
Universal key management for the cloud

Jun 28, 2012
Cloud Computing, Data Center, Encryption

Data protection processes like encryption and tokenization tend to create a lot of objects like keys and tokens that require their own level of security and protection. As companies migrate to cloud computing, they may suffer from “key sprawl”: having numerous key management solutions and token vaults to administer. Now there’s a new universal key management solution on the market that is purpose-built to secure keys, tokens, certificates, passwords, etc. all in one secure system.

As you move your data and applications into the cloud, you need to protect them using techniques like encryption and tokenization. Depending on how you implement these data obfuscation techniques, you could end up with hundreds or thousands of encryption keys, tokens, security certificates and other operational objects which need security and protection of their own. In short, you need a vault where you can store and manage the encryption keys and other materials and apply policies on who can access them, and when.

When you apply encryption to data that is going into the cloud for storage or processing, your encryption solution will likely have its own key management system to resolve the vault issue. But what if you are using multiple SaaS-based applications, each with its own encryption solution, or you have data spread across multiple clouds? It’s conceivable you could end up with a dozen or more key management systems to store and control all your security objects. As time goes by, it becomes a costly and time consuming process to juggle all these disparate vaults.


Cloud tools vendor Gazzang Inc. recently announced zTrustee, a new universal key management solution to address the issue of “key sprawl.” zTrustee builds on Gazzang’s experience with managing encryption keys in the Gazzang zNcrypt Key Storage System. zTrustee has an open architecture so that it can manage any “opaque object” (a piece of IT DNA that’s needed to run a system or process, such as a key or password) for any client located in the cloud or on your premises.

The zTrustee solution consists of three components:

• The zTrustee server that stores and manages your opaque objects and the policies that control them;

• The zTrustee client which deposits the opaque objects from your applications to the zTrustee server and retrieves them back again from the server to your application; and

• The zTrustee application that allows assigned trustees to allow or deny access to a requested key or other stored object.

At product launch, the zTrustee server is a SaaS solution hosted in Gazzang’s cloud environment. The product roadmap calls for the server to evolve from multi-tenant to single-tenant and then to a private server that you can host in your own data center if you have such a need. The server is built for high availability, strong security and fast performance.

The client can be a process, Web application server, laptop, cryptographic utility or mobile device. The client “registers” with the zTrustee server by exchanging encryption keys and setting up a secure communications channel, and then “activates” to set up its usage license with Gazzang. Once a client has registered and activated, it can “put” secure items on the server and “get” them back. Every “deposit” placed on the server carries policies that determine, for example, which clients are authorized to retrieve it, which trustee must be notified to approve retrieval, how long the object can live on the server, and so on.

The zTrustee application is currently available on Linux and will soon be available for iOS, Android, Windows and Mac OS. The application enables a trustee, which can be either a person or an automated service, to authorize or deny data release upon request. For example, an IT manager might be designated as a trustee for an action whereby the password for a web application server is retrieved from the zTrustee server. When the web app server is rebooted and the admin needs to provide the stored password, zTrustee will email the trustee to ask him to authorize the action of giving out the password to the admin. The trustee doesn’t need to know the password himself, but he can control its retrieval by the admin. It’s possible to designate multiple trustees to authorize an action, so if one person is unavailable, another can complete the task.
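The register/put/get flow and the trustee approval step described above, as an added example that is not Gazzang’s code or API: a small Python model of a policy-gated vault. The client seals each object with a key the server never receives (a stdlib HMAC-based stand-in for an AEAD such as AES-GCM), the server stores only ciphertext plus a policy naming the allowed clients, the trustees and a lifetime, and a “get” is refused, with the trustees notified, until one of them approves. The names VaultServer, Policy, register, put, approve and get, the “webapp-01” client, the trustee names and the sample password are assumptions for illustration; the key exchange at registration is assumed to be a mutually authenticated channel and is not modelled.

```python
"""Policy-gated "opaque object" vault, written as an added example for this
article.  Not Gazzang's zTrustee code or API: the class and method names and
the register/put/approve/get flow are assumptions modelled on the text."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# --- client side: the server never receives this key -----------------------
# Stdlib stand-in for an AEAD (use AES-GCM in real code): HMAC-SHA256 in
# counter mode as the keystream, then a separate HMAC tag (encrypt-then-MAC).
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; only the key holder can unseal it."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("opaque object failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- server side: stores ciphertext and enforces the deposit policy ---------
@dataclass
class Policy:
    allowed_clients: set                         # who may "get" the deposit
    trustees: set = field(default_factory=set)   # any one of these may approve a get
    ttl_seconds: float = float("inf")            # how long the object may live

@dataclass
class Deposit:
    ciphertext: bytes
    policy: Policy
    created: float
    approvals: set = field(default_factory=set)

class VaultServer:
    def __init__(self, clock=time.time):
        self._clients, self._store, self._clock = set(), {}, clock
        self.notifications = []      # stand-in for the e-mail sent to trustees

    def register(self, client):
        """Key exchange and channel setup are assumed (e.g. mutual TLS), not modelled."""
        self._clients.add(client)

    def put(self, client, name, ciphertext, policy):
        if client not in self._clients:
            raise PermissionError(f"{client} is not registered")
        self._store[name] = Deposit(ciphertext, policy, self._clock())

    def approve(self, trustee, name):
        dep = self._store[name]
        if trustee not in dep.policy.trustees:
            raise PermissionError(f"{trustee} is not a trustee for {name}")
        dep.approvals.add(trustee)

    def get(self, client, name):
        dep = self._store[name]
        if self._clock() - dep.created > dep.policy.ttl_seconds:
            del self._store[name]                 # expired objects are purged on access
            raise LookupError(f"{name} has expired")
        if client not in self._clients or client not in dep.policy.allowed_clients:
            raise PermissionError(f"{client} may not retrieve {name}")
        if dep.policy.trustees and not dep.approvals:
            self.notifications.append((name, client, sorted(dep.policy.trustees)))
            raise PermissionError(f"{name} needs approval from a trustee")
        dep.approvals.clear()                     # approval covers one retrieval only
        return dep.ciphertext

def demo() -> bytes:
    """Web-app reboot scenario from the text: deposit, refused get, approval, get."""
    server, app_key = VaultServer(), os.urandom(32)
    server.register("webapp-01")
    server.put("webapp-01", "webapp/db-password",
               seal(app_key, b"correct horse battery staple"),      # constructed sample
               Policy({"webapp-01"}, trustees={"it-manager", "deputy"}, ttl_seconds=3600))
    try:
        server.get("webapp-01", "webapp/db-password")   # first attempt: trustees notified
    except PermissionError:
        pass
    server.approve("deputy", "webapp/db-password")     # either trustee may approve
    return unseal(app_key, server.get("webapp-01", "webapp/db-password"))
```

Running demo() walks through the reboot scenario: the first get is refused and a notification naming both trustees is queued, one approval releases the ciphertext, and only the client holding app_key can unseal it, so neither the server operator nor a trustee ever sees the password. Approvals are cleared after a successful get, so each retrieval needs a fresh one, and an object past its lifetime is purged rather than returned.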

This solution isn’t made to store your data files, but rather the keys or other attributes that protect your data files. This includes encryption keys, tokens (if you tokenize your data), passphrases and passcodes, SSL certificates, configuration files, access control files and the like. By bringing them all into one secure server, you can create one common set of policies to govern the use of all the stored objects. Designating one or more trustees adds a further control: an approval step by a person or service that is separate from the requesting client’s own credentials.

With zTrustee, keys, certificates, tokens and other important pieces of IT DNA are controlled and managed by the organization that owns the data, not by a cloud or SaaS provider. The cloud or hosting provider can’t see them, nor can Gazzang. (This is where the nickname “opaque object” comes from.) Your database administrator or root user never sees the contents of the stored objects either; only the client that put an object in the secure server can read it back. That property depends on the object being encrypted on the client before it is deposited, with the key staying with the client rather than the server. This adds yet another layer of protection, and it’s a feature that organizations that store sensitive data in the cloud can really appreciate. It also directly addresses the question of who owns and has access to company and customer data in the cloud.

Consolidating all your encryption key storage facilities into zTrustee creates cost and operational efficiencies: just one product to license, learn and administer. It also helps to meet external and internal compliance requirements of ensuring that unauthorized people and processes — including the cloud providers — don’t have access to your encryption keys.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

