Welcome to the Thales Key Management digital media news centre.
As companies look to protect their customer data and other sensitive information, encryption is being deployed more widely. Yet if an encryption key is lost then that data cannot be recovered. Avoiding this problem demands formalized processes and robust technologies for key management making the protection, management and secure use of cryptographic keys a fundamental component of modern IT security.
This Thales media center provides information on international industry issues and trends relating to the general topic of key management. There's also a Q&A page here which aims to answer some of the frequently asked questions on the subject. Key management affects organizations across all sectors and this site includes information on global best practices, regulation, technology, deployment scenarios and key management strategy.
Thales leads in the provision of information and communication systems security solutions for government, defence, critical infrastructure, enterprise and the finance industry. Thales’s comprehensive portfolio of security products and services protect electronic information – safeguarding transactions, IT operations and information transfers within highly sensitive and regulated environments.
Sometimes it takes a very public breach for the shockwaves to force an industry to tighten up security. I welcome the news that the Certificate Authority (CA) industry body that initially specified the standard for Extended Validation (EV) certificates has now published requirements (or standards of due care) for the issuance of publicly trusted certificates. Certificate authorities that have signed up to the new requirements have 6 months to comply.
It's good news that Google have announced their continued expansion of the use of SSL, which means that certain Google searches (and the results) will be encrypted. There's already been pressure to turn on encryption at corporate and domestic WiFi hotspots to prevent theft of passwords and other information by sniffers on the local hotspot, but it must be remembered that this still only protects communication between the user's computer or phone and the WiFi access point. Traffic flowing on the wired network across the various hops and interconnection points that make up the internet to get to websites such as Google is typically unencrypted. The solution is for web site operators to deploy technologies like SSL to provide end-to-end encryption from the consumer all the way back to their site. It's good to see that https (aka SSL) is now gradually replacing http, even for free services like Google search.
Since the European Commission outlined its overhaul of EU data protection laws in June (see earlier post here), debate has continued about the scope and impact of the reforms, especially in reference to cloud computing.
The draft document is not due out until November but there has been considerable speculation on the details of the Directive, particularly over whether it will shift liability to the cloud provider in the event of a data breach.
Data breaches have certainly dominated the headlines during the past few months. The dust hadn’t settled around Stuxnet when the Sony and RSA incidents occurred. We have also seen less complex mobile phone “hacking” that has closed a national newspaper and dominated a government’s agenda. Now, recent reports have shown an increase in smartphone attacks, with more app, Android and iPhone incidents as hackers attempt to get at the treasure trove of personal information users now keep on their mobile phones. Is this the next fraud frontier?
A researcher has revealed this week how easy it can be to find the private keys that are supposedly securing organisations’ sensitive data. No clever hacks or tricks of the trade are necessary, just a simple Google search.
After he claimed that a web search on ‘BEGIN PGP PRIVATE KEY BLOCK’ gave 29,500 hits, I decided to test this out myself (with a few tweaks) and the number of keys out there is indeed staggering. It’s not clear how many of them are real or provide access to valuable information, but presumably some proportion of them do. And that’s worrying.
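The defensive counterpart to the web search described above is to look for the same marker strings inside your own repositories and file shares before they ever reach a public index. The following Go program is an added example written for this page, not Thales code or a Thales product: it scans text for PEM-style private key headers (PGP, RSA, EC, OpenSSH and the generic PKCS#8 form), reports the line and key type, and flags whether a matching END marker follows, which helps separate a complete paste from a truncated fragment. The sample input is constructed for the demonstration and contains placeholder text, not real key material.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding describes one private key header discovered in scanned content.
type Finding struct {
	Line     int    // 1-based line number of the BEGIN marker
	KeyType  string // e.g. "PGP PRIVATE KEY BLOCK", "RSA PRIVATE KEY"
	Complete bool   // true when a matching END marker appears later in the content
}

// beginRe matches the armour/PEM headers used by PGP, OpenSSL, OpenSSH and PKCS#8
// private keys: "-----BEGIN <words> PRIVATE KEY[ BLOCK]-----".
var beginRe = regexp.MustCompile(`-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY(?: BLOCK)?)-----`)

// ScanForPrivateKeys returns a Finding for every private key header in content.
// It is deliberately line-oriented so the output can be fed to a pre-commit hook
// or a content scanner without loading whole files into a regex engine.
func ScanForPrivateKeys(content string) []Finding {
	lines := strings.Split(content, "\n")
	var findings []Finding
	for i, line := range lines {
		m := beginRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		endMarker := "-----END " + m[1] + "-----"
		complete := false
		for _, later := range lines[i+1:] {
			if strings.Contains(later, endMarker) {
				complete = true
				break
			}
		}
		findings = append(findings, Finding{Line: i + 1, KeyType: m[1], Complete: complete})
	}
	return findings
}

// sampleRepo is a constructed sample of a config file accidentally committed to a
// public repository. The key bodies are placeholders, not real keys.
const sampleRepo = `# constructed sample: deploy.cfg checked into a public repo
db_host = db.example.internal
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: constructed-sample

lQPGBFplaceholderNOTAREALKEY
-----END PGP PRIVATE KEY BLOCK-----
ssh_key = /home/deploy/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderTruncatedPasteNOTAREALKEY
`

func main() {
	for _, f := range ScanForPrivateKeys(sampleRepo) {
		state := "complete block"
		if !f.Complete {
			state = "truncated (no END marker)"
		}
		fmt.Printf("line %d: %s, %s\n", f.Line, f.KeyType, state)
	}
}
```

Run against the constructed sample it reports a complete PGP private key block at line 3 and a truncated RSA private key at line 9. In practice a match should trigger key revocation and rotation rather than just a cleanup commit, since the material may already have been indexed or cloned.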
Code signing is one concept not earning enough attention amid all the coverage of advanced persistent threats (APTs). A main reason APTs are an issue is that attackers can easily change application code or device firmware (that’s what makes them "advanced") without being noticed (that’s what makes them "persistent"). The threats are significant and don't necessarily involve just corporate data theft: think about malware on critical infrastructure, such as a flight computer in a plane, smart grids, or even traffic lights. Since the code runs on open platforms, the best line of defense is to make sure the software has not been modified by testing its authenticity.
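The authenticity test the post refers to is a signature check: the release pipeline signs a digest of the artifact with a private key that never leaves the signing environment, and the device or host verifies it with the corresponding public key before loading the code. The Go program below is an added example for this page, not Thales code; it uses Ed25519 from the Go standard library and a constructed firmware image to show that the genuine image verifies and that a single flipped byte is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// GenerateSigningKey creates the release signing key pair. In a real deployment
// the private key is generated and held in an HSM or on-premise key manager;
// only the public key is baked into the device or host that verifies updates.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArtifact signs the SHA-256 digest of an artifact (firmware image, package,
// installer). Hashing first keeps the signed message a fixed 32 bytes however
// large the artifact is; Ed25519 then signs that digest.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyArtifact recomputes the digest and checks the signature against the
// trusted public key. Any modification to the artifact makes this return false.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// TamperDemo models the APT scenario from the post: a signed image is accepted,
// and the same image with one byte changed is refused. It returns
// (genuineAccepted, tamperedAccepted).
func TamperDemo() (bool, bool, error) {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		return false, false, err
	}
	// Constructed stand-in for a firmware image.
	firmware := []byte("constructed firmware image v1.2.3 for a traffic controller")
	sig := SignArtifact(priv, firmware)

	// An attacker-modified copy: identical except for the last byte.
	tampered := append([]byte(nil), firmware...)
	tampered[len(tampered)-1] ^= 0x01

	return VerifyArtifact(pub, firmware, sig), VerifyArtifact(pub, tampered, sig), nil
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image v1.2.3 for a traffic controller")
	sig := SignArtifact(priv, firmware)
	fmt.Printf("public key: %s\n", hex.EncodeToString(pub))
	fmt.Printf("signature:  %s\n", hex.EncodeToString(sig))

	genuine, tampered, _ := TamperDemo()
	fmt.Printf("genuine image accepted:  %v\n", genuine)
	fmt.Printf("tampered image accepted: %v\n", tampered)
}
```

The check is only as strong as the protection of the private key and the integrity of the public key on the verifying side, which is why both ends of code signing come back to key management rather than to the signature algorithm itself.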
As the final in a series of posts on key management in the Cloud, following are the remaining three possible strategies that organisations could look to adopt when thinking about how to secure their information in the Cloud.
The Just In Time Strategy is where keys and sensitive materials are stored on premise, only being released into the Cloud for a short time when needed. Quite a few companies are starting to offer such solutions with a large on-premise management system and a small software plugin for the Cloud applications which can fetch and use keys when needed. This is a promising model but it’s early days: watch out for highly proprietary systems, vendor lock-in and the need to modify applications directly to take advantage of the solution. And remember - the keys have still been exposed to the Cloud, no matter how briefly.
Having outlined yesterday the need to take an information-centric approach to key management in the cloud, today I would like to share the first half of a series of six strategies that could help organisations take this approach.
The first strategy I would like to outline is the Trust Everyone Strategy, where existing applications, keys and management tasks are fork-lifted from the datacentre into the service provider. No special steps are taken to address the control challenges introduced by the Cloud. However, as we all know, no matter what else you outsource you can’t outsource your responsibility, so this strategy is not really an option. I’m all for SLAs bridging the gap between business desires and technical reality, but wholesale handover of sensitive operations is probably a bridge too far.
As outlined in my last post, crypto and key management clearly have a lot to offer in terms of the Cloud, but in a bid to get ahead sometimes important details get overlooked. To ensure that cryptography and key management are deployed to best use in the Cloud, we need to take a step back and remember why these solutions exist and why we use them the way we already do. What drove people to choose one approach over another? Why have best practices and standards of due care developed in the way they have? In key management, as in all matters of security we need to return to the why before we can decide on the what and the how.
There is a lot of talk in certain circles at the moment about key management in distributed on-demand computing environments (aka ‘the Cloud’), but much of this seems too deeply product- or technology-oriented.
All this ‘solution-first’ talk approaches the problem in the wrong way. We need to return to our roots, look at why key management has become important and revalidate the use of cryptography to solve Cloud security issues.
There is no doubt that cryptography and key management are vital tools in the Cloud information security battle and companies with long experience in crypto and key management have much to offer this immature space. But we must re-examine the way we employ these tools in this new context and make sure that the technology is solving the problems, not defining them.