The Summit will formally get underway at 3pm on March 30th, with talks from 3-5:30, and a reception and dinner that evening. The Summit program will continue at 9am on March 31st, and run until 5pm. The meeting will take place in the Heather and Scripps conference rooms.
Note: The Program below is preliminary and subject to change.
Wednesday, March 30th
1:30pm - 3pm Check-in Social Hall
Session 1: Keynotes
3pm - 3:15pm Opening Remarks
3:15pm - 4pm Dorothy Denning, Naval Postgraduate Institute, "Key Management 30 Years Ago"
4pm - 4:45pm Dan Boneh, Stanford University, "Social Keys: New Directions in Public Key Management"
6pm Dinner Crocker Hall
7pm-9pm Reception Scripps Hall
Thursday, March 31st
7:30am - 9am Breakfast available Crocker Hall
Session 2: The Practice of Key Management
9am - 9:45am Anthony J. Stieber, "Crisis and Opportunity of Cryptographic Key Management: 2001 to 2031"
The past ten years have seen heavy use of recently retired cryptographic standards. Unfortunately, merely retiring a cryptographic standard does not end the risk; all copies of the previously protected data need to be destroyed or invalidated. However, regulatory requirements and technical limitations make data destruction problematic. Data migration can be expensive, and decreasing storage costs may make data destruction more costly than merely purchasing more storage. Permanent data retention tends to be the default, with long term planning being only a few years; while cryptanalytic threats stretch into decades. Cryptography is increasingly the sole security control especially with remote access, outsourcing, and virtualization. Deliberate storage of terabytes of ciphertext for future attacks is affordable for even less advanced, low-persistence threats. Serious attacks against well established cryptographic systems have become the province of even amateurs. The next two decades may be more interesting than we can imagine, but this presentation tries anyway.
9:45am - 10:30am Christopher Kostick, Ernst and Young, "Auditing an Enterprise Key Management Project"
Companies are deploying encryption solutions, and therefore more key management, in an ever increasing conscientious data protection atmosphere. An all-encompassing solution for enterprise key management is years off, so companies are deploying multiple key management solutions and continuously creating processes and internal standards to deal with the problem. One method to effectively cope with this management nightmare is to measure each implementation's effectiveness based on established criteria for managing keys – all keys. An audit of a company's enterprise key management program, which is the collection of all key management, provides the tool necessary then to measure compliance against those criteria and effect change such that enterprise key management becomes manageable, stable, and consistent no matter what the solution for managing keys. This session will discuss the basic criteria necessary for all enterprise key management solutions, apply the criteria in a form to measure compliance, and highlight the pros and cons of such an approach.
10:30am - 11:15am Elaine Barker, NIST
Elaine Barker has been a mathematician at the National Institute of Standards and Technology (NIST) since 1983, and has extensive experience in the development of cryptographic standards and guidelines. Recent development activity has included revising the digital signature standard, providing key management guidance, and providing guidance on the transition of algorithms and key lengths to provide stronger cryptographic protection. NIST Special Publication 800-131A was developed to provide this transition strategy for using cryptographic algorithms and key lengths; SP 800-131B will discuss the strategy to be used by NIST's validation programs to validate against SP 800-131A. The strategy for transitioning from the validation of FIPS 186-2 to FIPS 186-3 is also being developed. Today's talk will highlight these two validation strategies.
11:15am - Noon Ramon Krikken, Burton Group, Keynote: "So we're managing a bunch of keys ... now what?"
As expected due to increased regulation and other threats, the use of encryption as a data protection mechanism is skyrocketing. Not wanting to depend on the next layer down, many products at many layers now support performing encryption, having their own methods for managing the various associated configuration and data ... or having no management at all. The situation is much the same, or perhaps worse, for authentication, where use of public keys and certificates is quite often hidden under the covers. Enterprise customers are becoming more educated in these areas, and are looking for advice on their encryption / cryptography road maps - not only in light of crypto-proliferation, but also in how to design cryptography and manage cryptographic data in the changing greater IT landscape. This session will explore customer and industry challenges, and provide industry analyst insight on where and how solutions to these challenges start to emerge.
Noon - 1pm Lunch Crocker Hall
1:30pm - 2:15pm Bob Griffin, RSA, "The OASIS KMIP Standard: Interoperability for the Cryptographic Ecosystem"
The rapid expansion of concern about data privacy has dramatically increased the use of encryption throughout the enterprise and made effective key management indispensable. This session discusses the critical role of the OASIS KMIP standard in realizing effective and interoperable key management for the cryptographic ecosystem. It focuses on the current version of KMIP, defining the use cases that KMIP can address, how those use cases are being implemented with KMIP and how interoperability is being verified. It will also introduce areas that still need to be addressed by KMIP and how the standard might evolve to address those needs.
Session 3: Key Management and the Cloud
2pm - 2:45pm Steve Farnworth, SafeNet, "Universal Key Management in an Age of Encryption Fragmentation"
There is no question enterprises now face silos of unrelated encryption domains. Operational overhead, auditing deviations, and key rotation hassles are becoming untenable. Even worse, the coming age of the cloud is aligning itself to dramatically increase the use of encryption while decreasing the trust anchoring required for effective encryption. This session will talk about Universal Key Management as an enabling technology to consolidate encryption into a service-based IT asset. In addition, this session will discuss orienting this service towards one that can be logically and easily extended to the anticipated cloud IaaS, PaaS, and SaaS services.
2:45pm - 3pm Afternoon Break
3pm - 3:30pm Bob Griffin, RSA, "Where in the world are my keys"
The rapid increase in the use of cloud services for enterprise IT capabilities also increases the risk of exposure of information and identities. Cryptographic techniques such as encryption can play an important role in reducing the risk of exposure, but only if the keys used in these techniques can be effectively managed. This session explores the issues in securing information and identities in cloud deployments, and also approaches that can best address these issues. The session will address such questions as: What are the security issues that enterprises face in taking advantage of cloud computing? What role can cryptographic capabilities play in addressing these issues? How can the keys required for these cryptographic environments be managed effectively for the cloud? What requirements are there for interoperability across the key management solutions supporting these cryptographic solutions in the cloud? What can the industry do to help support these interoperability requirements?
3:30pm - 4:15pm Jon Geater, Thales, "Key Management Control Strategies in the Cloud Information System"
There is presently much debate around the need to add security to Cloud platforms. But security alone is not enough: proof and trust are also required. How do you prove processes are being followed and keys are being properly used? How do the Cloud providers demonstrate their security stance in a cost-effective way? How can an organization effectively retain the right level of control? There is no single right answer but a variety of key management techniques and deployment models can be used to both assert and demonstrate control in different Cloud scenarios. This talk looks at some of them including examples of using key management to add trust in the Cloud.
4:15pm - 4:30pm Boris Schumperli, Cryptomathic, "A New Approach to Key Management in the Cloud"
4:30pm - 5:15pm Cloud Key Management Panel Discussion, led by Ramon Krikken of Burton Group
Security for the cloud is top of mind for enterprise security stakeholders everywhere. What does encryption mean relative to cloud architectures? What benefits can key management provide to security architects that have data migrating out of their networks? Vendors are proposing a panoply of solutions, but which ones will actually prove to be effective? This panel will put the hard questions to the experts, and let them debate these crucial issues.