Encryption key manager migration – Five tips for success

Last updated: 13 May 2016


Regardless of the reason for migrating your encryption key management platform, be it dissatisfaction with your current solution, an EOL announcement (like RSA’s Data Protection Manager End of Life, for example), or just outgrowing an antiquated implementation, an encryption key manager migration is a daunting, time-consuming task.

There are so many justified questions and fears to consider:

  • Will my new solution meet my needs?
  • How do I migrate my valuable data while keeping it secure?
  • What is the most cost-effective solution for my environment that will also meet our future needs?

With the current breach landscape, these are all relevant details that need to be addressed to ensure peace of mind and continued security for your key management needs.

Gemalto takes a phased approach to tackling encryption key management system migrations and providing answers to these crucial questions.

Here is a five-step method that should ease your transition burdens and reduce your fears:

  1. Discovery: Take advantage of this opportunity to evaluate your current situation and determine your true encryption and key management needs. In running through this exercise, consider what you would change about your current solution; what is truly important, be it support, cost or security; and whether your needs or environment have changed in light of new trends such as virtual and cloud technologies, traditional databases vs. big data, or the various types of data, be it file level, applications, or tokenization, for example.
  • Tip: Strive for a centralized solution that can expand to meet 1-, 3- and 5-year needs, avoiding encryption silos along the way.

  2. Scope Identification / Current Use Cases: You need a clear understanding of what is being used today, what has changed, the number and types of keys and applications in use or in development, and where your data resides. This includes confirming the databases, files, applications, and storage servers you are integrated with, determining what data is crucial to your organization, and categorizing your use cases by importance and complexity. Take note of where data resides, be it on-premises, in a private or public cloud, or virtual, and keep future plans in mind.
  • Tip: Having the infrastructure in place to grow encryption within your own ecosystem through KMIP and third-party solutions provides for easy, cost-effective use case expansion.

  3. The Plan: Determine and plot out your migration plan. Items to keep in mind are: ease of integration and use; product longevity and availability; key ownership; ability to meet compliance and budgetary needs; total solution costs, including any hidden fees; an ecosystem with a large number and variety of options; and reliable customer support. Buyer beware – not all key managers are created equal, so be sure to dive into the nuts and bolts to avoid future disappointment. Ask yourself “What does this new solution offer and how can it strengthen my implementation? What new features and benefits will I be able to take advantage of that can save me both time and money?”
  • Tip: Ensure your solution provides you with true data and key ownership, and FIPS validation to meet your compliance needs.

  4. Prove it Works: Start with one location or remote office for your proof of concept. Once the single, simulated-environment key management policies are in place and optimized, take a gradual approach, applying the learnings from your proof of concept, and run in parallel for a period of time in case anything was missed during testing. This will ensure minimal disruption in your day-to-day dealings and reduce the scope of work required.
  • Tip: Guarantee easy deployment with a single management console that can manage all of your key management, tokenization, file, database, and application encryption needs.

  5. Support: Migration is both time- and resource-consuming. Depending on your environment, professional services may be required to help plan and implement your key manager in order to ensure a smooth transition. Reliable 24/7 support is also important to deal with any issues that may arise.
  • Tip: Stating the obvious – key management and encryption aren’t easy. To ensure security and peace of mind, engage with a team to help with whiteboarding through to implementation. A company that has successfully undertaken similar migrations can offer first-hand expertise.


As mentioned above, a current example of an EOL that is forcing migration is RSA’s Data Protection Manager (DPM), BSAFE and tokenization products, approaching EOL/EOPS this year and in 2017, respectively. Although many of you are experiencing the anxiety of going through this exercise, you are also presented with an opportunity to reassess your architecture and plans.

There are many technologies available today that seemingly offer the same capabilities, so practice due diligence and ensure you take the necessary steps and make the proper evaluations. Doing so will ensure that once you get through the fog of any encryption key manager migration, you will be back on solid ground with a solution that truly meets both your current and future data protection use cases.

If you are in the market for a new encryption key manager, consider Gemalto’s SafeNet KeySecure solution, which supports a wide variety of encryption products and key types; offers user-friendly administration; is integrated into a number of industry-leading partner solutions; and is trusted by customers worldwide.

