As data security requirements extend from a data center to retail locations and branch offices, the problem of key management is exacerbated. Data entering an enterprise IT infrastructure at a Remote Office/Branch Office (ROBO) should probably be encrypted prior to short or long term storage. The data will need to be decrypted for use at the ROBO itself, and in many cases, decrypted at central data centers for bulk processing and aggregation applications such as data warehousing. As many large banks and retail operations have stores numbering in the thousands, it may be tempting for them to re-use encryption keys amongst branch locations, perhaps using a single key to encrypt all data at all locations. As store locations are inherently less secure than data center facilities, the risk of key compromise and data theft becomes more likely. The more locations where a single encryption key is stored, the more opportunity there is for physical theft or electronic break in. Compounding the issue is that the more data encrypted with a single key, the more valuable compromising that key becomes to would-be identity thieves.
Since it is rare that individual stores and branch offices need to share data with each other, there is typically no requirement that they share encryption keys. Indeed the ideal solution from a security standpoint is to have all data of similar form at each branch encrypted with a key unique to that location. With dozens of fields that may need encryption and potentially thousands of branches, the best practices security solution creates a key management nightmare for medium and large enterprises. Tens of thousands of keys must be kept in a database at the data center and selectively and securely distributed to the correct branch offices. This difficulty of modifying a key property or policy is now multiplied, and the probability of error is high. Adding new keys for new applications and rotating keys likewise quickly become intractable problems.
These and other issues are addressed, resolved, and/or ameliorated using techniques described herein.