Key Custodians: Who, What, Where, When, Why, and How
I have worked with a lot of customers and, without a doubt, the most important and most frequently neglected facet of managing an appliance that I see is key custodianship. The role and its accompanying credential are the most important piece of operations—but they are used so infrequently that it’s easy to forget they even exist. I get it! The problem is that once your key custodians are needed, the time to learn what a key custodian is has already passed, and not having that information ready can have dire consequences.
Before even knowing what a key custodian is, it would be wise to know who your key custodians are. In an emergency situation, not knowing who to even contact can jeopardize your business processes and turn an operational headache into an operational nightmare. If you can’t name your primary key custodians, your backup key custodians, and how to access a third backup copy of the key custodians (probably kept in a safe), then now might be the time to gather that information and keep it in an easily reachable place.
A key custodian consists of both a role (the physical person) and a credential (stored on a USB drive issued to them). There should be at least three people occupying key custodian roles, and, ideally, each custodian is assigned a backup person in case of emergency. The credential that they protect (the USB drive) is one piece of a critically important secret that each appliance requires in order to perform cryptographic operations. Without the entire secret, an appliance does not have the access required to encrypt new data or decrypt old data. So, you can imagine how important it is that the secret is kept safe and isn’t lost! In fact, if one of the key custodians loses their credential, and no backup exists, there is the very real risk that all the data in the appliance will be permanently lost. I don’t say that to scare you—I say it to remind and prepare you; losing a key custodian component has happened before, and there will be nothing to be done if it happens to you.
A key custodian can perform their role from anywhere in the world, with certain important caveats. The key custodian must be in possession of their USB drive and a laptop, desktop, or other network-accessible device running our special key custodian Set PIN Tool. This device needs to be able to connect, likely through VPN, all the way to the Tellaro that must be activated. Considering that the Tellaro typically lives in a secured network, it may be technically difficult to provide this level of access. Regardless, you should have an infrastructure set up so that your key custodians will be able to submit their credentials from wherever they may be when an emergency happens.
Fortunately, it is not common that a key custodian needs to perform his or her duties. The Tellaro, once set with this secret, will keep the secret for as long as the Tellaro’s application is live. But, in cases where the Tellaro is upgraded, restarted, or brought down by a hardware fault, the credentials that form the secret will need to be resubmitted. Hopefully there will be ample notice and planning prior to any event where the key custodians are needed, but being prepared for the unexpected is always a good idea.
It’s natural to ask why all this headache is necessary. The Tellaro could have been designed in such a manner that key custodians would not be required for the device to function after a restart. In order to accomplish that, however, this critically important secret would need to exist somewhere on the appliance in an accessible, unencrypted form. At StrongKey, we don’t compromise on our vision of security. In order to protect your data, we split this secret up and put it in the hands of multiple people, so that no single person has full control. It may be tempting to reduce the operational complexity of the key custodians by giving control of all secrets to one person, but first stop and ask yourself whether the added risk is worth your business.
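To make the trade-off above concrete, here is an added illustration (not StrongKey's code, and not a description of how the Tellaro actually stores or reassembles its secret) of an n-of-n split: every custodian's piece is needed, any subset of pieces is statistically independent of the secret, and a lost piece is recoverable only if a backup copy was kept. Custodian names and the `activation_drill` helper are assumptions made for the example.

```python
import secrets
from typing import Dict, List, Optional


def split_secret(secret: bytes, custodians: int) -> List[bytes]:
    """Split `secret` into `custodians` shares so that EVERY share is needed
    to rebuild it (an n-of-n split). All but the last share are uniformly
    random; the last is chosen so the XOR of all shares equals the secret.
    Any proper subset is independent of the secret, so no single custodian,
    and no group short of all of them, learns anything about it."""
    if custodians < 2:
        raise ValueError("at least two custodians are required")
    shares = [secrets.token_bytes(len(secret)) for _ in range(custodians - 1)]
    last = bytes(secret)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    return shares + [last]


def recombine(shares: List[bytes], custodians: int) -> bytes:
    """Rebuild the secret from the complete set of shares. Refuses to proceed
    when a share is missing: XORing a partial set yields a random value, not
    the secret, and it would silently fail to decrypt anything."""
    if len(shares) != custodians:
        raise ValueError(f"need all {custodians} shares, got {len(shares)}")
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares must all be the same length")
    secret = bytes(len(shares[0]))
    for share in shares:
        secret = bytes(a ^ b for a, b in zip(secret, share))
    return secret


def activation_drill(primary_usbs: Dict[str, Optional[bytes]],
                     backup_usbs: Dict[str, Optional[bytes]]) -> Optional[bytes]:
    """Simulate re-activation after a restart (assumed helper): for each
    custodian use the primary USB credential, fall back to the backup copy,
    and return None if neither exists, i.e. the appliance cannot be activated."""
    presented = []
    for name, credential in primary_usbs.items():
        piece = credential if credential is not None else backup_usbs.get(name)
        if piece is None:
            return None  # this custodian's piece is gone for good
        presented.append(piece)
    return recombine(presented, len(primary_usbs))
```

Run `split_secret(secrets.token_bytes(32), 3)` and drop one share from the result to see why the "no backup, no data" warning above is literal rather than rhetorical.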
How to be a key custodian is slightly outside the scope of this article. But if you want to know the details or need a refresher, you can check it out in our customer reference manual.
If you have any technical questions regarding your StrongKey service, please reach out to me and the rest of the StrongKey team using firstname.lastname@example.org. We are happy to help!