This second decade since the Millennium is seeing a major uplift in the use of cryptography in existing and new business systems. This uplift is likely to be disproportionately greater than the actual increase in business transaction volumes.
In many instances it is the combined impact of compliance, regulators and governments (e.g. the ICO, the Information Commissioner's Office, in the UK) and, perhaps most importantly, organisations' customers, who are demanding that personal and corporate data are protected; otherwise they move to a supplier who does protect it. Increasingly, the use of encryption techniques is seen as an important part of the solution to the demand for providing secure access to existing business and customer data via an ever-widening range of distribution channels and device form factors.
The simplest development project (if there is such a thing) to deal with, in a project management sense, is the single platform, green field, internal to the organisation project, which is known, or thought, to have few if any new technical challenges. But realistically how many projects fit that category these days?
More likely is the need to introduce additional data protection to an existing business system using encryption. Within that operational system there are almost certainly clearly defined operational characteristics which might state that:
1) You can't fundamentally change the existing systems design and
2) You need to still hit the existing Service Level Agreements and processing windows.
This is much more the real world. The potential complexity of project workflows using cryptography can be illustrated as in figure 1.
Figure 1: Cryptography Development Project Workflows
The workflow is likely to have more iterations than indicated in figure 1, and one cannot guarantee to solve every real world project situation like the example above, with its two clearly defined operational characteristics - it may be practically impossible to meet these characteristics within the existing system design of the IT application.
The use of cryptography often becomes, or is perceived as, responsible for holding up entire projects. Responding to these development challenges requires organisations to consider moving away from the project by project model and embrace a proactive and sustainable approach to managing cryptography.
Cryptomathic's Crypto Service Gateway (CSG) is the world's first solution for delivering an integrated cryptographic service model, ideally suited to supporting the use of "application level cryptography". This model can improve workflows and allows an organisation to design and develop its latest business systems, providing, as necessary, End to End (E2E) protection and security of essential data. The organisation can choose to protect as much or as little business data - within transaction flows or as data at rest - as is considered necessary in a disciplined and controlled manner.
An in-house crypto service model is much easier to use for project managers and developers than the conventional HSM development techniques of the last decade, and can provide a range of advantages, including:
As deploying cryptographic solutions using CSG becomes your organisation's norm, this leads to a "natural reduction" in single-point-of-failure dependencies within the live system support and enhancement teams. Less reliance on the specialist Freds of this world!
Further time and cost saving opportunities are discussed in