Getting Started with a Customer Managed Encryption Keys Solution

Here are four essential capabilities your customer managed encryption keys solution should have along with a general setup process for getting started.


2 June 2015

Getting Started with a Customer Managed Encryption Keys Solution

Customer managed encryption key (CMK) solutions are becoming very appealing to many organizations since they present a strong stance for compliance with regulators globally where data sovereignty laws are varied.

As we’ve mentioned before, not all customer managed encryption keys solutions are alike. There are four essential capabilities your solution should have. For example, the cryptography solution must be compliant with regulatory requirements and certified to high security standards, such as FIPS 140-2 level 3. In particular, the way the solution is delivered is also extremely important. It will save your firm a lot of headaches if a sole provider is responsible for the entire CMK solution and that there is one single access point. Further, specialty hardware for key manager access, and a backup device for the HSM partition (in case the key were to ever become lost) should be commissioned.

Now that you’re familiar with what capabilities to seek in a CMK solution, before implementing, make sure that you’ve fully considered how this will work across the full content lifecycle — not in the sense of creating and destroying content, but in storing and consuming information. If your organization invests a lot of time into data consumption, you will spend just as much resources keeping all of this information protected through a CMK solution.

If and when you decide this is still a solution you want to move forward with, here’s the general setup process for getting started with a CMK solution.

  • The first step is for your organization to understand the resource commitment and processes that a CMK solution requires, then you will need to evaluate providers that meet the essential CMK requirements.
  • Once you make a decision on a vendor, the sole provider you work with will initialize your dedicated HSM partition, ship the control devices (Pin Entry Device or PED and the hardware key fobs to unlock it) and the backup device. The provider will require that your organization install its software and establish a secure VPN connection to your partition.
  • Once unlocked, your organization’s pin entry device will take a pin and connect to the provider’s service as a key manager to the partition. From there, you can create your organization’s key, assign a label to this key, and then inform the provider of the key label. To ensure protection should the key ever become lost, you will need to back up your key onto the backup device provided by your vendor and store the backup key in a safe place.
  • The provider will only know the name of the key (also referred to as key label) for the organization, but will never be able to see or access it. Once the provider has the name of the key, its support team associates that label with your organization and will present the key label to the partition when the application needs to perform cryptographic operations — to get data encrypted or decrypted.

From that point on, your organization will fully control its data, and will be responsible for all key management functions, such as key rotation according to your own policy.

How Intralinks Customer Managed Keys Solution Works

Intralinks’ own Customer Managed Keys (CMK) solution gives its customers a very distinctive capability that puts organizations in control of their data and resolves their concerns around regulatory compliance and data privacy.

Its CMK solution consists of both hardware and software components distributed between the customer’s premises and the Intralinks' data center. Intralinks CMK exists within both the Application Security layer and the Infrastructure Security layer. It is an important addition to the multi-layer key management system Intralinks has been using with customers for years. In addition to the auto-generated data keys that are used to encrypt files, Intralinks has an added step in the process that includes the customer key. This step continues to provide the ability to compartmentalize risk by giving each data file its own unique data key, while still allowing for a customer key rotation process that precludes re-encrypting terabytes of data.

Ease of use of the cloud with the confidence of an on-premises Intralinks’ CMK solution allows organizations to maintain control of their hosted content without disrupting information sharing with customers and partners — a ‘best of both worlds’ for security and regulation-sensitive customers.



Mushegh Hakhinian

Mushegh Hakhinian

Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian lead security functions at a multi-tenant online banking service provider and an international bank.