Addressing Key Management Before Moving to the Cloud
Blog Entry – Prioritizing Key Management When Considering the Cloud
One of the trends that I’ve noted when talking with customers is the desire to get cryptographic keys under better central management in anticipation of the cloud. At face value, one might wonder what the connection might be. Why build a key management plan before rolling out a cloud computing strategy?
It turns out that there are several good reasons:
- There’s no better time to build out a strategy for managing keys. Once an IT organization has mapped where its data exists and where encryption is applied, the need for better management tools becomes obvious. It makes a lot of sense to get the existing key management issues under control as a precursory step before moving applications and data to the cloud.
- There are a lot of concerns about cloud security models, especially with respect to who holds the keys. One of encryption’s central use cases is being able to protect the data no matter where it exists, and keeping the keys in house rather than in the cloud provider’s hands ensures a greater degree of protection from both internal and external attacks.
- Getting key management in place can help facilitate transitions to the cloud, because one thing is clear: when it comes to the cloud, there is going to be more encryption of data, not less. Having solid tools in place to manage more encryption is sound thinking.
In general, encryption projects typically emerge within a company in pockets in order to address tactical issues. One business unit may deploy several encryption products to handle its most pressing issues, but another business unit has entirely different requirements and an entirely different set of encryption products in place. The administration of key material isn’t being done in a central location, so that’s why companies are taking advantage of the cloud transition to put such plans in place.
One approach that companies take is to rationalize encryption where it already exists, and that means getting the internally managed pockets of encryption in order. The idea is to prepare for moving portions of a well managed environment into a well managed cloud environment; otherwise you’d just be magnifying a broken administrative model onto a new host. This can sound like an overwhelmingly difficult challenge when you look at the scope of how much encryption needs better management tools, but it can be broken down into steps. Start with the areas where there’s the biggest risk of outages from poor management in the most critical systems. This type of evaluation often leads to two major areas – places where organizations are doing secure file transfer (with locally managed keys) and applications which are using SSL certificates (which have a built-in expiration and need to be managed accordingly).
Besides, these are all building blocks to cloud services, because if you can’t encrypt a file, store it securely and transfer it to another location, it will be very difficult to secure your cloud environment. Good encryption practices backed with strong key management is the right move. For more details about how Symantec approaches this issue, see more information on PGP Key Management Server from Symantec.
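The triage step described above (start with the assets whose poor management carries the biggest outage risk, typically locally managed file-transfer keys and expiring SSL certificates) can be made concrete as a small inventory script. The example below is added here and is not code from the original post or from Symantec; the `KeyAsset` record, the `triage` scoring rules and the sample inventory entries are all constructed assumptions for illustration, not a real product's data model.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Hypothetical inventory record for one key or certificate (constructed for this example).
@dataclass
class KeyAsset:
    name: str                      # human-readable label for the asset
    kind: str                      # e.g. "tls-cert", "sftp-key", "db-wrap-key"
    owner: str                     # business unit that operates it
    managed_centrally: bool        # True if held in the central key manager
    not_after: Optional[datetime]  # built-in expiry (certificates); None if none
    criticality: int = 1           # 1 (low) .. 3 (business critical)


def triage(assets: List[KeyAsset], now: datetime,
           horizon_days: int = 30) -> List[Tuple[int, str, List[str]]]:
    """Return (score, name, reasons) for every asset that needs attention,
    highest outage risk first. Assets with no findings are omitted.

    Scoring (an assumption of this example, not a standard):
      expired certificate ........... +100
      expires within the horizon .... +50
      key not centrally managed ..... +20
    The sum is multiplied by the asset's criticality.
    """
    findings = []
    for a in assets:
        reasons: List[str] = []
        score = 0
        if a.not_after is not None:
            days_left = (a.not_after - now).days
            if days_left < 0:
                reasons.append("certificate expired")
                score += 100
            elif days_left <= horizon_days:
                reasons.append(f"certificate expires in {days_left} days")
                score += 50
        if not a.managed_centrally:
            reasons.append("key is locally managed, not in the central key manager")
            score += 20
        if reasons:
            findings.append((score * a.criticality, a.name, reasons))
    # Highest score first; ties broken by name so the order is stable.
    findings.sort(key=lambda f: (-f[0], f[1]))
    return findings


# Constructed sample inventory; names, owners and dates are made up.
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    KeyAsset("payments-api TLS", "tls-cert", "Finance", False,
             datetime(2024, 1, 20, tzinfo=timezone.utc), criticality=3),
    KeyAsset("partner SFTP host key", "sftp-key", "Logistics", False, None, criticality=2),
    KeyAsset("intranet TLS", "tls-cert", "IT", True,
             datetime(2023, 12, 1, tzinfo=timezone.utc), criticality=1),
    KeyAsset("hr-db wrap key", "db-wrap-key", "HR", True, None, criticality=3),
    KeyAsset("marketing site TLS", "tls-cert", "Marketing", True,
             datetime(2024, 6, 1, tzinfo=timezone.utc), criticality=1),
]


def sample_report() -> List[Tuple[int, str, List[str]]]:
    """Run the triage over the constructed inventory."""
    return triage(SAMPLE_INVENTORY, SAMPLE_NOW)


if __name__ == "__main__":
    for score, name, reasons in sample_report():
        print(f"{score:4d}  {name}: {'; '.join(reasons)}")
```

Running it lists the payments certificate first (expiring within days and held outside central management on a critical system), then the already-expired intranet certificate, then the locally managed SFTP key; the centrally managed wrap key and the certificate with months of validity left produce no findings. The point is the ordering, not the specific weights: an inventory with expiry dates and a "where is the key held" flag is enough to decide which pocket of encryption to bring under central management first.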
A second approach that companies take is to look at how to build new cloud-hosted applications from the ground up (perhaps “the ground” is not a good literary reference when discussing cloud environments; maybe I should say “from the horizon line up” instead). There’s also a lot of work being done to make best practices and standards available so that encryption becomes part of the fabric of the cloud security model. The Cloud Security Alliance is a multi-party industry group with the mission to document best practices, establish guidelines for technology and policy, and foster the development of standards towards the protection of data in the cloud. Prior to the acquisition by Symantec, PGP Corporation was one of the founding members of the Cloud Security Alliance, and has close ties to the ongoing activities within this space. We continue to enjoy a strong connection to the developments and people working towards making encryption and key management a stronger part of the cloud security model. There’s a section within the guidance document that discusses encryption and key management as well.
In addition to the strategies above, Symantec has been working together with technology providers to extend the encryption services available for PGP Key Management Server. These solutions include:
- CryptoSoft developed the Enterprise Encryption Services (EES) platform to provide data encryption tools for web services and cloud-based applications, exposed through a variety of interfaces. EES uses the PGP Key Management Server for management of key material. With respect to web services, one example is that EES has an interface that protects data headed towards Amazon Web Services by providing a connector for Java Messaging Services. EES can perform other types of data protection transformations as well, such as processing XML documents on a message bus and encrypting specific fields with personally identifiable information.
- Protegrity is a software developer that offers its Data Protection System to protect information in applications, databases, storage and files. Protegrity has been working together with PGP to provide integration with the PGP Key Management Server. The Protegrity solution is particularly desirable for organizations that have existing databases and information flows which need to have encryption added to ensure compliance with privacy laws and security practices.
In addition to the encryption resources above, I strongly encourage you to also take a look at Symantec’s broader role in cloud security. Two web sites with a lot of information are Symantec Hosted Services and the offerings from VeriSign Authentication Services.
Cloud security is definitely a hot topic, and we certainly see a strong discussion emerging from our customer base. Is key management an important consideration for you? Post your experiences in the reply box below.