Getting a grip on key rotation

24.04.2009

Compliance laws are also driving companies to reevaluate their key rotation policies, because encryption is a focal point for industry and privacy mandates. It is therefore critical to outline a strategic approach to key rotation issues and tools ahead of time. The National Institute of Standards and Technology defines appropriate key lengths and gives guidelines for how long keys should be used. The PCI Data Security Standard is one example of a compliance initiative with requirements for encryption key rotation. In fact, some companies must support multiple compliance initiatives simultaneously, which adds to the complexity and frequency of key changes.

The real source of pain for IT managers is the considerable time and effort that each key rotation takes, especially when dealing with poorly designed key management tools or home-grown systems. Multiply that by the number of policies that need to be enforced and it becomes a harrowing exercise with considerable cost and resource utilization.

Many companies find that encrypting data is easy. Maintaining the keys is the hard part and is often the area overlooked when encryption projects start. What's worse, the pain associated with key rotation often grows over time because there may be multiple key repositories, too many keys to manage, and too few resources to handle the rotation manually.

The amount of manual effort involved in handling keys depends on the quality of the management tools and how they deal with basic services such as provisioning, key storage and workflow. In the end, home-grown efforts to satisfy these requirements tend to be inflexible, operationally costly and brittle, and cannot address the changing encryption landscape as new needs emerge.

The way to address these issues, both for existing key rotation problems and to prevent new ones from occurring, is to establish a solid enterprise key management infrastructure.
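The article does not spell out what makes a rotation cheap or expensive, so the following added example (not from the article or any product it alludes to) shows the mechanics an enterprise key management infrastructure has to provide: key versions are provisioned and stored in one place, every ciphertext is tagged with the version that protects it, rotation only activates a new version, and re-encryption of existing records becomes a background migration rather than an all-at-once event. The `Keyring` type is a constructed in-memory stand-in for a real key store; the cipher is the Go standard library's AES-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const nonceSize = 12 // nonce length used by cipher.NewGCM

// Keyring is a constructed in-memory stand-in for an enterprise key store (hypothetical).
type Keyring struct {
	keys    map[uint32][]byte // version -> 256-bit key; every version data may still be under
	current uint32            // the only version used for new ciphertext
}

// NewKeyring provisions version 1 right away.
func NewKeyring() (*Keyring, error) {
	k := &Keyring{keys: map[uint32][]byte{}}
	_, err := k.Rotate()
	return k, err
}

// Rotate provisions a fresh key as the active version; older versions stay readable.
func (k *Keyring) Rotate() (uint32, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = secret
	return k.current, nil
}

// Retire destroys an old version once the migration job has re-encrypted everything under it.
func (k *Keyring) Retire(version uint32) error {
	if version == k.current {
		return fmt.Errorf("key version %d is active and cannot be retired", version)
	}
	delete(k.keys, version)
	return nil
}

func (k *Keyring) aead(version uint32) (cipher.AEAD, error) {
	secret, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d is unknown or destroyed", version)
	}
	block, _ := aes.NewCipher(secret) // 32-byte key, so this cannot fail
	return cipher.NewGCM(block)
}

// Encrypt writes version (4 bytes, big-endian) || nonce || AES-GCM output; the version is bound as associated data.
func (k *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := k.aead(k.current)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 4+nonceSize)
	binary.BigEndian.PutUint32(out, k.current)
	if _, err := rand.Read(out[4:]); err != nil {
		return nil, err
	}
	hdr, nonce := append([]byte{}, out[:4]...), append([]byte{}, out[4:]...)
	return gcm.Seal(out, nonce, plaintext, hdr), nil
}

// Decrypt picks the key from the version tag and reports that version, which lets a migration job find records still on old keys.
func (k *Keyring) Decrypt(blob []byte) ([]byte, uint32, error) {
	if len(blob) < 4+nonceSize {
		return nil, 0, fmt.Errorf("ciphertext too short")
	}
	version := binary.BigEndian.Uint32(blob[:4])
	gcm, err := k.aead(version)
	if err != nil {
		return nil, 0, err
	}
	pt, err := gcm.Open(nil, blob[4:4+nonceSize], blob[4+nonceSize:], blob[:4])
	return pt, version, err
}

// ReEncrypt is the per-record step of a rotation: read under the old version, write under the active one.
func (k *Keyring) ReEncrypt(blob []byte) ([]byte, error) {
	pt, _, err := k.Decrypt(blob)
	if err != nil {
		return nil, err
	}
	return k.Encrypt(pt)
}

func main() {
	kr, _ := NewKeyring()
	blob, _ := kr.Encrypt([]byte("constructed sample record"))
	kr.Rotate()
	migrated, _ := kr.ReEncrypt(blob)
	_, v, _ := kr.Decrypt(migrated)
	fmt.Println("record now protected by key version", v)
}
```

The design choice that matters here is the version tag: because `Decrypt` can always find the right key, `Rotate` is instantaneous and the expensive part, `ReEncrypt` over every record, can run as a scheduled job that reports which records still carry an old version. Only after that job finishes may the old version be retired; an attempt to read a record under a destroyed version fails closed rather than returning garbage.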