Key management strategies in the Cloud
There is a lot of discussion at the moment about key management in distributed, on-demand computing environments (aka ‘the Cloud’), but much of it seems too deeply product- or technology-focused for my liking.
By taking a “solution-first” approach, I believe we’re addressing the problem from the wrong end. What I would like to see is a return to our roots: looking at why key management has become important and re-validating the use of cryptography to solve Cloud security problems, in government and in the enterprise alike. We must re-examine the way we employ these tools in this new context and make sure that the technology is solving the problems, not defining them.
In any area of life people tend to focus on their area of expertise. To a man with a hammer, every problem is a nail. Those in cryptography and key management are no different. When Cloud computing became big news, everyone looked at their tool bag and applied existing policies, processes and products to the new environment.
Take a step back
Why do people need key management? Why has the field grown so much over the past few years? And why have best practices and standards of due care developed the way they have?
This much is obvious: more people are using more cryptographic keys than ever before, and cryptography is only as strong as the management of the keys behind it. And why the rise in cryptography? Because in today’s information society, there is ever more information in need of ever more protection.
We don’t practice key management for its own sake. We do it to make cryptography useful. And we don’t use cryptography for its own sake either. We use it to support our businesses, to protect the information that is the lifeblood of the modern economy.
Each key, each use of cryptography, means something. It is a proxy for some promise made to underpin our electronic business and personal transactions. A signature means, “Alice really made this, and it has not been altered since.” Encryption means, “only Bob can read this.” Those promises hold only for as long as Alice’s signing key and Bob’s decryption key stay in the right hands, and keeping them there is precisely the job of key management.
Key management and solving the problem
And this is the way we need to think about key management in the Cloud. It’s all about information-centric protection, not the technology. We should be asking, “How do I use cryptography and key management to uphold my promises?”
By approaching the problem in this way, we can focus the discussion on the familiar concept of trust and start formulating a primary approach to Cloud key management and security, without worrying specifically about the technologies we will be using.
Potential approaches include: