Cloud computing: Trust everyone, trust no-one or trust someone

Having outlined the need to take an information-centric approach to key management in the cloud, today I would like to share the first half of a series of six strategies that could help organisations take this approach.

The first strategy I would like to outline is the Trust Everyone Strategy, where existing applications, keys and management tasks are fork-lifted from the datacentre into the service provider. No special steps are taken to address the control challenges introduced by the Cloud.

However, as we all know, no matter what else you outsource you can’t outsource your responsibility, so this strategy is not really an option. I’m all for SLAs bridging the gap between business desires and technical reality but wholesale handover of sensitive operations is probably a bridge too far.

At the other end of the scale is the Trust No-one Strategy. No important cryptographic infrastructure is moved out to the Cloud. While very safe, and a good first step for hybrid deployment, this approach does not let you exploit everything the Cloud has to offer.

For those who want something in between, the Trust Someone Strategy is possible. It is the first step in a genuine risk-based approach to moving keys into the cloud. Given some visibility of the operations of the service provider, you are able to make an informed choice about how much you release to their control, much like traditional outsourcing.

Here you accept that a group of administrators and security personnel can affect your security but, given sight of hiring policies, systems management processes and internal physical security, that may be acceptable.

Be on the lookout though for issues of multi-tenancy, the constancy of personnel management at the provider and the economics of providing strong separation between personnel and management systems. Also be sure you can find proof of whatever you’re relying on. What systems and processes give you independent proof that procedures are being followed and promises kept?


Jon Geater has more than 10 years’ technical experience as a software architect and chief architect in the information security industry and has helped define many real-world security products and systems. As Director of Technical Strategy at Thales, Jon is a technical evangelist for Thales’ information technology security activities. Jon represents Thales at academic conferences and standards bodies, and is a co-founder of the OASIS KMIP key management group. Jon holds a BSc Hons in Computer Science.