Infrastructure Services are definitely undergoing a major transformation. How does one navigate the web of emerging technology trends and stay ahead of the game? Read on to learn more on our Infra Matters blog.


March 30, 2010

ITSM – Thou shall be omnipresent!

In my last blog, I gave a primer on what cryptography is and promised an insight into how ITSM can join hands with cryptography. Delivering on that promise, let’s go ahead and see how this can be accomplished.

The climax of the last blog was the assurance that ITSM will cater to requirements of managing cryptographic keys. So let’s look at one of the ways (definitely one that worked) to do this.

Philosophers and physicists usually look at any matter as abstract beings or as packets of energy respectively. As process consultants, we can’t help but look at anything that can be itemized as a potential Configuration Item (CI)! So in this quest for CIs, we saw encryption keys as potential assets and the managing of these encryption keys as services. This is where we brought about a marriage of ITSM with Cryptography. This is where the plot thickens, eh?

Simply put, we helped the client bring all cryptographic operations together and to be perceived as a service offered by one centralized team to the entire Organization! An experienced eye of an IT consultant will start wondering about the scale of re-org and responsibilities-sharing that would be required here. But then, nothing is impossible and it is said that you can move mountains if you move it one rock at a time. This was exactly the approach that we used. We helped the client with analyzing the existing process, engaging with numerous stakeholders within the Organization and reading the pulse of each stakeholder in terms of what positives and negatives they see in the present and proposed structure.

This was a very important step as it not only gave us a better understanding of client requirements, but also helped us in pushing this knowledge into the stakeholders that they can expect a new process. Change, as we all know, takes some time getting accustomed to. So we were able to feed these tidbits so that the stakeholders would be prepared for a change.

Since cryptography was provided as a service to the entire organization by one single team, what better way to manage it other than ITSM? ITSM concepts have such a broad acceptance as well as developments that there are standards (ISO), best practices (ITIL) and Frameworks (COBIT) available to help us create the best possible process for IT Service Management. In fact, it was an eye-opener for most of us as we could not only find inroads for ITSM within concepts like Cryptography, but were also able to deliver excellent consulting engagements which helped in developing an excellent process for operations.

In the banking world, the lion’s share of the cake called Cryptography consists of Key Management. These encryption keys guard the information that is being sent from one point to another. But with the mass of information that is transmitted you can only imagine the number of keys that we are talking about. At home, I have a key stand which can hold up to 8 bunches of keys and still I keep fumbling for them when I need them! :) Well, here the numbers run in the range of more than 50,000! We studied the Key Management process and created an updated process which had a symbiosis of ITSM processes and Cryptographic processes.

Once this foundation was established, we proceeded to build the house made of ITSM cards by evolving a complete Service Management Framework. This included various facets of ITSM such as Request Management (when encryption keys are requested), Incident Management, Problem Management and Change Management, Access Management (to keep track of all access to encrypted facilities), Asset Management (remember, all keys are assets now!), etc., just to name a few.

So you can only imagine the might of these ITSM practices which could accommodate all these aspects into Cryptographic operations, provide a dependable service which was also scalable, standardized and easier to track, record and report. I had once written in an earlier blog about how we do have ITIL in our lives. Coupled with this latest experience, I can only say – Do not underestimate ITSM! It is soon becoming omnipresent in the IT world.

March 29, 2010

Cryptography can be ‘ITSMized’

I just finished working on an engagement which involved ITSM consulting. We work on so many projects which involve ITSM consulting every day. So what is so special about this one? – Well, this one was in a completely new field (for ITSM) called Cryptography. Rarely do we find ITSM being applied to cryptography. But after having worked on this one, I would vouch for the fact that cryptography and ITSM do go hand in hand.

Cryptography can be explained, very informally, as all the technologies that we use to keep our communication confidential. But in actuality, there is a lot more to Cryptography than meets the eye at first glance. Now, confidentiality is a domestic animal for two fields/industries, viz. Defence and Banking. It is in these two sectors of the industry that you will find the need for confidentiality and secrecy to be the maximum (other than when your CEO sends a memo to your boss!)

Defence, being defence, let’s not talk about it! :) So in banking, how do cryptography and, more importantly, technology help confidentiality? In today’s world, confidentiality is not just about getting a message across from A to B with no one knowing about it. It could mean multiple aspects: A should be sure that only B gets it, while B should be sure that it is actually A and not AA who has sent it. And with the kind of peeping eyes that technology offers nowadays, when A communicates with B, some C sitting somewhere will be monitoring it. So technology should satisfy all these aspects when A decides to communicate with B. And this gets more complex when B decides to respond to A!

Yes, we know that cryptography helps address all these concerns that A and B have. A quick discussion about how this is done is in order. A majority of these things are accomplished by the usage of encryption keys. Let us see how these encryption keys work in the upkeep of the confidentiality.

A has some news on a piece of paper, which he puts into a box and locks with his key A1. He then sends it to B with the confidence that nobody can open that box. Then he makes arrangements for his key A1 to be sent secretly to B so that B can open the box and read the information. One would say – an ancient approach towards secrecy! But then there is always this inherent danger that the messenger who is carrying A1 to B might get waylaid by the Huns while trying to cross Kabul. So this necessity gave birth to an invention – Public Key Cryptography.

So what do A and B do now? A creates a pair of keys A21 and A22. He keeps A21 in his storage cabinet at home and stores A22 in a public library (let’s say the UN which has amicable relations with everyone!). B, on his part, also does the same thing and generates B21 and B22. Now A locks the box with B22 which is available in the public library and sends the box to B. When B receives the box, he uses B21 to unlock the box and reads the information. Now, in this method, even if the messenger is waylaid, the Huns can try their best but still cannot unlock the box as only B21 can unlock it.

This story of keeping A and B happy and the Huns at bay is the crux of Cryptography.

This method of having one of the keys available publicly and the other private forms a part of what is known as PKI (Public Key Infrastructure).

A typical Organization will have at least thousands of keys, which then brings in many problems, such as:

· Who has an encryption key pair and who doesn’t in my Organization?
· How many encryption key pair requests are genuine?
· How many of the encryption keys that have been generated are actually being put into use?
· And one of the biggest questions (call it ‘the’ question) – Where is this particular key pair x and y now?

So it would seem that as the Organization gets bigger and bigger, it is better to manage these keys centrally. A centralized Key Management solution will be in a position to provide answers to these questions that were posed above. In my next blog, we will see how this was accomplished (successfully!)
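The four questions above, answered from a central key inventory in which every key pair is a Configuration Item linked to its request ticket. This is an added example, not part of the original blog or the engagement it describes; the record fields, ticket ids, locations and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class KeyCI:                     # one key pair tracked as a Configuration Item
    key_id: str
    owner: str
    request_id: str              # Request Management ticket that asked for it
    location: str                # where the private half is held
    last_used: Optional[date]    # None = generated but never put into use

# Constructed sample data: approved request tickets, staff, key inventory.
APPROVED_REQUESTS = {"REQ-1", "REQ-2"}
STAFF = {"alice", "bob", "carol", "dave"}
INVENTORY = [
    KeyCI("K-001", "alice", "REQ-1", "hsm-a/slot-3", date(2010, 3, 20)),
    KeyCI("K-002", "bob", "REQ-2", "hsm-b/slot-7", None),
    KeyCI("K-003", "carol", "REQ-9", "unknown", date(2009, 1, 5)),
]

def without_key_pair(staff, inventory):
    """Question 1: who does not hold a key pair?"""
    return sorted(staff - {k.owner for k in inventory})

def not_backed_by_approved_request(inventory, approved):
    """Question 2: keys whose request ticket was never approved."""
    return [k.key_id for k in inventory if k.request_id not in approved]

def not_in_use(inventory, today, max_idle_days=90):
    """Question 3: keys never used, or idle longer than max_idle_days."""
    return [k.key_id for k in inventory
            if k.last_used is None
            or (today - k.last_used).days > max_idle_days]

def locate(inventory, key_id):
    """'The' question: where is this key pair now? None if untracked."""
    return next((k.location for k in inventory if k.key_id == key_id), None)

if __name__ == "__main__":
    today = date(2010, 3, 30)
    print("no key pair:", without_key_pair(STAFF, INVENTORY))
    print("unapproved: ", not_backed_by_approved_request(INVENTORY, APPROVED_REQUESTS))
    print("not in use: ", not_in_use(INVENTORY, today))
    print("K-001 is at:", locate(INVENTORY, "K-001"))
```

A key such as K-003, which has no approved request, a stale last-use date and an unknown location, is the kind of record that Incident and Asset Management would pick up for follow-up.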