listen to this article:
Coupled with the many advantages brought by cloud computing and the growth in digital content, virtualization is critical to any enterprise that is looking to reduce fragmentation and allows IT Managers and CISOs to employ techniques that will ensure policy enablement and the protection of their most sensitive data.
Just like virtualizing IT Infrastructures enable cloud computing, moving away from hardware-based, legacy cryptographic systems by virtualizing cryptography can bypass the systems’ vulnerabilities to ensure organizations stay safe from breaches and successfully pass compliance audits.
Virtualization. What Do We Mean?
Simply stated, virtualization is the separation between physical machines and the software running on them. Classically, software is compiled for a specific operating system and installed on a specific machine.
Virtualization provides software simulation of hardware environments so that “any” software can run in “any” environment. For example, software that is designed for one operating system can be run on a machine running a completely different operating system.
Furthermore, virtual machines are not bound to any specific physical machine and so can be easily replicated and moved, they can be halted and started, snapshots can be taken at any time and the machine rewound to a desired snapshot, and more.
Virtualization can also provide much better economies of scale, since many virtual machines can utilize a single physical machine. The benefits of virtualization are well known, and almost everything is virtualized in enterprises today.
Virtualization is also what has empowered cloud computing, since the cloud economy is based on the ability to share remote resources between multiple customers.
The Current State of Cryptographic Infrastructure
In contrast to the vast majority of IT infrastructure today, cryptographic infrastructure is not virtualized.
Cryptographic keys are stored (for management and protection against theft) in Hardware Security Modules (HSMs), cloud vaults and Key Management Systems (KMSs), and more. The interface to each of these “key stores” are mostly different, and both management and cryptographic key use are tightly bound to the store itself.
This means that an application written for one type of HSM may not work with a cloud KMS or vault, and may not even work with a different HSM from a different vendor.
Furthermore, administrators need to work with different management consoles providing different capabilities for setting security policies, gathering audit logs and more. This means that applications and management functionality is strongly bound to the specific key store (HSM, KMS, vault, etc.) being used. This is analogous to software being bound to a specific machine and specific operating system, and the drawbacks are very much the same.
Applications written for one environment need to be modified (sometimes significantly) for different environments, cryptographic keys in one environment cannot be synchronized or backed up together with keys in another environment, and management operations need to be run separately and repeatedly for each environment (resulting in a time consuming and error-prone process).
In the same way that computing infrastructure is virtualized, it is time to virtualize cryptographic infrastructure as well.
What Constitutes A Virtualized Cryptographic Infrastructure?
A virtualized cryptographic infrastructure is comprised of two main components:
- A virtual HSM: this component provides the same standard cryptographic interfaces for consuming cryptography, irrespective of where the cryptographic key actually resides. This means that applications can use libraries like PKCS11, JCA, CNG, OpenSSL and KMIP, as well as a modern REST API, and the virtual HSM directs the cryptographic request to the appropriate key store where the operation is carried out, completely transparently to the application.
- A virtual management layer: this component provides a single management layer (console and CLI) for every key store. Instead of administrators working with distinct management consoles, administrative tasks can be carried out uniformly across the enterprise, independently of which key stores are being used, and whether the cryptographic keys are in on-prem HSMs, cloud HSMs or cloud KMSs, or any other key store.
A virtual cryptographic layer as above separates the physical cryptographic infrastructure from the functionality it provides. As such, it virtualizes cryptography.
The Benefits of Virtualized Cryptography
The benefits of virtualized cryptography are numerous, and often similar to the benefits of virtualizing general IT infrastructure.
Faster Provisioning of Applications
When using cryptographic virtualization, applications are no longer dependent on or tied to the specific key store being used (in the same way that software is no longer dependent on specific hardware or a specific OS). As a result, an application that consumes cryptography does not need to be changed when the key store is changed, or when it is moved to a different environment (e.g., when moving an on-prem application utilizing a physical HSM to the cloud where it utilizes a cloud KMS). In order for this to work, the virtualization layer also needs to enable clients to authenticate in a unified way for all key stores.
Virtualized management also enables administrators to learn and use just one system, to authenticate using only their enterprise credentials, and to provide unified control over all of their diverse cryptographic systems.
Enforced Company-Wide Policies and Management
With a unified management layer it is possible, for the first time, to set company-wide policies about allowed algorithms and key lengths, when keys need to be rotated, who can use them and when, and more, from a single place. Such a virtualized layer also provides the ability to carry out backup, synchronization and automatic key rotation (where it is supported).
Although already a major step forward, the benefits of virtualized cryptography go far beyond the above.
Simplified Auditing and Greater Visibility
Instead of needing to collate multiple diverse and incompatible audit logs, a unified virtualization layer can provide a single audit log for all operations in all key stores. This provides greater visibility, improving the ability to detect of anomalous behavior, as well as making it much easier to carry out forensics in the case of a security incident.
Cloud Agnostic and Seamless Migration
Today’s cryptographic infrastructure is greatly fragmented, and is becoming more so as organizations adopt hybrid and multi-cloud strategies. Cryptographic virtualization enables organizations to be more agnostic to the specific environment that applications run, and removes barriers to cloud migration.
In summary, by utilizing a single virtualization layer over multiple key stores, organizations can reap the benefits of diversity without paying the price of fragmentation.
Achieving Full Cryptographic Virtualization
Full virtualization includes the ability to scale automatically, to provide built-in high availability and disaster recovery, and supports cloud economy. Such features are incompatible with hardware anchors, and so software key stores are needed to augment existing hardware infrastructure. One of the challenges with such a key store is security. Advanced technology like MPC (secure multiparty technology) enables cryptographic keys to be split and never combined so that high security can be achieved.
The Bottom Line
It is time for cryptographic infrastructure to catch up with general IT infrastructure and to move away from legacy siloed solutions that bind applications to specific key stores and environments. A virtualized cryptography layer that includes both a virtual HSM and a virtualized key management layer enables cryptographic keys to be used and managed in a uniform way, independent of where they physically reside.