“Halt! Who comes there?” These words are shouted as part of the Ceremony of The Keys at the Tower of London. This time-honored ceremony dates back hundreds of years, its sole purpose being not only to keep intruders out, but also to protect the keys that control access.
The Tower of London is famed for many things, at one time acting as a prison, and more recently, housing the Crown Jewels. Modern security has enabled the Ceremony of the Keys to be viewed by visitors. The centuries old ritual is now guided more by custom, than function. This is a good development, because the key protection method that worked a few centuries ago suffers under today’s standards.
The key ceremony at the Tower includes a grand display of the gate keys, which could now result in easily duplicating those keys, as occurred a few years ago when the Transportation Safety Administration unwittingly displayed the full set of keys to unlock their “approved” luggage locks.
Similar to the presentation of the Chief Yeoman Warder, whose job is to ensure that the Tower is secure from intruders, your key operations must be secure from prying eyes. Prior to engaging in any security key operations, whether it is key creation, key storage, all the way to key disposal, only those individuals authorized to engage in that activity should be allowed to participate. This means that those who are authorized to work with the keys must be securely authenticated.
One of the most notable weaknesses of the Key Ceremony is that the Yeoman is the primary custodian of the keys. Even though this was jeopardized once when the Tower was struck by a bomb, the sole possessor of the keys remains to this day, a single individual. For the record, the Yeoman dusted himself off after the bombing, and the ceremony ran a little behind schedule.
As with all things in security, redundancy is a critical component of an effective protection program. Trusting the keys to the kingdom to one individual can have dire results if that person is unavailable. The best way to protect your digital keys is not only to have more than one person in charge, but to practice segregation of duties, ensuring that more than one person is required to engage in any key activities.
A segregation, or dual control strategy gives multiple people a “shard” of the key, thus ensuring that the entire key could only be reconstructed if all are present. However, the challenge of gathering multiple participants in the same room became severely challenged during the pandemic, where social distancing prevented such in-person meetings. Fortunately, the development of quorum-based dual control offered a new way for key participants to gather virtually, without compromising the integrity of the keys.
Another weakness of the key ceremony is that the Yeoman, that is, the same guy who shows up with the keys and locks the gates, is also the keeper of the Queen’s keys. After the gates are locked, the keys are taken to the Queen’s house, and locked up, under the watchful eye of this single individual. Digital keys should not be locked just in a single room. Besides affording the security of a hardened facility, the best method of storage is using a Hardware Security Module, whose features ensures the greatest possible security.
The Ceremony of the Keys concludes when the Yeoman raises his Tudor bonnet and shouts, “God preserve Queen Elizabeth” and a bugle plays “The Last Post.” While there are weaknesses in this august and stately ritual, it too should be preserved, as it is an important lesson in history, as well as early methods of security. Perhaps if modern security teams added similar pomp and formality to their digital key protection strategy, its importance would gain higher recognition in many organizations, preventing costly key compromise and abuse.
If you are ready to learn more about securing your digital keys ceremony, as well as protecting the integrity and confidentiality of associated certificates, visit us at Venafi.