Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

PKI Still Matters, Especially in the Cloud

Home
Industry Insights
PKI Still Matters, Especially in the Cloud

Blog Article Published: 07/15/2011

By: Merritt Maxim

Director of IAM Product Marketing

CA Technologies Inc.

Infosec veterans probably remember (with a smirk) how Public Key Infrastructure (PKI) was heralded as the next “big thing” in information security at the dawn of the 21st century. While PKI failed to reach the broad adoption the hype suggested, certain PKI capabilities such as key management are still important. The Diffie-Hellman key exchange protocol which solved the serious technical challenge of how to exchange private keys over an insecure channel basically created PKI.

I had not thought about key management until a recent visit to my local car dealer for an oil change. While waiting, I noticed several dealer employees struggling with a large wall-mounted metal box. This box is the dealer’s central repository for all car keys on the dealer’s lot. The box is accessed via a numeric keypad which appeared to be a sensible approach since the keypad logs all access attempts for auditing and tracking purposes.

However, on this particular day, the numeric codes would not open the box, leaving the keys inaccessible and employees quite frustrated. I left before seeing how the problem was resolved, but this incident reminded me of key management and how this technology is still crucial for data management especially with rise of cloud computing.

Key management often goes unnoticed for extended periods of time and only surfaces when a problem appears, as was the case at the dealer. When problems appear, key management is either the solution or the culprit. In the latter case, key management is generally the culprit because of an improper implementation. Poor key management can create several significant problems such as:

  • Complete Compromise-A poor key management system, if broken, could mean that all keys are compromised and all encrypted data is thus at risk (see my postscript for a great example). And fixing a broken key management system can be complex and costly.
  • Inaccessibility-As I witnessed at the dealer, a poorly implemented key management may prevent any or some access to encrypted data. That may seem good from a security standpoint, but the security must be weighed against the inconvenience and productivity loss created from being unable to access data.

With the continued stream of data breaches that appear in daily headlines, a common refrain is that data encryption is the solution to preventing data breaches. While data encryption is certainly a good security best practice and important first step, especially for sensitive data or PII, effective key management must accompany any data encryption effort to ensure a comprehensive implementation.

Here’s why.

Just throwing encryption at a problem especially after a breach is not a panacea-it must be deployed within the context of a broader key management system. NIST Special Publication 800-57, “Recommendation for Key Management-Part 1-General” published in March 2007 stated,

“The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If the combination becomes known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded the keys. “

Even though this NIST publication is more than four years old, this statement is still relevant.

A centralized key management solution should deal with the three ‘R’s-Renewal, Revocation and Recovery. Key management is necessary to solve problems such as:

  • Volume of keys-In a peer to peer model, using freeware like PGP may work, but when you are an organization with thousands of users, you need centralized key management. Just like organizations need to revoke privileges and entitlements when a user leaves the organization, you need to do the same with cryptographic keys. This can only be achieved via central key management and would crumble in a peer to peer model.
  • Archiving and Data Recovery. Data retention policies vary by regulation and policy, but anywhere from three to 10 years is common. If archived data is encrypted (generally a good practice), key management is necessary to ensure that the data can be recovered and decrypted in the future if needed as part of an investigation. The growth on cloud-based storage makes this problem particularly acute.

Organizations that encrypt data without a centralized comprehensive key management system are still at risk of a breach because the lack of a centralized system can cause inconsistencies and error-prone manual processes. Further, today’s sophisticated hackers are more likely to attack a poorly implemented key management system rather than attack an encrypted file, much like the German Army flanked France’s Maginot Line in 1940 to avoid dealing with the line’s formidable defenses. This is why an important aspect of key management is ensuring appropriate checks and balances on the administrators of these systems as well as ongoing auditing of the key management processes and systems to detect any potential design errors, or worse, malicious activity by authorized users.

Key management is not going away. As cloud computing adoption grows, key management is going to become even more crucial especially around data storage in the cloud. We have already seen some examples with online storage providers that show how key management is already an issue in the cloud. Cloud computing and encryption are great concepts, but organizations must accompany these with a sound key management strategy. Otherwise, the overall effectiveness of such systems will be reduced.

PS-a great example of what happens with an ineffective key management implementation is convicted spy John Walker who managed cryptographic keys for US Naval communications but copied the keys and gave them to the USSR for cash. Walker compromised a significant volume of US Navy encrypted traffic but because there was no significant auditing of his duties, his spying went undetected for years. There are several books on the Walker case, but I recommend Peter Earley’s “Family of Spies”

Merritt Maxim is director of IAM product marketing and strategy at CA Technologies. He has 15+ years of product management and product marketing experience in Identity and Access Management (IAM) and the co-author of “Wireless Security.” Merritt blogs and is an active tweeter on a range of IAM, security & privacy topics. Merritt received his BA cum laude from Colgate University and his MBA from the MIT Sloan School of Management.

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.