Take Control of Your Keys: BYOK for the MS Azure Key Vault

This article explores how Cryptomathic CKMS combines BYOK for the MS Azure Key Vault with banking-grade key lifecycle management; to address the concerns banks have regarding key management in the public cloud.

Banking Security Concerns

More and more banks and financial institutions are adopting digital transformation and choosing the path of platformization of their services. This has created increased migration of IT services from self-managed, on-premises data-center to public cloud services.

There are major advantages to be gained from cloud computing for the banking and financial sector. Because of the lower costs cloud computing provides, banks and financial institutions can expect a reduction in their operating costs. These institutions also benefit when they embrace the cloud provider’s meshable services (e.g., MS Dynamics) as well as the cloud’s native elasticity and resilience to align their goals for rapid, agile development and delivering their products and services to their customers.

Security concerns, however, still remain a significant barrier between banks choosing the cloud for many of their business-critical financial applications. The financial industry is burdened with the inherent risk of being highly attractive to cybercriminals and, of course, their sensitive data being accidentally exposed to third-party service providers. Therefore, the strict management of data security and professional design is of great importance.

Cryptography Plays a Critical Role

Cryptography remains the foundation of data security for virtually all applications, especially those used by banks. It is used to authenticate users and processes while keeping data and communications protected. For instance, multiple cryptographic functions are used for every single banking and financial transaction, and a bank's online existence depends on the complete control and ownership of numerous cryptographic keys.

Banks require a higher level of assurance for their cryptographic processes than many other types of businesses do. Without that assurance, they are at an increased risk of compromises that could fraudulently transfer their customers’ funds to cybercriminals.

Data Security and Privacy Assurances

Before choosing to put sensitive data in the cloud, banks and financial institutions need to consider the host's data security and privacy assurances. However, these are not the only concerns; additional critical considerations include:

• Procedures, including personnel involved and security-related processes
• IT architecture, including hardware and software
• Physical protection of the IT architecture and its perimeters

Maintaining Ownership of Keys

Often, the cloud service provider owns the data encryption keys used to protect data and communication by default. This makes it difficult for banks and financial institutions to use data across the hybrid cloud or to switch providers in the future and could lead to data loss or problems with migrating data.

To avoid a “lock-in,” it is best that banks and financial organizations take the BYOK route when starting with the cloud. But there are other reasons why BYOK is a better option because the most likely scenario for most data and operations is that multiple clouds may be used for different things. For example, a bank may use AWS for its data and applications. However, they may choose to use a different cloud provider to host their other processes, such as MS Azure, to operate other applications, like their management applications or MS Dynamics.

Multi-cloud or hybrid-cloud platforms with a local data center for on-premises services can be a challenge when key ownership is spread out along various cloud hosts. But even more concerning is that the banking and finance sector is highly regulated. Banks must prove their compliance to security standards, including PCI DSS. Thus, if a bank does not own its cryptographic keys, it could be impossible for them to prove its compliance during an audit.

The Advantages of the MS Azure Key Vault

With an Azure Information Protection subscription, Microsoft gives organizations the option for BYOK versus using a default key generated by Microsoft. However, to protect such customer-generated keys, they must be stored in the Azure Key Vault. The Azure Key Vault offers centralized and consistent key management solutions for cloud-based and on-premises services requiring encryption.

There are multiple benefits to using the Azure Key Vault, including:

• Support for a number of built-in interfaces for key management.
• Role separation, which is recognized as a best practice for security.
• It is available in various locations and provides support for organizations restricted to where their master keys can reside.
• It uses separate regional security domains for its data centers.
• It allows security administrators to access, store, and manage certificates and passwords for other services requiring encryption for a seamless user experience.

MS Azure plays three major roles with BYOK management:

• The Azure key vault helps secure MS Azure, a cloud infrastructure to create and deploy its own "greenfield" applications
• MS Dynamics and its whole ecosystem can be secured from the Azure Key Vault
• MS Office 365 can be secured from the key vault

What Cryptomathic Brings to BYOK with MS Azure Key Vault

Cryptomathic’s key lifecycle management system, CKMS, provides unique HSM-agnostic functionality to banks and other security-sensitive organizations to retain lifecycle control of critical keys while using MS Azure’s platform.

BYOK keys in the Azure Key Vault can be automatically pushed to the cloud by CKMS according to policies created by the business. In addition, these same keys can be delivered securely to third-party cloud vendors and on-premises applications.

Since CKMS is HSM-agnostic, the customer is free to choose their own HSM vendor. This approach gives banks and other financial institutions a wide range of support for their applications in the cloud and in their on-premises data centers, along with the underlying support of their preferred brand of HSM.

References

• Read more articles about secure banking-grade key management of MS-Dynamics (cloud or on premise) together with other cloud or datacenter applications (2019 - today), by Stefan Hansen, Ulrich Scholten and more
• Encryption in Microsoft Dynamics 365 (retrieved May 2020), by Microsoft Corporation
• Import HSM-protected keys to Key Vault (retrieved May 2020), by Microsoft Corporation
• Import HSM-protected keys for Key Vault (legacy) (retrieved May 2020), by Microsoft Corporation
• Import HSM-protected keys to Key Vault (preview) (retrieved May 2020), by Microsoft Corporation
• Transform Banking with the Microsoft Dynamics 365 Banking Accelerator (2019), by James Galvin, Chad Hamblin, Carr Phillips at Microsoft
• Selected articles on Key Management in the Cloud (2017-today) by Matt Landrock, Rob Stubbs, Stefan Hansen, Ulrich Scholten, Joe Lintzen and more
• Key Management in a Multi-Cloud Environment - A blessing or a curse? (2017), by Johannes “Jo” Lintzen
• Buyer’s Guide to Choosing a Crypto Key Management System - Part 1: What is a key management system (2018), by Rob Stubbs

• NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker

• Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more

• CKMS Product Sheet (2016), by Cryptomathic

• White Paper – Deploying CKMS Within a Business (2017), by Cryptomathic

• Perspectives for Web Service Intermediaries: How Influence on Quality Makes the Difference (2009), by Ulrich Scholten, Robin Fischer and Christian Zirpins