Category Archives: Security

Enterprise Key Management for Cloud

EKMI is dead, long live EKMI. It was more than two years ago that I reached a proud milestone as a member of the open-source key management group for Oasis EKMI (Enterprise Key Management Infrastructure) — we released the SKSML (Symmetric Key Services Markup Language) in January 2009.

It was a culmination of projects I had been working on for years with StrongAuth to provide an easy and inexpensive encryption solution for the Payment Card Industry (PCI). SKSML did not get a warm welcome from some big name vendors but it did generate some industry attention.

Encryption represents a final level of protection. Even if data is lost or stolen, it’s of no value to the holder without the decryption key. EKMI is a valuable component in the operational and management aspects of encryption, and organizations with complex encryption requirements ought to start putting pressure on their application and security vendors to support the initiative.

The SKSML protocol had been available since 2006. Yet just a couple of months after the OASIS specification was final and public, we watched vendors step forward to form a separate and competing committee at OASIS: KMIP (Key Management Interoperability Protocol).

It was weird to see a competitive standard formed from within OASIS instead of from a competing organization (e.g. the IEEE P1619.3 or DSKPP from KEYPROV/IETF) as illustrated by ISACA in 2009.

On the other hand, we were pushing an open standard that emphasized ease of deployment and configuration. These concepts may have challenged the philosophy of some vendors to the point where they felt compelled to try to reboot the OASIS committee. The chair of EKMI stepped down rather than fight on all fronts.

Our goal was to push forward an enterprise key management protocol into the industry. To that end it was a success, even if our open and easy philosophy to key management was not adopted.

Today I was asked whether I had heard of KMIP and whether it is a good idea. Not only do I think it is a great idea to have key management, I think we’re long overdue for a practical implementation in a multi-tenant environment (whitepaper forthcoming).

Cloud providers I’m working with need a solution that allows them to provide self-managed encryption to their customers. EKMI was definitely up to the job. In 2009 single-tenant storage encryption was said by some to be the real game in town, which EKMI saw as a subset of enterprise encryption (end-to-end and file-level encryption was also offered) rather than the entire focus. KMIP is an option and it seems now to be getting some attention but its more closed approach as well as limitations with multi-tenancy may resurrect interest in the original aims of EKMI.

Counterfeit Bills in Canada

The Ottawa Citizen has an interesting review of currency changes to outsmart counterfeiters. It touches on how security researchers use everything from chemistry to social science to develop controls.

Counterfeits in Canada peaked in 2004, when an estimated 470 out of every million bills were forgeries. The introduction of watermarks and holograms to the “Journey” series of bills that were issued from 2001 to 2004 saw that number plummet. It now sits at only 35 fraudulent bills per million.

In efforts to keep that number low, Firth works with everyone from banknote suppliers and printers to the RCMP and university professors, the latter helping determine the psychology of how people use money, which in turn can help the bank make spotting counterfeits more intuitive for the public. Security features that are fussy, difficult to use or require special equipment, she says, simply aren’t as effective.

Here are instructions from the bank for checking the new notes:

Canadian 100

Each time the technology is defeated, it has to be circulated out of use and replaced with the next evolution. Canadian bills now will be migrated from cotton-based paper to a polymer. With that in mind, the new bills are expected to be in circulation for more than twice as long.

Each of the 840 million $20 bills (“the most popular denomination”) now in circulation is expected to last three years. The polymer $20s will last seven and a half.

Either they have far more trust in the new technology, or they don’t mind removing bills from circulation before they expire…or counterfeiting is not the only motivation to move away from paper.

CloudFlare Ethics and LulzSec

The CEO & co-founder of CloudFlare, a self-described “recovering lawyer”, explains his company’s position on LulzSec:

Two broad points that I’ve drawn from the experience of watching this unfold over the last three weeks. First, CloudFlare is firm in our belief that our role is not that of Internet censor. There are tens of thousands of websites currently using CloudFlare’s network. Some of them contain information I find troubling. Such is the nature of a free and open network and, as an organization that aims to make the whole Internet faster and safer, such inherently will be our ongoing struggle. While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published. That is a slippery slope down which we will not tread.

Second, the experience of being attacked by some of the Internet’s most notorious hackers has validated CloudFlare’s core value proposition: if you can share data about attacks across a network, rather than keeping it siloed within each organization, everyone using that network can benefit. As hackers tried to take down LulzSec, CloudFlare recorded all the patterns of the attacks. In the last 3 weeks, we’ve generated more than 1 million new rules to better mitigate threats targeted at our users. Those rules were propagated in realtime to benefit the whole CloudFlare community.

In other words they don’t censor without being forced by law to censor (standard provider legal response) and they don’t mind the cost of developing millions of rules just for the Lulz.

Cloud Providers Spooked by Shared Space

Cloud providers like to boast about the safety and security of co-tenancy. Of course they would, it’s their business model, right? Virtustream (not to be confused with Virustream) says you will have “7x24x365 peace of mind” despite being in a shared space.

We draw from an extensive body of best practices to keep your cloud environment secure

That old “best practices” line is dangerous. No auditor worth his/her weight in RAM would ever be satisfied to hear those two words. Best for whom? Documented where? It means nothing on its own. Perhaps they could get away with stating that they are aligning with one or two or even a few best practices but “an extensive body” of cloud security practices? Show me this body. Where are they hiding it? A link, a contact, anything will do…

The following is one of the only clues they give their reader. Shared space is too dangerous to use:

Virtustream owns and maintains its own data centers, eliminating any concerns regarding others gaining physical access to the cloud platform you’re running on. The result: 7x24x365 peace of mind.

I find that an ironic marketing claim given their other statements about shared space.

In the physical world, where there is a huge body of knowledge approaching best practices for data centers, they do not want to share or use a co-tenancy model. Yet, in the logical world where there is still a lot of debate about what to do and how to do it…they stuff you in with everyone else.

Does the irony eliminate your concerns?

I wonder if they really believe that their datacenter is more secure than co-tenant datacenters. Let’s turn things around for a minute: a co-tenant datacenter has numerous clients frequently sending in different auditors. In theory a customer could actually end up with a higher level of security than in a single-tenant datacenter that gets only a single audit on an infrequent basis. The cloud advocate could argue that increasing the number of tenants increases the bar for security because the number of security assessments goes up, which forces a higher baseline.

This is not just speculation. I often find datacenters upgrading security controls because a new tenant has moved in that demands a higher level of security than my clients would need. Armed guards, for example, are not a requirement for PCI, but if someone from the DoD wants a rack…

If I give Virtustream the benefit of the doubt, they probably meant to say that they can maintain a far higher level of security in a logical environment because the operational impact to them is lower than if they try to reach the same level of safety in a physical domain (e.g. they can handle segmentation with virtual systems at a nominal cost compared to the cages, cameras and doors required for physical security).

But right now their page says to me that cloud providers will come right out and admit they are spooked about shared space so they don’t use it, but they want you to feel comfortable because of “best practices” for shared space.