Cryptography can be ‘ITSMized’
I just finished working on an engagement which involved ITSM consulting. We work on so many projects which involve ITSM consulting every day. So what is so special about this one? – Well, this one was in a completely new field (for ITSM) called Cryptography. Rarely do we find ITSM being applied to cryptography. But after having worked on this one, I would vouch for the fact that cryptography and ITSM do go hand in hand.
Cryptography can be explained, very informally, as all the technologies we use to keep our communication confidential. But in reality, cryptography has a lot more to it than meets the eye at first glance. Now, confidentiality is a domestic animal in two fields/industries, viz. Defence and Banking. It is in these two sectors that you will find the need for confidentiality and secrecy to be greatest (other than when your CEO sends a memo to your boss!)
Defence, being defence, let’s not talk about it! So in banking, how do cryptography and, more importantly, technology help confidentiality? In today’s world, confidentiality is not just about getting a message across from A to B with no one knowing about it. It covers multiple aspects: A should be sure that only B gets it, while B should be sure that it is actually A, and not an impostor AA, who has sent it. And with the kind of peeping eyes that technology offers nowadays, when A communicates with B, some C sitting somewhere will be monitoring it. So technology should satisfy all these aspects when A decides to communicate with B. And this gets more complex when B decides to respond to A!
Yes, we know that cryptography helps address all these concerns that A and B have. A quick discussion of how this is done is in order. Most of it is accomplished through the use of encryption keys. Let us see how these encryption keys work to keep communication confidential.
A has some news on a piece of paper, which he puts into a box and locks with his key A11. He then sends it to B with the confidence that nobody can open that box. Then he makes arrangements to secretly get his key A11 sent to B so that B can open the box and read the information. One would say – an ancient approach to secrecy! But there is always the inherent danger that the messenger carrying A11 to B might get waylaid by the Huns while trying to cross Kabul. This necessity gave birth to an invention – Public Key Cryptography.
So what do A and B do now? A creates a pair of keys A21 and A22. He keeps A21 in his storage cabinet at home and stores A22 in a public library (let’s say the UN, which has amicable relations with everyone!). B, on his part, does the same thing and generates B21 and B22. Now A locks the box with B22, which is available in the public library, and sends the box to B. When B receives the box, he uses B21 to unlock it and reads the information. Now, in this method, even if the messenger is waylaid, the Huns can try their best but still cannot unlock the box, as only B21 can unlock it.
This story of keeping A and B happy and the Huns at bay is the crux of Cryptography.
This method of having one of the keys available publicly and the other private forms a part of what is known as PKI (Public Key Infrastructure).
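The box-and-keys story above, together with the earlier point that B must be able to tell A from an impostor AA, worked through as an added example in Python (not code from the original post). It uses textbook RSA from the standard library with constructed toy primes; the key names follow the story (A21/A22 are A's private/public keys, B21/B22 are B's).

```python
import hashlib
from math import gcd

# Constructed toy primes (Mersenne primes): the moduli are only 92 and 150 bits,
# small enough to follow by hand and far too small for real use (>= 2048 bits).
A_PRIMES = (2**31 - 1, 2**61 - 1)
B_PRIMES = (2**61 - 1, 2**89 - 1)

def make_keypair(primes, e=65537):
    """Textbook RSA: return (public, private) as (n, e) and (n, d)."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent = modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def lock_box(message: bytes, public_key) -> int:
    """A locks the box with B's public key (B22); only B's private key opens it."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def open_box(ciphertext: int, private_key) -> bytes:
    """B opens the box with his private key (B21); any other key yields garbage."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")  # toy: drops leading NULs

def _digest(message: bytes, n: int) -> int:
    # Hash reduced mod n so it fits the toy modulus; real RSA uses PSS/PKCS#1 padding
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """A signs with his own private key (A21) so B can tell A from an impostor AA."""
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding A's public key (A22) can check the signature on the message."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)
```

Locking with B22 gives confidentiality (the Huns, holding only public keys, cannot open the box); signing with A21 gives B proof that the sender was A and not AA.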
A typical Organization will have at least thousands of keys, which then brings in many problems, such as:
· Who has an encryption key pair and who doesn’t in my Organization?
· How many encryption key pair requests are genuine?
· How many of the encryption keys that have been generated are actually being put into use?
· And one of the biggest questions (call it ‘the’ question) – Where is this particular key pair x and y now?
So it would seem that as the Organization gets bigger and bigger, it is better to manage these keys centrally. A centralized Key Management solution will be in a position to provide answers to these questions that were posed above. In my next blog, we will see how this was accomplished (successfully!)