An updated version of this article is available under this link.
To date the deployment of encryption services and the techniques used to achieve interoperability and technical standards have always lagged behind what businesses have actually needed, or for that matter, what regulators or certain schemes are enforcing.
The Enlightenment Opportunities Using Crypto Service Gateway
Businesses often view the inclusion of using cryptographic techniques at the outset of a project as a necessary project evil. More often than not they will include 'tactical solutions', as the 'production strength' solution will perhaps cost the project 30% more, but more importantly, add an extra 5 weeks to the project's duration. Guess which approach is invariably chosen using current services and techniques.The tactical solution is developed, the businesses new offering is successful - let's optimistically say a take up of 500% more than first forecast. What is the likely appetite for going back and putting in the 'Production Strength' solution, when "we must have these functional enhancements"? In contrast, using an integrated service model can, almost always, allow an organisation to design it right from the outset.
A very old cliché in IT is that you could guess how long a designer/project manager had worked in IT dependent on the amount of spare data space he/she provided in files to allow for future development. The same can be said in forecasting and provisioning for what the maximum RSA key size has to be catered for in a new application.
Having a clear vision of how your organisation can harness an enabler, such as the Crypto Service Gateway (CSG), is absolutely fundamental. This vision can be modest or aggressive and could have one, several or all of the following characteristics:
- Internal and external compliance
- The central policy enforcement, that enables straightforward crypto integration development, uses a fine-grained but straight forward policy language, which allows administrators to control exactly what keys and commands different users of the system have access to. The policy language is simple enough to show to auditors and business architects who do not have programming experience.
- CSG has extensive usage and audit logging, digitally signed for non-repudiation, which together with the policy language allows projects to easily demonstrate both theoretical and actual compliance with regulations.
- Proactive Monitoring of existing HSM estates
- Maintenance and measurement of overall systems SLA's for IT services that use cryptography where the cryptographic capabilities cannot, and must not, be seen to be a system weak point or performance 'chokepoint'.
- Allowing better HSM utilisation to be achieved consistently and resiliently.
- HSM vendor independence
- Many organisations have policies that stipulate that they wish to be able to have dual or multiple sources of equipment supply, should that prove necessary.
- In recent years the HSM marketplace has been consolidating.
- Currently substituting different manufacturer's HSM's equipment is not straightforward. Yes it can be done, but there are invariably more compelling business focussed activities to action your development and support personnel to undertake.
- The use of CSG can assist an organisation in controlling its level of vendor dependency.
- Use of CSG can ensure that an organisation can use, when necessary, the latest and most technically and commercially effective HSM equipment. This can be achieved far more readily than hitherto for new and existing systems.
- Proactive Cryptographic Life Cycle management
- Proactive changes to the cryptographic functionality within a business system have always been highly desirable but rarely achievable. Such changes having invariably been undertaken on a special project basis. Using CSG it is now possible to ensure that such events can be accommodated for without undue impacts to the underlying business systems. Certain seamless changes of cryptographic algorithm choice in a system are now achievable options. In the event of the unexpected need to cease using a cryptographic technique, in response to publication of successful attacks, having CSG available to assist in the resolution could prove vital. (as regards timeliness, saving significant actual costs, lost opportunity costs + less impact on live systems operation).
- CSG can be readily integrated with other cryptographic products to achieve seamless and transparent key changes. Historically this has rarely been undertaken but has recently become an essential capability that has to be exploited.
- The ability to manage HSM firmware upgrades and incremental HSM deployments centrally also contains cost to the organisation in both production and development environments.
In adopting CSG it is possible to incorporate stronger cryptographic controls via HSM's and CSG into projects that would never have been financially justified and approved if that project had to bear all the initial HSM costs within the project. This could reduce the need and likelihood of enhancements aimed at maintaining or improving controls.
Reiterating previous statements, none of the bullet points should be looked at in isolation; it's their l interaction within your enterprise that is the crucial factor.
What this third article has hopefully demonstrated is numerous practical ways in which you can set out to manage your organisations cryptography cost-effectively and provide a strong business case for the adoption of CSG.
Cryptomathic can assist an organisation in determining how and in which areas you can benefit from deploying CSG. Any such evaluation exercise is likely to prove illuminating and potentially unpalatable for an organisation, but whether or not CSG provides part of your subsequent solution that analysis has to be undertaken - to manage your business.
These articles have set out how managing the use of cryptography in an organisation has become a much bigger subject area in recent years. The subject has largely evolved, with no apparent overall business and technical philosophy available to manage its usage.
Who needs the ability to manage the use of cryptography? The answer is simple, you do, your organisation; using the old maxim "You can't manage what you don't understand"
What form must this management take? Here are some thoughts:
- contain the actual overall cost and technical complexity of ownership of cryptographic equipment to an organisation
- allow an organisation to select the best and often latest equipment from the marketplace
- provide tools and techniques to initiate the rapid and proactive introduction of cryptographic functionality in existing and new business systems within an organisation.
Cryptomathic CSG is the only comprehensive offering to allow your organisation to achieve these objectives.
References and further reading
- Selected articles on HSMs (2013-17), by Ashiq JA, Peter Landrock, Peter Smirnoff, Steva Marshall, Torben Pedersen and more