December 5, 2012 By Wayne Hanson
Cities and counties are responsible for a great deal of sensitive information, from police officers' home addresses and citizens' credit card and banking information to medical data and more.
In a recent special report on cyber security for cities and counties, Phoenix Chief Information Security Officer Ilene Klein said that while public information can be password protected and posted on the public Internet, the most sensitive information should be encrypted, stored on a file server, and password protected -- giving access to only those people who need to know.
So how does one take those best practices for managing a city or county's most sensitive information into the cloud? In the past, most security products were focused on building a secure perimeter, said Richard Moulds, vice president of strategy for Thales e-Security. But with the cloud, the perimeter disappears, and security must rely heavily on technology like identity management and encryption. In a recent survey of some 4,000 enterprises worldwide commissioned by Thales e-Security, about half of all respondents said their organizations transfer sensitive or confidential data to the cloud environment, and another one-third of respondents said their organizations are very likely to transfer sensitive or confidential data to the cloud within the next two years. However, 39 percent of respondents believe cloud adoption has decreased their companies’ security posture. "You don't own the actual physical server or the anti-virus software," Moulds said . "You don't employ the IT staff. So when you hand over data into the cloud, you're handing over control … and you're relying on them to stand by the security claims that they make." And if there's a breach or loss, the city or county is ultimately responsible. "So encryption is sort of a default get-out-of-jail card," said Moulds, "in the sense that if all those security measures fail, and [someone] grabs your data and runs away with it, you're safe. Encryption is the last line of defense." Moulds also says that the process of encrypting and decrypting -- which was the focus of so much attention in years past -- is now a kind of basic technology. There's nothing special about a key, he said, it's just secret numbers -- a really really long password, as many as 1,000 or 2,000 bits of data.
What defines security now is who has access to the keys. "It's just like the front door lock on your house," said Moulds. "The properties of the lock, how big the bolts are, how strong the metal casing is, how many tumblers you've got in the key barrel -- that's interesting, but at the end of the day, if you've given a copy of the key to the plumber, then you've defeated the object." So key management, distribution, rotation (how often you change your keys) and proliferation (how many people have access to the keys) become the determinant as to what level of security the encryption itself is providing, he said.
Key management, however, is built on a basic conflict. If you want to keep a secret, he said, you tell as few people as possible. So those responsible for security operations want as few keys as possible; those responsible for operational and storage functions, however, want as many keys as possible to allow easy access and use. And extra keys are a safeguard -- if there's only one key and that key is lost, that data is gone for good.
The complexity of key management increases with the size of the system. "Large systems might have petabytes of data scattered across thousands of disk drives," said Moulds, "all of which need a key. So what starts out sounding like 'a key and a padlock problem,' suddenly becomes a big organizational problem. How do I manage thousands of keys?" Keys must be changed regularly, and because the data could have a retention period of 30 or even 100 years, "key management becomes a dominant operational issue that far outweighs the importance of the encryption process itself."
In a cloud computing environment, the encryption can occur in the enterprise or in the cloud. But who controls the keys -- the cloud or the enterprise? "If you are relying on the cloud provider to hold the keys for you, then you've not really solved much of a security problem," said Moulds, "because you don't know who they employ or what policies they have."The alternative is for the government to encrypt the data itself before it is put into the cloud and then holds the keys itself. So the data is encrypted when it leaves the organization, and is decrypted when it returns to the organization. While that appears to be very secure, there is a downside -- the cloud provider only sees encrypted data. "If you are looking for an archival service, that would be OK," he said. "But if you are expecting that cloud provider to do version control or searching, or any sort of analytics on that data, then those services become impossible, because they only have access to encrypted data. You can't search encrypted data, you can't filter encrypted data. So you can only use the cloud for mundane services like basic storage."
Hybrid Key Management
So is there a solution to cloud key management? Moulds says the market seems to be heading toward a hybrid model where the encryption happens in the cloud but the keys are controlled by the enterprise. So the enterprise, the government agency, will temporarily release the keys on a need-to-know basis to the cloud provider or service to selectively decrypt the data as necessary.
"It's more complicated and relies on coordination," he said, "but I think that is the way the model will evolve. You can imagine a scenario where a government agency has outsourced practically all of its IT to a cloud provider and all it has left are the keys. That's the only thing that bestows any control. So key usage happens in the cloud. Key management happens in the enterprise."
That model requires a standard way to share keys between the enterprise and the cloud, which will also enable the enterprise some flexibility to move from one cloud provider to another. "When you think about clouds, the whole thing is about virtualization and elasticity," said Moulds. "You can buy computing power or storage, but when you scale your needs back or switch services, you still have petabytes of data hanging around in the cloud somewhere. How do you get it out? If the data is encrypted, you withdraw the key and that data's gone. You can think about key management as a 'data destruction vehicle' as much as a 'data protection vehicle.'"
According to Moulds, the solution may well be a new standard for key management called the Key Management Interoperability Protocol (KMIP) -- an OASIS standard that he thinks will enable the hybrid trust model to develop.
"Encryption is just the process of locking and unlocking your front door," said Moulds. "It feels like that is the big issue, but the big issue is how secure is your lock when you're not there and how secure is the key in your pocket 24 hours a day?"
This Digital Communities white paper highlights discussions with IT officials in four counties that have adopted shared services models. Our aim was to learn about the obstacles these governments have faced when it comes to shared services and what it takes to overcome those roadblocks. We also spoke with several members of the IT industry who have thought long and hard about these issues. The paper offers some best practices for shared government-to-government services, but also points out challenges that government and industry still must overcome before this model gains widespread adoption.