Does anyone remember double albums, aka double LPs? I’m talking vinyl records of course, before CDs changed the industry and with it the maximum duration of material that could be packaged into a single disc. If a band had more than 40 minutes of material available, the only options were to cut some tracks or release a double album. Often double albums were released when bands were at their creative peak, such as the Rolling Stones album Exile on Main Street, Jimi Hendrix’s Electric Ladyland, the Clash’s London Calling, Prince’s Sign of the Times or even Trout Mask Replica by Captain Beefheart and his Magic Band if you appreciate the more avant-garde end of the rock spectrum! I can still remember the thrill of buying some of these classic double LP records from the local record store. They were a full-on artistic statement, usually sporting a lavish gatefold sleeve, thoughtfully crafted artwork often with detailed sleeve notes and sometimes lyric sheets. They were great to pore over as you gave the vinyl record its first spin on the turntable.
While cogitating on the art of the double, I’ve just heard about Microsoft’s latest double release. No, it’s not on vinyl, but it is called Double Key Encryption (DKE). Part of their Azure Information Protection offering, DKE is targeted at highly regulated organizations such as financial services, enterprise and healthcare, where specific data requires that added level of protection, control and assurance. We are talking here about secret sauce recipes, pharmaceutical research, inventions, patents, financial algorithms and so on that you want to keep out of reach of nefarious actors or your competitors. Essentially a company’s crown jewels. You know the script… failure to protect this data can lead not just to financial loss but also to substantial damage to a company’s brand reputation.
Up until now Microsoft’s Hold Your Own Key (HYOK) enabled customers in the Azure Information Protection (AIP) environment to hold their encryption keys on-premises. This required you to operate your own Active Directory, your own Rights Management Server (RMS), and your own hardware security modules (HSMs) for key retention. The limitation with HYOK was that it required a Microsoft footprint on-premises. With DKE there is no on-premises RMS requirement. In essence Microsoft have empowered the customer (via GitHub reference code) to develop their own web service to provide their cryptographic key. Reassuringly, the customer owns and controls the code.
Okay, so you are wondering where the double fits into this? Well, as the name suggests there are two cryptographic encryption keys: one that Microsoft uses and one for the customer. Microsoft has no access to the customer’s key, so we have the archetypal dual control construct at play. In the vinyl world the equivalent would be two DJs, each behind a Technics SL1200 turntable deck, each with a vinyl disc from a random double album, sourced from an infinite warehouse of double albums, ready to play. It’s a bit of a loose analogy, but imagine no sound will be heard until both DJs lower the stylus onto their respective vinyl record, in essence each applying their respective key to encrypt or decrypt. This is dual control, and you the customer are in full control!
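To make the dual control construct concrete, here is an added illustration (not Microsoft’s DKE code, nor Entrust’s): a document is encrypted under a fresh content key, and that content key is then wrapped first with the customer’s key and then with the provider’s key, so that neither party can recover the content on its own. The use of AES-256-GCM for both layers, the wrapping order, and the function names are assumptions made for this example; the real DKE service and its key formats differ in detail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ProtectedDoc is the constructed output format for this illustration:
// the body is sealed under a per-document content key, and that content
// key is sealed twice, customer key on the inside, provider key on the outside.
type ProtectedDoc struct {
	Body       []byte // document encrypted under the content key
	WrappedKey []byte // content key wrapped by customer key, then by provider key
}

// NewKey returns a fresh random AES-256 key (assumed symmetric keys for both parties).
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// seal encrypts plaintext with AES-256-GCM under key and returns nonce||ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's authentication tag makes a wrong key fail loudly.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Protect encrypts doc so that both customerKey and providerKey are needed to read it.
func Protect(customerKey, providerKey, doc []byte) (*ProtectedDoc, error) {
	contentKey := NewKey()
	body, err := seal(contentKey, doc)
	if err != nil {
		return nil, err
	}
	inner, err := seal(customerKey, contentKey) // customer layer: provider cannot strip it
	if err != nil {
		return nil, err
	}
	outer, err := seal(providerKey, inner) // provider layer: customer cannot strip it
	if err != nil {
		return nil, err
	}
	return &ProtectedDoc{Body: body, WrappedKey: outer}, nil
}

// Unprotect unwraps provider layer, then customer layer, then decrypts the body.
// Missing either key leaves the content key, and therefore the document, unreadable.
func Unprotect(customerKey, providerKey []byte, p *ProtectedDoc) ([]byte, error) {
	inner, err := open(providerKey, p.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("provider key layer: %w", err)
	}
	contentKey, err := open(customerKey, inner)
	if err != nil {
		return nil, fmt.Errorf("customer key layer: %w", err)
	}
	return open(contentKey, p.Body)
}

func main() {
	customerKey, providerKey := NewKey(), NewKey()
	doc := []byte("constructed sample: secret sauce recipe") // constructed input
	p, err := Protect(customerKey, providerKey, doc)
	if err != nil {
		panic(err)
	}
	out, err := Unprotect(customerKey, providerKey, p)
	fmt.Printf("both keys: %q, err=%v\n", out, err)
	_, err = Unprotect(customerKey, NewKey(), p)
	fmt.Println("customer key only:", err)
	_, err = Unprotect(NewKey(), providerKey, p)
	fmt.Println("provider key only:", err)
}
```

The point of the layering is that the provider (Microsoft in the DKE case) only ever sees the outer wrap and never the customer key, while the customer’s own key service is what turns the inner wrap back into a usable content key; GCM’s authentication tag means a party holding only one key gets an error rather than garbage.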
Unlike HYOK, with DKE you don’t just control your key, you also control the software that manages it. So if you are a customer with any of these requirements, then DKE might be for you:
- A need to protect those sensitive high value artefacts
- Looking for the added security and control of your keys
- Wanting to leave less of a software footprint for your Cloud Service Provider to manage and maintain
But that does beg the question: who will write that code for you? Code that needs to be not only well written, following best practice security principles, but also hardened and production ready, ensuring it will pass the most robust compliance audits. That’s when you might want to reach out to Entrust. Like some of those classic double vinyl albums, we have been around for several decades with our proven nShield hardware security modules. And of course when it comes to handling your vinyl, you need a safe pair of hands. Entrust can offer that safe pair of hands for your DKE project.
So why not dig out your vinyl from the attic, especially those classic double albums and give DKE a spin!
For more information on what nShield HSMs can do for your business click here.
*** This is a Security Bloggers Network syndicated blog from Entrust Blog authored by Adam Gothmann. Read the original post at: https://blog.entrust.com/2020/12/double-key-encryption/