Concrete solutions for cloud security, part two

In the global market, we’ve noticed a trend of increasing adoption of cloud cryptographic services. Embracing the cloud gives organizations lower capital expenditures, faster deployment times, and all the functionality of on-premises HSMs. Nowadays, organizations are seeking ways to optimize their cloud infrastructure and get more value from it. Many companies are on the lookout for new solutions. Over the course of three articles, we are exploring trends in cloud data security, covering topics such as growing security concerns, evolving business requirements, and innovative solutions.

What is cloud key management?

For many companies, it would be tough to imagine running their workloads anywhere except the cloud. For example, a payment company might host its payment processing web application in the public cloud. They can use the cloud provider’s Platform as a Service (PaaS) offering or Infrastructure as a Service (IaaS) with virtual machines. The cloud provider takes care of hardware provisioning, network configuration, and scaling. The payment company can easily adjust resources on-demand, ensuring their application can handle traffic spikes during peak processing times. They might also deploy their SQL databases through a cloud provider. In short, the payment company has everything they need for their business application in the cloud.

However, this company’s payment processing application uses a lot of encryption keys. Every time it runs a cryptographic algorithm to protect payment data, that algorithm uses a key. This means the company has to implement a key management solution in the cloud to determine things like how the keys are created, distributed, and retired on a regular basis. A key management solution helps our hypothetical payment company to manage its keys effectively. Effective key management leads to a much stronger security posture. In short, cloud key management consists of all the practices used to manage and secure keys with on-premises hardware transposed to a cloud environment.

Benefits of cloud key management

While many organizations have recognized the benefits of shifting data security to the cloud, not everyone has implemented effective cloud key management strategies. The advantages of using a cloud Hardware Security Module (HSM) are evident: organizations can swiftly deploy HSMs in the cloud on-demand.

The benefits of cloud key management are equally compelling. Not only does effective cloud key management alleviate cryptographic sprawl, it also offers organizations higher levels of privacy, security, and control.

Control over encryption keys: By using a cloud key management solution, organizations maintain full control over encryption keys. This grants an organization exclusive access to the encryption keys used to secure their data. With this control, the organization can revoke or rotate keys as needed and manage their lifecycle effectively.

Compliance requirements: The payment industry abides by several regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS). Organizations can deploy robust key management solutions to reach compliance, which serves as a badge of trust for both partners and customers.

Protection against insider threats: Not all security risks come from outside the organization. Insider threats, whether intentional or accidental, can compromise data. Cloud key management allows organizations to define roles and permissions to restrict access to keys, minimizing the risk of internal breaches.

Data security and encryption: Payment companies handle a lot of sensitive data, like credit card information and personally identifiable information (PII). Cloud key management allows them to encrypt this data securely by preventing vulnerabilities from emerging among encryption keys. With proper key management, even if unauthorized users gain access to the encrypted data, they won’t be able to decipher it without the appropriate encryption keys.

Reduced management overhead: Encryption keys should be rotated regularly to mitigate the impact of any potential key compromise. A cloud key management solution allows organizations to automate key rotation and set expiration policies, improving their overall security posture.

Cloud key management models

BYOK

If an organization desires exclusive access to their data, they can implement a cloud key management solution known as bring-your-own-keys (BYOK). BYOK empowers organizations to generate and control their encryption keys, ensuring that they and they alone can access them. By deploying BYOK, organizations retain complete control over how their data is stored and accessed.

To illustrate, consider an organization running applications with a leading cloud service provider such as AWS, Azure, or GCP. These applications use encryption keys to run encryption algorithms, which convert data into encrypted, unreadable cipher-text for storage and transmission. Cloud service providers encrypt customer data within their infrastructure as a standard practice. The cloud providers retain access to the cloud encryption keys in this scenario. However, when an organization is dealing with highly sensitive data and wants additional privacy, BYOK is their best bet for key management.

Key administrator services

Key administrator services (sometimes called key agent services) are a great option for organizations that don’t have a dedicated key management team, or that simply have less experience managing keys. In this case, the organization would source out its key management operations to a trusted third party. The third party key administrator uses their own key management infrastructure to create, load, and manage keys on the organization’s behalf. This can also make it easier for an organization to reach compliance when the administrator uses highly compliant infrastructure to manage their keys.

Google cloud key management

External Key Management (EKM) is way of managing keys in the Google Cloud Platform (GCP). Google Cloud EKM enables organizations to use a third party to create, store, and manage keys in a separate environment from the cloud, enhancing data privacy, access control, and key provenance.

Client-side encryption (CSE) for Google Workspace is a cloud key management solution that is gaining traction. With CSE, data undergoes encryption within a user’s web browser before being transmitted to a cloud provider’s servers. The encrypted data is then stored, accessible solely to the organization implementing CSE. This is another key management solution that organizations trusted with highly sensitive data appreciate.

FAQ

How does cloud key management compare to on-premises solutions, and what are their respective benefits and drawbacks?

Cloud key management offers the advantage of scalability, flexibility, and reduced management overhead compared to traditional on-premises solutions. However, it also introduces new security risks related to data privacy and control. On-premises solutions provide more direct control over security measures but may lack the scalability and convenience of cloud-based systems.

What are the key security risks in cloud key management, and how can they be mitigated?

Security risks in cloud key management include potential data breaches, unauthorized access to encryption keys, and compliance violations. These risks can be mitigated through measures such as robust access controls, encryption protocols, and regular audits of key management practices.

How do different cloud key management models impact data security, compliance, and efficiency?

Different cloud key management models, such as BYOK or Google Cloud’s EKM, offer varying levels of control and convenience for organizations. BYOK provides exclusive control over encryption keys, while key administrator services offer outsourcing options for key management tasks. Google Cloud’s EKM enhances data privacy and control by enabling keys to be managed in a separate environment. Each model has implications for data security, compliance adherence, and operational efficiency, depending on the organization’s specific requirements and preferences.