Why Banks Must Look Beyond Today’s Crypto Key Management Standards

Stefan Hansen, Marketing Manager, Cryptomathic.

Banking operations are diversifying, fast. Outsourcers control more of many big banks’ core and non-core operations than ever before. The age of mobility has dawned and vastly increased both the number and the kind of devices that are interfacing with banks’ core systems. Widespread adoption of cloud computing across the sector has triggered vast quantities of previously centralized data to be migrated to a remote environment. Put another way, the technological underpinnings of a bank are becoming ever-more disparate, with new links in and out of their infrastructure being established every day. This ‘mass-diversification’ is enabling banks to conduct business faster and with greater efficiency than ever before. The cost, however, comes in terms of security and interoperability.

Cryptography plays a fundamental role in protecting sensitive data, but the variety of proprietary systems and protocols available has added to ‘the complexity challenge’ that banks face when deploying and managing this essential layer of security. The wide-ranging adoption of ‘crypto’ among banks has partly been enabled by the establishment of industry standards, most notably the Key Management Interoperability Protocol (KMIP), which has promoted the standardization of integration protocols for key management systems.

In these changing times, however, if banks want to continue to establish seamless interoperability and realize the operational fluidity promised by their newly diversified infrastructures, they must look beyond KMIP.

The KMIP standard has, fundamentally, been a great force for good in the banking world. Nonetheless, the standard only addresses specific areas or ‘interoperability protocols’ for key management. In other words, it has created a standard integration environment in which keys can be managed. Unfortunately, this is only one small piece in the overall puzzle of crypto management. Banks now need help to securely and efficiently manage the vast number of keys in their distributed environments. They also need help with how the keys can be used to deliver cryptography.

As banks’ systems have diversified, cryptography too has evolved, from a centralised ‘mainframe’ model to a series of distributed stand-alone systems with network-based ‘Hardware Security Modules’ (HSMs). This fragmentation is resulting in banks’ cryptography becoming application-specific or siloed, making it inflexible and difficult to manage, update and audit.  It also leads to important cryptographic decisions, such as algorithm choices, key sizes or key usage, being enforced only on a per-project basis. Such idiosyncrasies then generate bespoke operational and procedural training requirements which, as the bank disappears further down the rabbit hole, lead to spiralling costs and protracted development times.

Fortunately, help is at hand. Advanced cryptography management platforms are emerging from vendors like Cryptomathic, which enable banks to centralise the management of disparate applications protected with cryptography via a single control system, eliminating past-fragmentation, vastly reducing administration and immediately halting the cost spiral that currently threatens the operations of so many large banks.

In one project alone, Cryptomathic has enabled a major high-street bank to deliver a critical application into production in just weeks rather than the anticipated six months, and mitigated the significant cost of HSM hardware by utilising existing capacity from within the business, as identified via its Crypto Service Gateway (CSG) platform.

As banks continue to adopt new technologies, to support both their internal operations and new digital services, their management requirements for cryptography are only going to intensify. Industry standards like KMIP have brought them this far, but banks are now stepping into a different league; their need for centralised control, system-wide visibility, auditability, cost control, resource management and policy consistency is taking them to places where only cryptography specialists can provide appropriate levels of support. To this end, cryptography-as-a-service is now a fast-emerging fintech trend, and one that that, for many banks, can’t be established quickly enough.

Stefan Hansen, Marketing Manager, Cryptomathic.

Banking operations are diversifying, fast. Outsourcers control more of many big banks’ core and non-core operations than ever before. The age of mobility has dawned and vastly increased both the number and the kind of devices that are interfacing with banks’ core systems. Widespread adoption of cloud computing across the sector has triggered vast quantities of previously centralized data to be migrated to a remote environment. Put another way, the technological underpinnings of a bank are becoming ever-more disparate, with new links in and out of their infrastructure being established every day. This ‘mass-diversification’ is enabling banks to conduct business faster and with greater efficiency than ever before. The cost, however, comes in terms of security and interoperability.

Cryptography plays a fundamental role in protecting sensitive data, but the variety of proprietary systems and protocols available has added to ‘the complexity challenge’ that banks face when deploying and managing this essential layer of security. The wide-ranging adoption of ‘crypto’ among banks has partly been enabled by the establishment of industry standards, most notably the Key Management Interoperability Protocol (KMIP), which has promoted the standardization of integration protocols for key management systems.

In these changing times, however, if banks want to continue to establish seamless interoperability and realize the operational fluidity promised by their newly diversified infrastructures, they must look beyond KMIP.

The KMIP standard has, fundamentally, been a great force for good in the banking world. Nonetheless, the standard only addresses specific areas or ‘interoperability protocols’ for key management. In other words, it has created a standard integration environment in which keys can be managed. Unfortunately, this is only one small piece in the overall puzzle of crypto management. Banks now need help to securely and efficiently manage the vast number of keys in their distributed environments. They also need help with how the keys can be used to deliver cryptography.

As banks’ systems have diversified, cryptography too has evolved, from a centralised ‘mainframe’ model to a series of distributed stand-alone systems with network-based ‘Hardware Security Modules’ (HSMs). This fragmentation is resulting in banks’ cryptography becoming application-specific or siloed, making it inflexible and difficult to manage, update and audit.  It also leads to important cryptographic decisions, such as algorithm choices, key sizes or key usage, being enforced only on a per-project basis. Such idiosyncrasies then generate bespoke operational and procedural training requirements which, as the bank disappears further down the rabbit hole, lead to spiralling costs and protracted development times.

Fortunately, help is at hand. Advanced cryptography management platforms are emerging from vendors like Cryptomathic, which enable banks to centralise the management of disparate applications protected with cryptography via a single control system, eliminating past-fragmentation, vastly reducing administration and immediately halting the cost spiral that currently threatens the operations of so many large banks.

In one project alone, Cryptomathic has enabled a major high-street bank to deliver a critical application into production in just weeks rather than the anticipated six months, and mitigated the significant cost of HSM hardware by utilising existing capacity from within the business, as identified via its Crypto Service Gateway (CSG) platform.

As banks continue to adopt new technologies, to support both their internal operations and new digital services, their management requirements for cryptography are only going to intensify. Industry standards like KMIP have brought them this far, but banks are now stepping into a different league; their need for centralised control, system-wide visibility, auditability, cost control, resource management and policy consistency is taking them to places where only cryptography specialists can provide appropriate levels of support. To this end, cryptography-as-a-service is now a fast-emerging fintech trend, and one that that, for many banks, can’t be established quickly enough.