To secure the cloud, keep all your keys in one place

Cloud services may be more secure than the average data center, but managing access -- including handling encryption keys -- raises new risks. Larry Warnock of Gazzang offers one answer

Maintaining data security in an increasingly cloud-based world presents a host of new IT challenges. Your data is no longer necessarily stored on-premises, or even on systems you own. The cloud opens organizations to new possibilities -- and new dangers.

In this week's New Tech Forum, Larry Warnock, CEO of cloud security firm Gazzang, details how we can deal with the data security issues presented by cloud computing through the use of universal key management. -- Paul Venezia

Safeguarding data in the cloud with universal key management

Cloud computing, big data, and the hybridization of IT environments represent real, seismic shifts in the way organizations leverage technology to provide better customer service, more effectively solve problems, and gain a competitive advantage. But as adoption of these technologies grows, so too does the amount of sensitive data and variety of information objects that require tight management and security.

As companies move more of their IT infrastructure, critical applications, and valuable company data into the cloud, they should be using security measures such as encryption, tokenization, authorization, and access controls to protect these business assets.

These security measures create an abundance of encryption keys, tokens, certificates, passphrases, and configuration files. What's more, the burgeoning use of big data, in which a single data set can be spread across hundreds of servers, multiplies these operational objects. An organization can literally have tens or hundreds of thousands of security artifacts to store and manage, and the irony is that even the most security-minded companies don't know where all of these objects are.

Increasingly, organizations are using multiple utilities and management systems spread across clouds to protect these objects. This practice creates operational inefficiencies, unnecessary expense, and security risks.

For example, most enterprises today encrypt data: in transit, in the application, and at rest. That is certainly better than leaving sensitive data in plaintext for anyone to read and steal. But encryption is only half the equation. Many of the same "security-aware" companies that encrypt do not properly manage their keys, often storing a key unencrypted in a config file or a spreadsheet, where anyone who can read that file can also decrypt the data. A malicious hacker can find an unsecured key string in less time than it takes to read this sentence. Encrypting data without a key manager is like locking your car and leaving the keys in the door.
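The pattern just described, a key-like setting assigned a long, high-entropy literal, is easy to scan for. The following Python is an added example, not code from the article or from Gazzang: it walks configuration text line by line, keeps only settings whose name suggests key material, skips values that are merely references (a URI or a path), and flags the rest by Shannon entropy. The sample config is constructed for the example, and the `vault://` scheme in its last line is a hypothetical key-manager reference, not a real product URI.

```python
import math
import re
from collections import Counter

# Constructed sample config (not from the article). Line 3 carries a 256-bit
# key as a hex literal and line 4 a base64 token; the last line holds only a
# reference to a key manager (hypothetical vault:// scheme), which is what a
# key manager lets you put in the file instead of the key itself.
SAMPLE_CONFIG = """\
db_host = db01.internal
db_user = app
encryption_key = 9f2b7c4e1d8a6b3f5e0c2a7d4b9e1f8c3a6d5e2b7c4f1a8d9e0b3c6f2a5d8e1b
api_token = "c2VjcmV0LXRva2VuLXZhbHVlLTEyMzQ1Njc4OTA="
log_level = info
tls_cert = /etc/ssl/app.pem
master_key = vault://keys/app-db-dek
"""

# Setting names that usually hold key material, and a generic "name = value" line.
KEY_NAMES = re.compile(r"key|secret|token|passphrase|password", re.I)
ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*[=:]\s*(.+?)\s*$")


def shannon_entropy(s):
    """Bits of entropy per character; long random hex sits near 4, base64 near 6."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_reference(value):
    """A URI or filesystem path points at key material rather than being it."""
    return "://" in value or value.startswith("/")


def find_plaintext_keys(text, min_len=20, min_entropy=3.5):
    """Return (line_no, name, entropy) for settings that look like inline keys."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip("'\"")
        if not KEY_NAMES.search(name) or looks_like_reference(value):
            continue
        if len(value) < min_len:
            continue  # too short to be a real key; avoids flagging flags like "yes"
        entropy = shannon_entropy(value)
        if entropy >= min_entropy:
            findings.append((line_no, name, round(entropy, 2)))
    return findings


if __name__ == "__main__":
    for line_no, name, entropy in find_plaintext_keys(SAMPLE_CONFIG):
        print(f"line {line_no}: {name} looks like an inline key ({entropy} bits/char)")
```

Run against the sample, the scanner reports `encryption_key` and `api_token` and stays quiet about the `vault://` reference. The entropy threshold is a heuristic: it will miss a short or low-entropy passphrase and may flag a long random identifier, so treat hits as review candidates rather than proof.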

Traditional key-management appliances, such as HSMs (hardware security modules), weren't designed to work in and across cloud environments. Instead, HSMs were built for enterprise data centers wherein a single organization owned and operated all the computing assets. The rapid ascent of public and hybrid cloud computing has made hardware-based key and certificate managers more niche security items than must-haves.

Using a software-based key-management system that is purpose-built for the cloud, an organization can store all its keys, tokens, certificates, and passphrases in a virtual "master vault" that is universally managed by the company's policies, controls, and business logic.
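A minimal sketch of what such a vault does, as an added Python example that is not Gazzang's or zTrustee's code: keys are stored wrapped under a key-encryption key (KEK) and released only when the requester satisfies the key's policy, with every decision recorded for audit. The wrapping uses HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag, with separate encryption and MAC keys derived from the KEK, so the example runs on the standard library alone; a real vault would use AES-GCM, AES key wrap or an HSM for that step. The policy fields (`clients`, `hosts`, `not_after`), the `vault://` reference scheme and the requester attributes are assumptions of the example, and the requester is taken as already authenticated.

```python
import hashlib
import hmac
import os

# --- Key wrapping: stdlib stand-in for AES-GCM / AES key wrap / an HSM call ---
# Added example, not Gazzang's code. Separate encryption and MAC keys are
# derived from the KEK; the tag is checked before anything is decrypted.

def _derive(kek, label):
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def wrap(kek, key_bytes):
    """Return nonce || ciphertext || tag for key_bytes under kek."""
    enc_key, mac_key = _derive(kek, b"enc"), _derive(kek, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key_bytes, _keystream(enc_key, nonce, len(key_bytes))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek, blob):
    """Verify the tag first, then recover the wrapped key; raises on tampering."""
    enc_key, mac_key = _derive(kek, b"enc"), _derive(kek, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Policy-governed "master vault" ------------------------------------------

class KeyVault:
    """Holds wrapped keys and releases them only to requests that satisfy the
    key's policy. Requester attributes are assumed already authenticated
    (in a real deployment, via mTLS or similar); every decision is audited."""

    def __init__(self, kek):
        self._kek = kek      # in practice the KEK itself lives in an HSM or KMS
        self._store = {}     # key_id -> (wrapped_key, policy)
        self.audit = []      # (key_id, client, host, decision) per request

    def put(self, key_id, key_bytes, policy):
        self._store[key_id] = (wrap(self._kek, key_bytes), policy)
        # This reference, not the key, is what goes into the application config.
        return "vault://keys/" + key_id     # hypothetical reference scheme

    def release(self, key_id, request):
        client, host, now = request["client"], request["host"], request["now"]
        entry = self._store.get(key_id)
        wrapped = None
        if entry is None:
            decision = "deny: unknown key"
        else:
            wrapped, policy = entry
            if client not in policy["clients"]:
                decision = "deny: client not authorized"
            elif host not in policy["hosts"]:
                decision = "deny: host not authorized"
            elif now > policy["not_after"]:
                decision = "deny: policy expired"
            else:
                decision = "allow"
        self.audit.append((key_id, client, host, decision))
        if decision != "allow":
            return None
        return unwrap(self._kek, wrapped)


if __name__ == "__main__":
    vault = KeyVault(os.urandom(32))
    dek = os.urandom(32)   # data-encryption key for, say, the application database
    policy = {"clients": {"app-server"}, "hosts": {"web01"}, "not_after": 1_900_000_000}
    print("config value:", vault.put("app-db-dek", dek, policy))
    granted = vault.release("app-db-dek", {"client": "app-server", "host": "web01", "now": 1_700_000_000})
    denied = vault.release("app-db-dek", {"client": "app-server", "host": "web02", "now": 1_700_000_000})
    print("released matches DEK:", granted == dek, "| denied:", denied is None)
    for record in vault.audit:
        print("audit:", record)
```

The point of the structure is that the application never holds the key at rest: its config carries only the reference, the vault decides per request whether to hand the key over, and the audit trail shows who asked for what and whether they got it.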

We'll get into how policy-based key management works below using Gazzang zTrustee as an example, but let's start with some definitions:
