As the final in a series of posts on key management in the Cloud, following are the remaining three possible strategies that organisations could look to adopt when thinking about how to secure their information in the Cloud.
The Just In Time Strategy is where keys and sensitive materials are stored on premise, only being released into the Cloud for a short time when needed. Quite a few companies are starting to offer such solutions with a large on-premise management system and a small software plugin for the Cloud applications which can fetch and use keys when needed. This is a promising model but it’s early days: watch out for highly proprietary systems, vendor lock-in and the need to modify applications directly to take advantage of the solution. And remember - the keys have still been exposed to the Cloud, no matter how briefly.
Next we have what I call the Mole Strategy, because you use tunnels. This is the logical conclusion of hybrid systems and provides a solution to the exposure issues of JIT. With a trusted hardware lynchpin or suitable access to a user-controlled secure element in the cloud, you can assert some control over key management by connecting to a trusted island in a whole sky of Cloud. This is not yet a reality but for security-conscious users it would be a real boon.
Finally, we have the Big Brother Strategy. Sometimes overlooked, the deterrent effect of strong auditing and oversight should not be underestimated. The use of hardware devices, cryptographic signatures and independent access control over the audit record itself can vastly improve the trustworthiness and reliability of a log and provide an added deterrent. While this approach cannot prevent an event from happening, it does provide excellent visibility, which enables the organisation to make informed risk decisions about what data they can trust in the Cloud.
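To show what that kind of tamper evidence looks like in practice, here is an added example (not code from the post or from any product it mentions): each record is chained to its predecessor and tagged under a key that only the audit authority holds, with an HMAC standing in for the signature a hardware device would produce, and a checkpoint kept outside the log pins its tail. The key value, the event fields and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key, assumed to be held by an independent audit authority
# (e.g. inside a hardware device), never by the application being recorded.
AUDIT_KEY = b"constructed-audit-authority-key"
GENESIS = "0" * 64  # chain anchor for the first record

def _entry_tag(key, prev_tag, seq, event):
    # Each tag covers the predecessor's tag and the record's position, so an
    # edit, deletion or reorder anywhere breaks every later link.
    msg = json.dumps({"prev": prev_tag, "seq": seq, "event": event},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_event(log, event, key=AUDIT_KEY):
    """Append an event to the chained log and return the new record."""
    prev = log[-1]["tag"] if log else GENESIS
    rec = {"seq": len(log), "event": event, "prev": prev,
           "tag": _entry_tag(key, prev, len(log), event)}
    log.append(rec)
    return rec

def checkpoint(log):
    """(record count, head tag): store it outside the log to pin the tail."""
    return len(log), (log[-1]["tag"] if log else GENESIS)

def verify_log(log, key=AUDIT_KEY, expected=None):
    """Return (ok, first_bad_index); expected is a stored checkpoint."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_entry_tag(key, prev, i, rec["event"]),
                                   rec["tag"]):
            return False, i
        prev = rec["tag"]
    # A chain alone cannot detect a truncated tail; the checkpoint can.
    if expected is not None and expected != (len(log), prev):
        return False, len(log)
    return True, None

def build_sample_log():
    """Constructed key-management events as a Cloud application might emit."""
    log = []
    for ev in ({"actor": "app", "op": "key_fetch", "key_id": "k1"},
               {"actor": "app", "op": "decrypt", "key_id": "k1"},
               {"actor": "admin", "op": "key_rotate", "key_id": "k1"}):
        append_event(log, ev)
    return log
```

Because the application never holds the audit key, it cannot forge or rewrite records; a record it appends under any other key fails verification at that position.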
Whichever strategy you choose for your move to the Cloud, remember that your cryptographic keys are more than data, they are your promises. Keep them well.
Jon Geater
Thanks for sharing your thoughts on this. One key issue that a cloud customer will need to address is how to retain ownership of the data (and responsibility for it) while allowing the service provider to take on the operational and perhaps even the management aspects of daily work.
A similar situation currently exists in bank card production, where a bank may outsource the card issuance to a 3rd party service provider (i.e. a card bureau). The process will involve the bank sending to the bureau some sensitive customer data (names, credit numbers, etc.), which will be processed by the bureau to print on the bank cards. At the same time, a more complicated process is at work. Here, the bureau will make use of the bank's cryptographic keys to generate codes that are unique to the bank and the card. It is interesting to note that for all the banks I come across, each insists on having its own key management box (HSM) installed and used at the bureau.
The bureau may end up having dozens of HSMs installed at its facility, but so far this is an effective way to ensure that ownership and operation can be segregated and the whole operation meets compliance. Until the industry comes up with and accepts a proven and sharable key-management scheme, this practice is likely to continue.
Posted by: Welland Chu | July 06, 2011 at 07:08
Hi Welland,
You're absolutely right, people are very keen to extend the same levels of control they have in the datacenter into the cloud. With specialized equipment this obviously starts to break the Cloud model (except perhaps IAAS) because you're heavily customizing the service offering.
This is where programmable crypto devices and hardware roots of trust may become valuable tools in the Cloud security arsenal - general purpose devices which can service many applications. The problem, as you say, is defining that interoperable interface.
Until then the standard compromises apply. This will certainly be an interesting side of the industry to shake out long term.
Posted by: Jon Geater | July 06, 2011 at 11:03