19.06.2023 | Michael Veser
How a Key Management System Can Help You With FADP Compliance
The new Federal Act on Data Protection (FADP) comes into force on September 1, 2023 and is the talk of the town, not least because of the personal criminal liability enshrined in the law in the event of violations. Even if the revision initially seems daunting for many companies, a closer look reveals numerous overlaps with existing security frameworks.
What is changing in terms of secure data storage
The principles of “privacy by design” and “privacy by default” have been newly introduced, which should lead to a critical examination of the processed and stored data in advance. Only data that is really necessary should be processed and stored. In addition to data economy, the focus is also shifting to IT security. A lack of encryption, insecure systems and a missing process structure are always a risk for data breaches. With correct planning and implementation, a key management system can help you achieve a higher level of IT security and data protection.
Even if the specific minimum requirements for data and infrastructure security still have to be defined by the Federal Council, the level of protection can already be proactively raised today based on already known security standards such as ISO/IEC 270XX or ICT basic protection. The far-reaching need to encrypt and decrypt personal data is already foreseeable due to the generally defined requirements in the law. The objectives of confidentiality, integrity, availability and traceability of personal data defined there require numerous accompanying measures that go beyond the field of cryptography.
As the company-wide establishment of cryptographic processes and the corresponding technology require a great deal of preparation and perseverance, it makes sense to deal with the topic and the organization-specific obstacles now.
What is a KMS?
In simple terms, a key management system (KMS) bundles all key material usage scenarios in a central system that ensures the above-mentioned protection objectives through technical and process-oriented measures. This avoids isolated solutions, and the implementation of the necessary security measures can be controlled centrally.
As an integral part of the security architecture, a KMS can help to meet the requirements of the FADP.
From a technical perspective, it ensures the secure generation and storage of key material, ideally through the use of a hardware security module. The key material can then be provided securely and logged for all authorized key users. As part of key lifecycle management, numerous technical and organizational measures are also taken to define and monitor the entire lifecycle of the key material.
The introduction of a KMS requires in-depth conceptual work in advance, while the actual technology only makes up a small part of the overall project. The best technology is of no benefit if the underlying processes have not been designed securely.
What are the obstacles?
In practice, there are often justified objections to the theoretical requirements. For example, the effects of far-reaching encryption, including all the disadvantages, should be carefully examined. The impact on operational stability, performance and support processes must be considered in consultation with the respective operating teams. Beyond reduced performance, this includes points such as possible data loss in the event of incorrectly configured encryption. It must also be possible to restore backups quickly, and emergency processes should rule out negative causal chains in the event of major disruptions as far as possible.
From a technical perspective, interfaces must be made available for all key users. This makes it important to know all the key users and to take them into account during the product evaluation phase. During the actual introduction, it is also important to ensure the cooperation of everyone in the company through targeted communication and training measures. Experience has shown that the foundation for this can already be laid in the initial concept phase by listening to objections and taking them into account.
What is our recommendation for implementation?
- Find and document all systems that process or store personal data.
- Define the protection requirements.
- Only store and process data and attributes that are required.
- Check to what extent encryption is already being used today.
- Optimize your data processing procedures.
- If there is a need for a KMS, evaluate the available products.
- Introduce the KMS step by step.
- Update your processes and train your employees.
- Have the implementation checked by an external expert.
Conclusion
Many of the new requirements were already important before the revision of the Data Protection Act as part of existing security frameworks. The new Data Protection Act increases the pressure to implement appropriate protective measures, particularly through personal liability.
If you identify a need for action in your company, we will be happy to assist you as a competent partner. Regardless of whether it concerns PKI, KMS, IAM or an external audit of the measures already in place, we are happy to make our extensive know-how available to you.