Cloud is a key-management pain: NIST

Too many services, too little oversight

Wed 2 Oct 2013 // 02:34 UTC

The ISA's National Institute of Standards and Technology (NIST) – recently accused of collaborating with the NSA to weaken security standards – has put together a paper highlighting the key-management challenge posed by cloud computing platforms.

As readers will know, key multiplication (and therefore management) can be headache-making even in in-house IT environments. Just one service, SSH, was criticised by its creator earlier this year for spreading 1unwanted keys far and wide.

The paper, Cryptographic Key Management Issues & Challenges in Cloud Services, would be available at http://www.nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7956.pdf if it were not for the fact NIST's site has been DOSed by the US government shut down. The Reg has popped it into Dropbox here as a PDF. (See - we don't need no lousy government, do we?)

As the paper, authored by Ramaswamy Chandramouli, Michaela Iorga and Santosh Chokhani, states, crypto key management – already a challenge for anybody with a large IT infrastructure – starts to look a little nightmarish when you start spreading your systems far and wide into cloud environments you don't control.

Key management, they write, “becomes more complex in the case of a cloud environment, where the physical and logical control of resources (both computing and networking) is split” between different locations, different applications, and different virtual machines.

“Furthermore, the pattern of distribution varies with the type of service offering - Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS),” they note.

Key management has to be able to cover securing the interactions with the cloud environment, as well as securing the data the cloud service creates. Moreover, “in many instances, the KMS required for managing the cryptographic keys needed to protect that data have to be run on the computing resources provided by the cloud Provider.”

The paper offers a variety of architectural templates for key management, depending on the deployment scenario under consideration. ®

Topics

Special Features

Vendor Voice

Resources

SaaS

Cloud is a key-management pain: NIST

Too many services, too little oversight

More about

More about

Broader topics

More about

More about

More about

Broader topics

TIP US OFF

Other stories you might like

As NSA buys up Americans' browser records, Uncle Sam is asked to simply knock it off

No new top boss at NSA until it answers questions about buying up location, browsing data

Ex-GCHQ software dev jailed for stabbing NSA staffer

Protecting distributed branch office environments from ransomware

Ex-NSA techie pleads guilty to selling state secrets to Russia

NSA hopes AI Security Center will help US outsmart, outwit, and outlast adversaries

CISA reveals 'Admin123' as top security threat in cyber sloppiness chart

Feds' privacy panel backs renewing Feds' S. 702 spying powers — but with limits

To kill BlackLotus malware, patching is a good start, but...

10 years after Snowden's first leak, what have we learned?

Millions of people's data stolen because web devs forget to check access perms

Supreme Court not interested in hearing about NSA's super-snoop schemes

About Us

Our Websites

Your Privacy