Singing the key management blues

We need cryptographic keys, but who is going to manage them?

How do you make an obscure topic like cryptographic key management interesting? And can you then persuade people to move this security essential – managing the “keys to the kingdom”, in many senses – into the cloud?

Oddly enough, the answers to these questions are kind of opposite yet similar. I was prompted to think about them recently after chatting with Johannes Lintzen, who runs the US arm of Danish security software company Cryptomathic.

Cryptographic keys have a wide range of uses, including digital signatures, secure certificates, data encryption in and between applications, secure messaging, digital rights management (DRM), e-commerce and many more. That range of uses is also growing rapidly, which is bringing more and more people – project managers, programmers, business execs, etc. – into contact with cryptography.

That in turn means specialists like Linzten must now communicate the importance of key management to people who aren’t already crypto-savvy. It’s a major educational task – even before you factor in the cryptocurrency speculators and scammers trying to hijack the term “crypto”!

It’s all a bit too cryptic for many of us

Cryptography is a deeply complex field that combines, or overlaps, mathematics and computer science. That’s off-putting enough for anyone outside those fields, and adding terms such as ‘key’ and ‘management’ only makes it even more so.

It reminded me of a conversation with a cloud storage company, back when businesses still saw putting their data into someone else’s cloud as a bit scary, a bit risky. They came up with a service that let customers encrypt their data and keep their encryption keys to themselves, so the cloud company couldn’t see customer data.

The problem was that while people liked the idea, they thought it looked complicated – too complicated – so they didn’t want to use it.

(As an aside, something similar happened with Microsoft’s “data trustee” arrangement with Deutsche Telekom. This allowed German customers to store their data in a secure subdivision of Azure. Deutsche Telekom managed the encryption keys for this, thereby putting customer data out of reach of the US Cloud Act. Launched in 2015, it lasted just three years before Microsoft said customers found the isolated service too limiting, and that they preferred consistency with the wider Azure infrastructure.)

Centralise, automate and simplify

We clearly can’t do away with the need for cryptographic keys in our modern, hyperconnected, world though, and that means we need to make key management a lot simpler to access and use. Cryptomathic’s solution is to centralise and automate the process, which can also considerably simplify things for an organisation that currently has multiple islands of decentralised and manually-managed key stores.

Others are taking the service approach, including offering cloud-based key management systems. A few years ago, I would have expected potential users to run screaming from the idea of letting anything to do with their keys go off-site, never mind into a public cloud.

Now, I’m not so sure. We know we need cryptographic keys, but most of us also know we don’t want the hassle of managing them. Given how many companies have consolidated and simplified systems they once regarded as their “crown jewels”, and/or moved them into a cloud, key management looks ripe for the same treatment – once you’ve dealt with that education challenge, of course!