not sufficient. If you are running a keyed security system, then either you buy a key management system and put in place a continuously-running key management process, or you seek a vendor that can provide these services. Running a keyed security system without a key management system underneath should not be considered an option.

Tam Hulusi is senior vice president of strategic innovation and intellectual property at HID Global, the trusted leader in providing access and ID management solutions for the delivery of secure identity.




Further Reading

Matt Blaze's classic paper on master keys is a beautiful case study of the similarities and differences of physical and cryptographic keys: