In the 2009 movie Cloudy with a Chance of Meatballs, food, instead of rain, begins to fall from the clouds. So many applications use cryptography in today's hybrid computing environment that clouds are saturated with cryptographic keys. You don’t want to find that yours are falling from the cloud into cyber-criminals' hands. In this blog, from our strategic technology partner nCipher, we explore the critical need for key management on the hybrid cloud platform, particularly among banking and financial applications.
According to MarketWatch:
Globally, the financial cloud market is expected to grow from USD 16.55 billion in 2018 to USD 46.03 billion by 2023, at a CAGR of 22.7%. The key driving factors for market growth are increasing digitization across the globe and a growing number of financial institutions that demand advanced IT solutions to gain genuine competitive advantage rather than building and maintaining an expensive IT infrastructure.
However, financial services are one of the most heavily regulated industries for obvious reasons. Virtually every regulation that covers the protection of personally identifiable information includes the financial services industry, as do such widely applied regulations as PCI DSS, the European Union’s eIDAS and PSD2, the Monetary Authority of Singapore’s Guidance, the U.S.’s Gramm-Leach-Bliley Act, and many more around the world.
Consequently, as financial services organizations take advantage of the cloud to better serve their customers, they must keep in mind that loss, theft, or misuse of even a single critical key can have a significant impact on their organizations, including the need to issue breach notifications, loss of revenue, falling share prices, and serious reputational damage.
The recently published Ponemon Institute Global Encryption Trends Study offers some insight into this challenge. The study of 6,457 security and IT professionals in multiple industry sectors across 17 countries found that the top use cases for the encryption of sensitive data are associated with cloud adoption. The use of encryption with public cloud services grew 21% over the past four years, and encryption for containers – one of the main technologies accelerating cloud adoption – grew 18% in just the past three years. When asked what the main driver for using encryption was, 47% of respondents said it was to comply with external privacy or data security regulations and requirements. As stated previously, banks and financial services organizations are more heavily regulated, and therefore demand more robust security to fulfill their auditing and compliance needs.
The encryption market is expanding, and as a result, there are more encryption keys to manage. As cryptographic keys underpin the security of applications and data on-premises, in the cloud, and in hybrid environments, it is essential to properly manage their lifecycle. Encryption is only effective if you protect your crypto keys, and that is where hardware security modules (HSMs) come into play. HSMs protect critical cryptographic keys in a dedicated, hardened, hardware-based appliance that establishes a root of trust over your keys, your applications, and your data. Cybersecurity professionals consider the use of HSMs to be a best practice. Deployed on-premises or in the cloud, nShield HSMs deliver FIPS 140-2 Level 3 and Common Criteria EAL4+ certified key protection, access control enforcement, and secure code execution. Giving organizations the option to supplement or replace HSMs in their data centers, nShield as a Service enables users to extend cloud-based cryptography and key management across multiple clouds, align crypto-security requirements with organizational cloud strategy, simplify budgeting for business-critical security, and reduce maintenance and monitoring time.
The way forward
Interestingly, the Ponemon study also found that the top 10 HSM use cases in 2020 include public cloud encryption.
Fifty-six percent of organizations surveyed in the study said they would own and operate HSMs on-premises, accessed in real time by cloud-hosted applications.
When asked if they would lease HSMs hosted in the cloud from public cloud providers, 42% said they had that in their plans for this year.
Perhaps most relevant to this discussion are the findings related to the importance of key management.
The utilization of HSMs for encryption and key management has increased from 33% in 2013 to 64% at present.
So, more organizations are using hybrid cloud environments to store and process their data, but at the same time, they must comply with increasingly stringent regulations. Key management and HSMs are “key” to their success.
Your critical keys might not be falling from the clouds, but if not well protected, they can certainly fall into the wrong hands. Cryptomathic and nCipher address the key management challenges experienced by banks and financial institutions with a certified bank-grade key lifecycle management platform.