Managing encryption keys and the digital certificates that go with them is shaping up as one of the toughest security-related challenges that enterprise IT faces right now, according to an Aetna Group official.
I've had to attend far too many tradeshows in my life, and until this week, I thought I'd seen it all. But the RSA 2012 security conference in San Francisco this week was an eye-opener.
If nothing else, the show was larger and more crowded and busy than any of the cloud computing expos I've attended in recent months. That may well reflect enterprise IT's current priorities. Security is a serious, even escalating problem that calls for serious technology and spending, while the cloud is still in the exploratory, experimental stage.
On the other hand, I've never been to a tradeshow where beer, wine, and even martinis flowed on the expo floor itself. (That may be because I've yet to visit Germany's famed Hannover Fair, with its three-story booths housing bars, restaurants, and more.) At 5:00 p.m., exhibitor after RSA exhibitor opened its own bar. Is IT security perhaps so difficult a challenge, I wondered, that its practitioners must seek refuge in drink? (Just for the record, I didn't see anyone at the National Security Agency's sizable booth -- a surprise in itself -- with even a Bud Light in hand.)
In any case, enterprises certainly are struggling with security, especially as it relates to the cloud. Take Aetna, for instance. Tim Tompkins, the insurance company's manager of information security analytics, described a level of "encryption chaos" that has engulfed corporations like his own. Especially in regulated industries like health insurance, he said, a company may end up relying on products from a wide variety of vendors, each with a "siloed strategy" of its own. "There's very little integration" among these products, and the resulting complexity and inconsistencies end up creating their own security issues.
One particular concern is managing the hundreds (or even thousands) of digital certificates and encryption keys that proliferate across a large enterprise. "Key management is the hardest part of the solution," Tompkins said. Encryption itself is essentially a technical problem, but key management involves people and processes. Quoting the security guru Bruce Schneier, Tompkins called key management IT security's "Achilles heel."
And it's about to get even hairier with public cloud-based services, the Aetna manager said. A customer that orders just infrastructure will have to engineer its own key management structure. Integration into PaaS is more difficult, Tompkins said, because there's a richer software stack to address. And with SaaS, "you're at the mercy of the vendor."
Aetna automates
A key attribute of cloud computing may be its elasticity, he said, but how do you get keys on demand? The OASIS open-standards group has put forth the Key Management Interoperability Protocol (KMIP), but Tompkins said it's not getting adopted fast enough for his taste.
In a world where "everything has a [digital] certificate," key management is turning into a major challenge. Too many products still require manual renewal of certificates. "Try that with 10,000 VoIP phones."
Tompkins described how Aetna has rationalized its key management processes, thoroughly re-engineering what was a heavily manual process and adding large doses of automation. As a result of this work, only 10 percent of certificates now require manual intervention, versus more than 50 percent before. In addition, Aetna is ready to handle tens of thousands of certificates in the future, up from around 2,600 today.
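The re-engineering Tompkins describes comes down to two things: knowing what is in the certificate inventory, and deciding which expiring certificates an automated agent can renew versus which still need a person. The program below is an added example of that triage step and is not Aetna's tooling or anything presented at the talk. It mints five constructed self-signed certificates with Go's standard library so there is real X.509 input to parse, reads NotAfter back from the PEM, buckets each certificate against a 30-day renewal window, and reports the share of the inventory that still needs manual intervention (the figure Tompkins quoted). The hostnames, the AutoRenew flag and the renewal window are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CertRecord is one inventory entry: the parsed expiry plus the one operational
// fact the planner needs, whether an automated agent owns this certificate's renewal.
type CertRecord struct {
	Name      string
	NotAfter  time.Time
	AutoRenew bool
}

// RenewalPlan buckets the inventory for a given renewal window.
type RenewalPlan struct {
	Automated []string // due inside the window; an agent can renew unattended
	Manual    []string // due inside the window; a person has to act
	Expired   []string // already past NotAfter; automation failed, so escalate to a person
	Healthy   int      // not due yet
}

// ManualPercent is the share of the whole inventory that still needs a human.
func (p RenewalPlan) ManualPercent() float64 {
	total := len(p.Automated) + len(p.Manual) + len(p.Expired) + p.Healthy
	if total == 0 {
		return 0
	}
	return 100 * float64(len(p.Manual)+len(p.Expired)) / float64(total)
}

// ParseCertPEM decodes one PEM-encoded certificate; garbage input is an error, not a crash.
func ParseCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// PlanRenewals orders records by expiry (most urgent first) and buckets them.
func PlanRenewals(records []CertRecord, now time.Time, window time.Duration) RenewalPlan {
	sorted := append([]CertRecord(nil), records...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].NotAfter.Before(sorted[j].NotAfter) })
	var plan RenewalPlan
	deadline := now.Add(window)
	for _, r := range sorted {
		switch {
		case !r.NotAfter.After(now):
			plan.Expired = append(plan.Expired, r.Name)
		case r.NotAfter.After(deadline):
			plan.Healthy++
		case r.AutoRenew:
			plan.Automated = append(plan.Automated, r.Name)
		default:
			plan.Manual = append(plan.Manual, r.Name)
		}
	}
	return plan
}

// selfSignedPEM mints a throwaway self-signed certificate (constructed demo data).
func selfSignedPEM(cn string, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildSampleInventory mints five certificates with expiries relative to now and parses
// each back from PEM, exactly as an inventory job would read them off the estate.
func BuildSampleInventory(now time.Time) ([]CertRecord, error) {
	samples := []struct {
		cn        string
		daysLeft  int
		autoRenew bool
	}{
		{"voip-phone-0001.example.internal", 10, true},  // due, agent-owned
		{"voip-phone-0002.example.internal", 200, true}, // healthy
		{"legacy-proxy.example.internal", -1, false},    // already expired
		{"claims-portal.example.internal", 20, false},   // due, needs a person
		{"hsm-signer.example.internal", 400, false},     // healthy
	}
	var records []CertRecord
	for _, s := range samples {
		pemBytes, err := selfSignedPEM(s.cn, now.Add(time.Duration(s.daysLeft)*24*time.Hour))
		if err != nil {
			return nil, err
		}
		cert, err := ParseCertPEM(pemBytes)
		if err != nil {
			return nil, err
		}
		records = append(records, CertRecord{cert.Subject.CommonName, cert.NotAfter, s.autoRenew})
	}
	return records, nil
}

func main() {
	now := time.Now()
	records, err := BuildSampleInventory(now)
	if err != nil {
		panic(err)
	}
	plan := PlanRenewals(records, now, 30*24*time.Hour)
	fmt.Printf("automated=%v manual=%v expired=%v healthy=%d manual share=%.0f%%\n",
		plan.Automated, plan.Manual, plan.Expired, plan.Healthy, plan.ManualPercent())
}
```

Expired certificates are escalated to a person even when an agent owns them, because an expiry that slipped past the renewal window is evidence the automation itself failed and a renewal retry alone will not explain why. Running the real version of this against the estate (the inventory step is where most of the effort goes) is what turns "only 10 percent need manual intervention" from a claim into a number you can recompute every morning.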
Has the new key management system unleashed much new use of cloud-based services within Aetna? Not yet, Tompkins said, but that's mainly because Aetna, as part of the healthcare industry, is tightly bound by regulatory compliance issues. In the meantime, the security team has its hands full with more than enough earthbound problems to solve.
Where are your keys, and how do you manage them?