Imagine a number of educated fellows having a very calm conversation about identity and access management, are carried out.and security in a living room full of beautiful ceramic vases and several precious pieces of modern art. Now, imagine having the same type of conversation with a gigantic elephant in the middle of the room, terrified that it is stuck inside a small space and ready to ravage it at any second. This second scenario describes exactly how most conversations about security, particularly
Ladies and gentlemen, there is an elephant in this room and no one is addressing it. Just when someone reassures you that everything is safe, the truth is that your security was flawed the moment you stored your credentials on a website. Today, we address this elephant.
Identifying The Problem
The “elephant in the room” is the pervasive practice of keeping encryption keys server-side that most cloud providers employ. Instead of giving you absolute control over your data, they remain with a piece of it. In identity management, this is a dangerous predicament, since the provider is storing your credentials — your identity — on its own premises. If it were to be compromised, and the key that encrypts this data were somehow discovered, this would mean that every account you have is now in the mercy of a nefarious entity.
When you lose control of your key, you effectively give away your identity in exchange for the hope that the provider is prudent enough to effectively manage what it’s storing. For this, you must be able to trust your IDM provider. But what if you didn’t have to rely on the word of a company? What if there was a way that you could still retain cohesive and holistic control over your identity even if it’s stored elsewhere?
Currently, putting your identity in another’s hands is a very risky endeavour, one that could cost you the integrity of your business. At some point, someone will discover a way to circumvent the provider’s security measures and capture whatever is necessary to decrypt your information. When this happens, only chaos can result from such a cataclysm.
In the end, it doesn’t really matter how many safeguards are placed in front of your data. If those safeguards aren’t controlled by the user (i.e. you), then the user has no way of knowing for sure how safe their data is. The problem is that most users are sufficiently content with having someone else hold all of their keys. It is precisely this kind of complacency that has led to many compromises that we read about on IT news websites. Some of these breaches are even reaching mainstream media outlets such as MSNBC. When it comes to IDM, no one should have a complacent attitude towards security. Your organization’s integrity, your personal dignity and the identities of all of your staff are at stake in this endeavour. You can’t just say, “Yes, please. Give me one of those!”
Instead of relying on someone else to encrypt and decrypt your information for you, perhaps it’s time to rely on yourself.
This is essentially our core philosophy. You create your own key, and encrypt/decrypt your credentials on your own system. The encrypted gibberish that represents your information will be stored on our servers, but it’s up to you to remember your own key. This approach entitles you with the same control over your credentials as if you had stored them in your own devices. The only difference is in the software we provide for you to manage the credentials and control their access within your infrastructure. This leaves you with a more highly-secure store of all your identities.
What Does It All Add Up To?
In short, key management is a principal topic we don’t seem to be addressing sufficiently. Unless we’re ready to have a serious conversation with customers regarding how keys are stored and how they are managed, any other conversation about security is simply null and void. Our encryption algorithms are where all of the magic behind our security happens.
PerfectCloud’s key management allows users to create their own keys, which will not be stored anywhere on its servers. Simply put, users will have holistic control over their identities just as they would if they were running an in-house IDM platform.
Mayukh Gon, Founder & CEO, PerfectCloud Corp. Toronto, Canada