How might we better think about key management in the cloud?

As outlined in my last post, crypto and key management clearly have a lot to offer in terms of the Cloud, but in a bid to get ahead, important details sometimes get overlooked. To ensure that cryptography and key management are deployed to best use in the Cloud, we need to take a step back and remember why these solutions exist and why we use them the way we already do.

What drove people to choose one approach over another? Why have best practices and standards of due care developed in the way they have? In key management, as in all matters of security, we need to return to the why before we can decide on the what and the how.

Why do people need key management? Why has the field grown so much over the past few years? This one is obvious: more people are using more cryptographic keys than ever before, and cryptography is meaningless without strong key management. And why the rise in cryptography? Because in today’s information society there is ever more information in need of ever more protection.

We don’t practise key management for its own sake: we do it to make cryptography useful. And we don’t use cryptography for its own sake either: we use it to support our businesses, to protect the information that is the lifeblood of the modern economy.

Each key, each use of cryptography means something. It’s a proxy to some promise made to underpin our electronic business and personal transactions. A signature means “Alice really made this”. Encryption means “Only Bob can read this”.

This is the way we need to think about key management in the Cloud. It’s all about information-centric protection, nothing to do with the mechanics or bits-and-bytes. Without doubt, cryptography and key management are the right tools for the job, but we should be asking, “How do I use these tools to uphold my promises?”

By approaching the problem in this way we can reduce the legion of bamboozling issues to the familiar concept of trust, and start formulating a primary approach to Cloud key management and security without worrying specifically about the technologies we will be using. Over the next few days, I will be outlining six strategies that could be implemented to do just that.

I look forward to hearing your thoughts…

Jon Geater has more than 10 years’ technical experience as a software architect and chief architect in the information security industry and has helped define many real-world security products and systems. As Director of Technical Strategy at Thales, Jon is a technical evangelist for the information technology security activities for Thales. Jon represents Thales at academic conferences and standards bodies, and is a co-founder of the OASIS KMIP key management group. Jon holds a BSc Hons in Computer Science.