In the 2009 movie Cloudy with a Chance of Meatballs, food instead of rain begins to fall from the clouds. Today’s hybrid computing environment employs so many applications using cryptography that clouds are saturated with crypto keys, and you don’t want to find that yours are falling from the cloud into the hands of cyber-criminals. In this blog, from our strategic technology partner nCipher, we explore the critical need for key management in the hybrid cloud, particularly among banking and financial applications.
According to MarketWatch:
Globally, the financial cloud market is expected to grow from USD 16.55 billion in 2018 to USD 46.03 billion by 2023, at a CAGR of 22.7%. Increasing digitization across the globe and a growing number of financial institutions that demand advanced IT solutions to gain genuine competitive advantage rather than building and maintaining an expensive IT infrastructure are the key driving factors for the growth of the market.
However, financial services, for obvious reasons, is also one of the most heavily regulated industries. Virtually every regulation that covers the protection of personally identifiable information includes the financial services industry as do such widely applied regulations as PCI DSS, the European Union’s eIDAS and PSD2, the Monetary Authority of Singapore’s Guidance, the U.S.’s Gramm-Leach-Bliley Act, and many more around the world.
Consequently, as financial services organizations take advantage of the cloud to better serve their customers, they must keep in mind that loss, theft, or misuse of even a single critical key can have significant impact on their organizations, including the need to issue breach notifications, loss of revenue, falling share prices, and serious reputational damage.
The recently published Ponemon Institute Global Encryption Trends Study offers some insight into this challenge. The study of 6,457 security and IT professionals in multiple industry sectors across 17 countries found that the top use cases for encryption of sensitive data are associated with cloud adoption. Use of encryption with public cloud services grew 21% over the past four years, and encryption for containers – one of the main technologies accelerating cloud adoption – grew 18% in just the past three years. When asked what the main driver for using encryption was, 47% of respondents said it was to comply with external privacy or data security regulations and requirements. As noted above, banks and financial services organizations are more heavily regulated, and therefore demand more robust security to fulfill their auditing and compliance needs.
The market for encryption is growing, and with more encrypted data we have more encryption keys to manage. As cryptographic keys underpin the security of applications and data on-premises, in the cloud, and in hybrid environments, properly managing their lifecycle is fundamental. Encryption is only effective if you protect your crypto keys, and that is where hardware security modules (HSMs) come into play. HSMs protect critical cryptographic keys in a dedicated, hardened, hardware-based appliance that establishes a root of trust over your keys, your applications, and your data. Cybersecurity professionals consider the use of HSMs to be a best practice. Deployed on-premises or in the cloud, nShield HSMs deliver FIPS 140-2 Level 3 and Common Criteria EAL4+ certified key protection, access control enforcement, and secure code execution. Giving organizations the option to supplement or replace HSMs in their data centers, nShield as a Service enables users to extend cloud-based cryptography and key management across multiple clouds, align crypto-security requirements with organizational cloud strategy, and simplify budgeting for business-critical security while decreasing time spent on maintenance and monitoring.
The way forward
Interestingly, the Ponemon study also found that the top 10 HSM use cases in 2020 include public cloud encryption. Fifty-six percent of organizations surveyed in the study said they would own and operate HSMs on-premises, and access them real-time by the cloud-hosted applications. When asked if they would lease HSMs from public cloud provider hosted in the cloud, 42% said they had that on their plan for this year.
Perhaps most relevant to this discussion are the findings related to the importance of key management. The use of HSMs for encryption and key management has grown from 33% in 2013 to 64% today. So, more organizations are using hybrid cloud environments to store and process their data, but at the same time, they must comply with increasingly stringent regulations. Key management and HSMs are “key” to their success.
Your critical keys might not be falling from the clouds, but if not well protected, they can certainly fall into the wrong hands. Cryptomathic and nCipher address the key management challenges experienced by banks and financial institutions with a certified bank-grade key lifecycle management platform. To learn more, register for our webinar: “Key Management for the Hybrid Cloud” on May 21st at 2pm EDT. If you’d like to learn more about nCipher, please follow the company on Twitter, LinkedIn, and Facebook.
References and Further Reading
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 1: What is a key management system (2018), by Rob Stubbs
- Buyer's Guide to Choosing a Crypto Key Management System; Part 2: The Requirement for a Key Management System (2018), by Rob Stubbs
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 3: Choosing the Right Key Management System (2018), by Rob Stubbs
NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker
Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Peter Landrock, Peter Smirnoff, Rob Stubbs, Stefan Hansen and more
CKMS Product Sheet (2016), by Cryptomathic