A fundamental principle of enterprise security is robust key management and ensuring critical data is protected by well-managed encryption processes, wherever the data resides.
It is vital that enterprises maintain responsibility and control over their security infrastructure from end to end, a requirement that has become more complex with the advent of the cloud. Since encryption keys are what unlock data, enterprises must maintain control over the keys and have air-tight protections in place to keep them from becoming compromised in any way.
Multi-cloud use is trending
Over this past year, we have seen more organizations moving their data to the cloud, especially financial services organizations. The movement toward broader acceptance of cloud-based encryption and key management will continue to accelerate.
Enterprises commonly use multiple clouds for diversification and to fulfill requirements and regulations that come from individual applications and organizational units.
As enterprises move greater volumes of their computing workloads to public clouds, encryption key management is increasing in importance. Enterprises expect cloud providers to maintain a robust key management service that includes cryptographic APIs.
Every cloud provider has its own set of APIs and its own cryptographic methods for transporting keys, which adds to the complexity of management. As a result, the processes, procedures, and methods for managing keys are different across clouds, and not just from an API standpoint, but from architecture and process standpoints.
Public cloud vendors, including AWS, Google Cloud Platform, and Microsoft Azure, have been making significant progress with data access, key management, and data retention policies, but there is no “one size fits all” at this point.
Why is it important for organizations to retain control of the keys?
- Regulatory issues. Often, organizations are required to maintain escrow of all keys used by all applications, especially applications in scope of certain high-risk environments, including PCI, FDIC, and HIPAA.
- Multiple locations across multiple cloud providers. Applications and data may be spread out.
- Synchronization. By maintaining ownership and escrow of keys, organizations can ensure synchronization across multiple cloud providers.
One method gaining popularity is Bring Your Own Key (BYOK), which allows organizations to encrypt data inside cloud services with their own keys — maintained within the cloud providers’ vaults — while still continuing to leverage the cloud provider's native encryption services to protect their data.
Keys are generated, escrowed, rotated, and retired in an on-premises or cloud hardware security module (HSM). A best practice is to use a FIPS 140-2 Level 3 HSM to more fully address compliance and reporting requirements.
While BYOK offers increased control, it also comes with additional key management responsibilities that are magnified in multi-cloud environments: it falls to each organization to maintain an inventory of all keys used, either directly in the enterprise or in the cloud. To facilitate this effort, the latest enterprise key management systems that natively integrate with cloud provider infrastructure are becoming available and can save time and money while ensuring consistent key management practices.
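The BYOK flow described above (key generated and escrowed in the customer's HSM, transported into the provider's vault wrapped under a provider-supplied public key) can be illustrated end to end. The following Go program is an added example, not code from the article or from any cloud provider; it models the customer HSM and the provider vault as two in-process structs, uses RSA-OAEP with SHA-256 as the transport wrapping (the concrete wrapping scheme, key sizes and the key ID `payments-db-dek` are assumptions for the example, and real providers each publish their own import format), and uses the key ID as the OAEP label so that a wrapped blob cannot be imported under a different ID.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// Size of the provider's RSA wrapping key (assumed for this example).
const wrappingKeyBits = 2048

// Length of the customer's symmetric key: 256-bit AES (assumed).
const dekBytes = 32

// customerHSM stands in for the on-premises or cloud HSM in which keys are
// generated and escrowed. Plaintext key material never leaves this struct
// except wrapped under a provider public key.
type customerHSM struct {
	escrow map[string][]byte // key ID -> raw key; the escrowed master copy
}

func newCustomerHSM() *customerHSM { return &customerHSM{escrow: map[string][]byte{}} }

// GenerateKey creates a fresh 256-bit key inside the HSM and records it in escrow.
// Re-using an ID is refused: rotation means a new ID, not overwriting escrow.
func (h *customerHSM) GenerateKey(keyID string) error {
	if _, exists := h.escrow[keyID]; exists {
		return fmt.Errorf("key %q already exists; rotate with a new ID instead", keyID)
	}
	k := make([]byte, dekBytes)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	h.escrow[keyID] = k
	return nil
}

// WrapForExport produces the transport blob sent to the provider: the raw key
// encrypted with RSA-OAEP(SHA-256) under the provider's wrapping key. The key
// ID is the OAEP label, so the blob only unwraps for that ID.
func (h *customerHSM) WrapForExport(keyID string, wrapPub *rsa.PublicKey) ([]byte, error) {
	k, ok := h.escrow[keyID]
	if !ok {
		return nil, fmt.Errorf("no escrowed key %q", keyID)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, wrapPub, k, []byte(keyID))
}

// providerVault stands in for the cloud provider's key vault. It owns the
// private half of the wrapping key and stores the keys it has imported.
type providerVault struct {
	wrapPriv *rsa.PrivateKey
	imported map[string][]byte
}

func newProviderVault() (*providerVault, error) {
	priv, err := rsa.GenerateKey(rand.Reader, wrappingKeyBits)
	if err != nil {
		return nil, err
	}
	return &providerVault{wrapPriv: priv, imported: map[string][]byte{}}, nil
}

// WrappingPublicKey is what the provider publishes for an import request.
func (v *providerVault) WrappingPublicKey() *rsa.PublicKey { return &v.wrapPriv.PublicKey }

// ImportWrappedKey is the provider-side unwrap. It rejects blobs whose OAEP
// label does not match the target key ID, and key material of the wrong size.
func (v *providerVault) ImportWrappedKey(keyID string, wrapped []byte) error {
	raw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, v.wrapPriv, wrapped, []byte(keyID))
	if err != nil {
		return fmt.Errorf("unwrap of %q failed: %w", keyID, err)
	}
	if len(raw) != dekBytes {
		return errors.New("imported key material has unexpected length")
	}
	v.imported[keyID] = raw
	return nil
}

// keysMatch confirms the escrowed copy and the imported copy are identical,
// which is what lets the customer re-import, rotate or revoke from its own escrow.
func keysMatch(h *customerHSM, v *providerVault, keyID string) bool {
	esc, ok1 := h.escrow[keyID]
	imp, ok2 := v.imported[keyID]
	return ok1 && ok2 && bytes.Equal(esc, imp)
}

func main() {
	vault, err := newProviderVault()
	if err != nil {
		log.Fatal(err)
	}
	hsm := newCustomerHSM()
	const keyID = "payments-db-dek" // constructed example key ID
	if err := hsm.GenerateKey(keyID); err != nil {
		log.Fatal(err)
	}
	wrapped, err := hsm.WrapForExport(keyID, vault.WrappingPublicKey())
	if err != nil {
		log.Fatal(err)
	}
	if err := vault.ImportWrappedKey(keyID, wrapped); err != nil {
		log.Fatal(err)
	}
	fmt.Printf("imported %q: wrapped blob %d bytes, escrow and vault copies match: %v\n",
		keyID, len(wrapped), keysMatch(hsm, vault, keyID))
}
```

The point of the escrow map is the inventory the article calls for: every key the provider holds has a master copy and an ID on the customer side, so re-import into a second provider, rotation under a new ID, and revocation are all decisions the customer can make without the provider's cooperation.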
When exploring the use of key management solutions, ensure that you are following the best practices for centralizing and simplifying key management functions with multi-cloud ecosystems:
- Holistic. Use a key management system that allows for managing both enterprise and cloud keys, and centralize this management in a highly available and redundant system that can fulfill all use cases for key management in the organization. This will lessen the risk of key compromise and give organizations a holistic view of the key inventory.
- Validation. Store keys in a FIPS 140-2 Level 3-validated device; PCI HSM-validated if managing any type of PCI data.
- Centralized. Make sure you are using a centralized system that integrates with all needed cloud providers.
Questions organizations should ask of their cloud provider:
- Do you offer external key management utilizing BYOK techniques?
- Do you offer a method for the cloud key management system to reach directly out to external key management systems for cryptographic operations?
- How am I able to retain full control over my keys?
- Are the processes and policies consistent so we can minimize the impact on our IT organization?
As we head into 2021, the information security industry is trending toward more options and flexibility. When it comes to the cloud, organizations are increasingly gaining more control over their cryptographic keys, even to the point where they can shift from one cloud provider to another.
Whether it’s managing workloads, handling spikes and surges, providing disaster recovery, holding data at rest, or satisfying audit requirements, having a robust key management system as part of your security infrastructure is ever-critical — particularly in a multi-cloud world.