There is an ever-increasing trend to virtualise IT services, and we see this in nearly every facet of IT, from data centre provisioning to fine-grained identity management.
Virtualisation allows you to rationalise and optimise services in a cost-effective manner, and its benefits are largely undisputed.
Virtualising security services, however, is intuitively contradictory because it threatens to extend the boundaries of what needs to be secured.
How can you securely virtualise services when the act of virtualisation itself means that you are extending security processing boundaries and fragmenting cryptographic keys and algorithms?
Virtualising security services has traditionally been anathema and goes against classical security education and training.
In particular, it is counter-intuitive in the context of cryptography, where typically there has been a push to consolidate and harden services, most notably with Hardware Security Modules and Certificate Authorities.
However, there is increasing pressure to make cryptographic services more effective and manageable. As you increase the number of items being managed, such as devices or keys, scaling becomes more difficult, and the effort can quickly become non-linear.
In fact, having static security devices next to a group of dynamic virtual servers can “bottleneck” some of the benefits of virtualisation. When this happens, an organisation either increases the amount of resources devoted to this activity or reduces the level of management afforded to all items under that administration, weakening its overall security posture.
There is a strong business case for helping large users of cryptography such as banks or mobile operators become more efficient with how they perform cryptographic key management.
In large global organisations there is also a strong need to have the right services at the right place, which further strengthens the case for virtualisation.
The most promising approach to virtualising security while maintaining the cost-benefits of virtualisation is open Application Programming Interfaces (APIs) as well as device and application interoperability.
However, this poses a significant challenge for many vendors in the industry. Make devices interoperable and they can be quickly and easily swapped out for another vendor's products, a luxury that large procurers of these types of products and services do not have at present.
In order to achieve proper virtualisation, interoperability and open standards are fundamental requirements.
Large organisations are under increased pressure to reduce costs whilst effectively managing their risks.
As IT footprints get larger, a primary way to achieve this effectively is through the virtualisation of cryptographic services.
Large corporate users of cryptographic services are already putting pressure on vendors to produce products which are open standards-based and can be more efficiently managed along with other vendors' devices and applications. The threat is out there.
The next logical step will be to look at cryptography as a service, which can be virtually delivered.
This is the evolutionary trend of cryptographic services, which will inevitably push systems, devices, applications, cryptographic key material and the data it protects further into the cloud.