The Benefits of Bring Your Own Key for AWS in the Financial Sector
Ulrich Scholten (guest) & Stefan Hansen : 24. March 2021
This article discusses how Cryptomathic CKMS addresses concerns that financial institutions may have regarding key management in the cloud - by bringing banking-grade lifecycle key management and BYOK to Amazon Web Services (AWS) as a hybrid-cloud banking architecture.
Meeting a Widespread Need
As banks and financial institutions adopt digital transformation and the platformization of their services, there is an increase in migrating IT services from on-premise, self-managed data-centers to public cloud services.
Cloud computing provides major advantages to the banking and financial sector. Of course, there is the promise of improved bottom lines because of the lower capital costs it offers. By embracing the cloud’s native elasticity and resilience, banks can align their product and service delivery goals with rapid, agile development. This allows banks and other financial institutions to differentiate themselves from their competition.
Security concerns remain a significant barrier to adopting cloud computing for many business-critical financial applications. Due to the nature of the business conducted by banks and financial institutions, placing their sensitive data, critical business processes, and corporate IP on a publicly accessible platform risks attracting cybercriminals and accidentally exposing critical data to service providers. Therefore, the importance of professional design and management of data security cannot be overstated.
Critical Role of Cryptography
For virtually all applications, cryptography is the foundation of data security and is used to authenticate processes and users while protecting data and communication. This is evident in many banking applications where cryptography is used to deliver their core value. For example:
- Banking and financial transactions use multiple cryptographic functions.
- A bank’s online existence is defined by the ownership of a set of cryptographic keys.
While many businesses depend on cryptography to protect their critical data and processes, banks and financial institutions need a higher level of assurance for their cryptographic processes. Otherwise, there is an increased risk of fraud from compromises that could potentially divert monies into the accounts of cybercriminals.
Protecting Data and Privacy
Typically, deciding to place sensitive data in the Cloud depends on the data security and privacy assurances provided by the hosting company. Additional critical considerations include:
- IT architecture, both software and hardware
- Physical infrastructure for the protection of the IT architecture and its perimeters
- Procedures, including their security-related processes and personnel involved
Without specific precautions and protections, banks lose control in a hosted environment. Their data could be exposed to the hosting provider’s personnel or unauthorized third parties.
Maintaining Key Ownership
Often by default, the responsibility for protecting data and communication falls under the cloud service provider's responsibility. However, this means that the data encryption keys are owned by the cloud infrastructure provider, which could mean a sticky lock-in situation. Switching providers in the future could be difficult and lead to data loss or challenging migration procedures. Moving data throughout multiple clouds is also hampered through such a lock-in. Therefore, banks and financial institutions need to avoid lock-ins of their cryptography keys.
Addressing Key Ownership in Hybrid-Cloud or Multi-Cloud
The likelihood that all data and operations will be limited to one cloud location is extremely thin. A bank may choose AWS for its data and applications while using another cloud, such as SAP or MS Azure, to operate other applications, including management applications, and may also keep a local data-center for on-premise services. Bringing one or more cloud service platforms together with that on-premise footprint is challenging when key ownership is considered. Therefore, distributed key management or key ownership should place no limits on data transit.
Compliance with Security Standards
The finance and banking sector is subject to a higher level of regulation, which presents a major challenge. Banks must prove their compliance to security standards, such as PCI DSS, by conducting annual audits. When cryptography and keys are out of the banking or financial institution's control, it can be extremely difficult, if not impossible, for the audited entity to demonstrate its compliance. These mandatory audits are required to maintain banking licenses.
BYOK for AWS Cloud Key Management
Since 2016, AWS has offered customers the ability to bring their own keys (BYOK) for use with KMS-integrated services and custom applications. Cryptomathic CKMS seamlessly integrates with AWS to centralize key management and keep customer data safe. This gives users, such as banks and financial institutions, control over their keys' creation, lifecycle, and durability. Thus, CKMS operates as an external key management system for AWS.
Using the BYOK approach, banks gain more control over managing their data security. This provides an additional layer of security on top of AWS’s already secure encryption framework.
Choosing the BYOK option allows a bank or financial institution to exclusively own and control its encryption keys. The bank (user):
- Creates their keys.
- Maintains their keys.
- Determines whether its data is active or at rest.
- Prevents AWS or third-party personnel from accessing resting data without possession of the user's keys.
- Maintains control of data and application movements across a secured hybrid cloud.
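The BYOK flow described above hinges on one cryptographic step: the bank's key material is wrapped under a public key that AWS KMS hands out (via GetParametersForImport, after CreateKey with Origin=EXTERNAL) and only the wrapped blob is sent to ImportKeyMaterial. The Go example below is added here and is not Cryptomathic's or AWS's code; it uses a locally generated RSA-2048 key pair as a stand-in for the KMS wrapping key, and the unwrap step is included only so the round trip can be checked offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// GenerateKeyMaterial produces the 256-bit symmetric key the bank owns.
// In a CKMS-style deployment it would be generated inside the bank's HSM.
func GenerateKeyMaterial() ([]byte, error) {
	km := make([]byte, 32)
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	return km, nil
}

// WrapForImport encrypts the key material under the KMS wrapping public key
// with RSAES_OAEP_SHA_256, a wrapping algorithm ImportKeyMaterial accepts.
// Only this ciphertext (plus the import token) is ever sent to AWS.
func WrapForImport(wrappingPub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, wrappingPub, keyMaterial, nil)
}

// UnwrapInKMS mirrors the step KMS performs inside its HSMs after import.
// It exists here only so the round trip can be verified offline; the real
// wrapping private key never leaves AWS.
func UnwrapInKMS(wrappingPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, wrappingPriv, wrapped, nil)
}

func main() {
	// Constructed stand-in for the RSA_2048 key pair whose public half
	// GetParametersForImport returns; generated locally for this example.
	kmsWrapping, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	km, _ := GenerateKeyMaterial()
	wrapped, err := WrapForImport(&kmsWrapping.PublicKey, km)
	if err != nil {
		panic(err)
	}
	fmt.Println("EncryptedKeyMaterial:", base64.StdEncoding.EncodeToString(wrapped)[:32], "...")
	back, _ := UnwrapInKMS(kmsWrapping, wrapped)
	fmt.Println("KMS recovers the bank's key:", string(back) == string(km))
}
```

Because the wrapped blob is the only thing that crosses the boundary, the bank can later delete the imported material from KMS and keep the original in CKMS, which is what makes the key ownership claims above enforceable.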
Advantages of Using Cryptomathic CKMS for BYOK with AWS
Banks have full control of their data encryption in AWS’s public cloud by integrating Cryptomathic CKMS with AWS’s security architecture. Users of CKMS experience such advantages as:
- Comprehensive security solution. The BYOK encryption keys cover all types of resting data, including boot and data-persistent disks.
- Additional peace of mind. AWS uses AES-256 to encrypt its users’ cloud data. Since AWS does not retain the user’s BYOK keys, its personnel are prevented from reading or decrypting resting data.
- Works faster without the expense of added overhead. AWS encrypts users’ data at rest. BYOK gives banks full control without added overhead.
Bringing Banking-Grade Security to Hybrid-Cloud Environments
AWS services can be integrated into a hybrid-cloud environment. This allows data and services to be integrated into new competitive value propositions. Under the guidance of customer requirements and market demand, services can gradually evolve.
Cryptographic key management architecture must allow flexibility and agility. Management of key lifecycles should be central and automated while remaining under the control of the bank and being auditable. Data and applications can be moved to new hosting locations, whether between a local data-center and the AWS cloud or spread across various cloud platform providers. BYOK with Cryptomathic CKMS makes this much easier to accomplish.
With more than two decades of experience, Cryptomathic CKMS offers leading key management services for the banking industry and lessens the burdens of digital transformation across the hybrid cloud.