There is a lot of talk in certain circles at the moment about key management in distributed on-demand computing environments (aka ‘the Cloud’), but much of this seems too deeply product- or technology-oriented.
All this ‘solution-first’ talk approaches the problem in the wrong way. We need to return to our roots, look at why key management has become important and revalidate the use of cryptography to solve Cloud security issues.
There is no doubt that cryptography and key management are vital tools in the Cloud information security battle and companies with long experience in crypto and key management have much to offer this immature space. But we must re-examine the way we employ these tools in this new context and make sure that the technology is solving the problems, not defining them.
In any area of life people tend to focus on their area of expertise. To a man with a hammer, every problem’s a nail. The security industry is no different. When a new problem comes along everyone looks at their toolbag and tries to fit what’s in it to the new scenario.
So when Cloud Computing became big news everyone was quick to apply existing policies, process and products to the new environment. To no small degree we’re rather guilty of this in my own area of expertise: cryptography and key management.
I’ll be writing a series of blogs over the next few days about a different, and perhaps more effective, approach. If nothing more I hope this will be food for thought for our information security readers, but if you feel inclined to let me know your thoughts then I welcome them in the comments section below…