Mastering key management in a multi-cloud environment
As multi-cloud environments become commonplace for the majority of enterprise businesses, key management across major cloud providers creates a cloud-to-cloud obstacle as each provider utilizes a platform-specific method of key management. All major cloud providers protect customer data by using transparent encryption, which results in the cloud platform managing the encryption keys. Platform-centric key management creates key management control issues when users & applications are utilizing multiple cloud platforms. From this multi-cloud key management obstacle, the Bring Your Own Key (BYOK) cloud key management methodology was born as a platform-agnostic approach to reducing multi-cloud key management complexity.
Last week, we hosted a webinar on this topic, and the on-demand recording is available at GoToStage.
What is BYOK?
The Bring Your Own Key cloud key management methodology allows for key generation and escrow outside of the cloud platform, ensuring greater control for the organization. After generation, keys are transported to the cloud for utilization. Key material is still stored on cloud provider servers, so it’s important to understand that BYOK is not a way to completely offload access to keys from the cloud provider.
Key Life Cycle Management
Cryptographic Key Portability
Key generation and escrow outside cloud platform avoids vendor-lock affording clients the flexibility to move to a new cloud provider if a contingency plan calls for migration.
Disaster Recovery Between Clouds
Organizations that utilize a separate cloud platform as a failover mechanism in disaster recovery situations benefit greatly from BYOK as the necessary keys are generated outside the former cloud provider and do not need to be translated for the D/R cloud instance.
BYOK Use Cases
- Database encryption (TDE)
- Application encryption
- Keys backed or encrypted by cloud HSM
Multi-Cloud Key Management with Futurex
Futurex helps clients solve these multi-cloud key management issues by implementing a BYOK solution through our hardware or cloud Crypto-as-a-Service offerings. The KMES Series 3 is our full lifecycle key management server which combines a key management application and hardware security module into a single appliance. The KMES Series 3 provides many key management features including automatic key rotation. For organizations that exercise a company-wide policy to avoid on-premises hosting when possible, VirtuCrypt offers the cloud key management required for the BYOK approach.
- Crypto Agility: switch between cryptographic algorithms without rewriting applications or deploying new hardware
- Automatic Key Rotation: Futurex product reaches out to cloud providers and rotates keys based on preset policies.
- Multitenancy: Divide out key groups across your organization limiting sensitive material access to only users and applications that require access
Watch the entire webinar at GoToStage or learn more about how Futurex can help secure your multi-cloud environment, centralize key management and avoid cloud vendor lock-in by speaking with a Solutions Architect today.