Universal key management for the cloud

IT Best Practices Alert By Linda Musthaler, Network World
June 28, 2012 03:50 PM ET
As you move your data and applications into the cloud, you need to protect them using techniques like encryption and tokenization. Depending on how you implement these data obfuscation techniques, you could end up with hundreds or thousands of encryption keys, tokens, security certificates and other operational objects which need security and protection of their own. In short, you need a vault where you can store and manage the encryption keys and other materials and apply policies on who can access them, and when.

When you apply encryption to data that is going into the cloud for storage or processing, your encryption solution will likely have its own key management system to resolve the vault issue. But what if you are using multiple SaaS-based applications, each with its own encryption solution, or you have data spread across multiple clouds? It's conceivable you could end up with a dozen or more key management systems to store and control all your security objects. As time goes by, juggling all these disparate vaults becomes a costly and time-consuming process.

Cloud tools vendor Gazzang Inc. recently announced zTrustee, a new universal key management solution to address the issue of "key sprawl." zTrustee builds on Gazzang's experience with managing encryption keys in the Gazzang zNcrypt Key Storage System. zTrustee has an open architecture so that it can manage any "opaque object" (a piece of IT DNA that's needed to run a system or process, such as a key or password) for any client located in the cloud or on your premises.

The zTrustee solution consists of three components:

• The zTrustee server that stores and manages your opaque objects and the policies that control them;

• The zTrustee client, which deposits the opaque objects from your applications to the zTrustee server and retrieves them back again from the server to your application; and

• The zTrustee application that allows assigned trustees to allow or deny access to a requested key or other stored object.

At product launch, the zTrustee server is a SaaS solution hosted in Gazzang's cloud environment. The product roadmap calls for the server to evolve from multi-tenant to single-tenant and then to a private server that you can host in your own data center if you have such a need. The server is built for high availability, strong security and fast performance.

The client can be a process, Web application server, laptop, cryptographic utility or mobile device. The client "registers" with the zTrustee server by exchanging encryption keys and setting up a secure communications channel, and then "activates" to set up the usage license with Gazzang. Once a client registers and activates, it can "put" and "get" secure items on/from the server. All "deposits" or secured items that are placed on the server have policies assigned to them that determine, for example, who is authorized to retrieve the deposit, which trustee must be notified to approve retrieval, how long an object can live on the server, and so on.
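The register/put/get flow and the retrieval policies described above, modelled as an added example (this is not Gazzang's code or API; the class, method and policy field names are assumptions): the server only accepts deposits from registered clients, and on every "get" it checks the object's lifetime, the authorized-retriever list and a one-shot trustee approval, recording each grant and denial in an audit trail.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Policy:
    authorized: Set[str]            # client ids allowed to "get" this deposit
    trustee: Optional[str] = None   # trustee who must approve each retrieval
    ttl_seconds: int = 3600         # how long the object may live on the server

class VaultServer:
    """Server side of the model: stores opaque objects and enforces policies."""
    def __init__(self, clock):
        self.clock = clock          # injected clock so expiry is testable
        self.registered: Set[str] = set()
        self.deposits: Dict[str, Tuple[bytes, Policy, float]] = {}  # (secret, policy, created)
        self.approved: Set[str] = set()     # deposits holding a pending trustee approval
        self.audit: List[Tuple[str, str, str]] = []   # (event, client id, deposit name)

    def register(self, client_id: str) -> None:
        self.registered.add(client_id)   # a real client would exchange keys here

    def put(self, client_id: str, name: str, secret: bytes, policy: Policy) -> bool:
        if client_id not in self.registered:
            return False
        self.deposits[name] = (secret, policy, self.clock())
        self.audit.append(("put", client_id, name))
        return True

    def approve(self, trustee: str, name: str) -> bool:
        if name not in self.deposits or self.deposits[name][1].trustee != trustee:
            return False            # only the assigned trustee may approve
        self.approved.add(name)
        return True

    def get(self, client_id: str, name: str) -> Tuple[bool, object]:
        secret, policy, created = self.deposits.get(name, (None, None, 0.0))
        if policy is None:
            reason = "no such deposit"
        elif self.clock() - created > policy.ttl_seconds:
            del self.deposits[name]   # expired objects are purged, never served
            reason = "expired"
        elif client_id not in self.registered or client_id not in policy.authorized:
            reason = "not authorized"
        elif policy.trustee and name not in self.approved:
            reason = "trustee approval required"
        else:
            self.approved.discard(name)   # an approval covers one retrieval only
            self.audit.append(("get", client_id, name))
            return True, secret
        self.audit.append(("deny:" + reason, client_id, name))
        return False, reason
```

The audit list is what a defender would feed to monitoring: repeated "deny:" entries for one client or one deposit are the signal that a policy is being probed or that a trustee notification is being bypassed.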

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
