Many industries, including banking, finance and healthcare, are required to comply with data security standards and regulations such as SOC 2, the NIST guidelines, PCI DSS, GDPR or HIPAA. Organizations in these industries can face costly penalties if, after a security breach, they cannot demonstrate that they were compliant.
This article discusses how Cryptomathic’s AWS BYOK Service can help address such compliance requirements by providing auditability and access logs for the encryption keys used with AWS cloud services.
When using cloud services, sensitive data must be protected by encryption. For that data to be usable by AWS services such as Amazon S3, those services need access to the cryptographic keys, which in many cases are managed in AWS KMS. With the ‘Bring Your Own Key’ (BYOK) approach, as provided by Cryptomathic’s AWS BYOK Service, the key material is generated and held under the customer’s own control and imported into AWS KMS, so the customer retains ownership and control of the KMS keys rather than relying on key material generated inside AWS. A SaaS key management solution like Cryptomathic’s AWS BYOK Service can also provide an audit trail covering the full life-cycle of each key (generation, import, rotation, disabling and deletion) that can be used to demonstrate compliance.
Key Management Compliance
Because regulators can impose costly consequences on organizations that cannot document and prove compliance, it is crucial that key management is audited periodically. All keys must be managed according to the applicable regulatory guidelines, whether they are used internally or with external services such as AWS.
The auditing process varies with the industry, the type of environment and other factors. Part of it is verifying that the required administrative controls are in place for each stage of a key’s life-cycle. Documenting and proving compliance in this way is typically costly and difficult for organizations.
Implementing proper key management from the outset is usually simpler than trying to reconstruct key usage and access afterwards by other means. When selecting a key management solution, however, it is essential to understand which compliance requirements actually apply, so as to avoid unnecessary cost and overhead.
Understanding the Three Domains of Compliance
Compliance for key management is generally assessed across three basic domains.
#1. Physical Security
Physical security requires protecting physical assets from unauthorized access, for example by housing keys in hardware with tamper protection. Tamper protection falls into three distinct types:
- Tamper-evident: tampering leaves detectable traces, or is detected by devices such as surveillance cameras or motion detectors.
- Tamper-resistant: tampering is made physically difficult, as with a hardened HSM enclosure.
- Tamper-responsive: a tampering attempt triggers an alarm or an automatic response (such as zeroizing the keys) designed to thwart it.
#2. Logical Security
Logical security is crucial for protecting sensitive data and information when it is used with third-party cloud services. Compliance for the logical security of key management focuses on:
- Using approved cryptographic functions and algorithms to protect the keys that encrypt and decrypt information.
- Using a segmented architecture that restricts access to information across networks and systems by isolating the locations where data and keys are stored.
- Developing and maintaining software that implements cryptographic algorithms in accordance with the relevant cryptographic standards.
#3. Personnel Security
Access to sensitive information should be limited to assigned personnel, and every access should be recorded in a log that identifies who accessed what, and when.
Achieving Compliance with AWS BYOK
Cryptomathic’s AWS BYOK Service provides secure, centralized and automated key management for AWS KMS keys used across AWS applications. Its audit logs help demonstrate ownership and control of the root keys, and reduce the cost and effort of preparing for and conducting a compliance audit across all three compliance domains.
By using Cryptomathic’s AWS BYOK Service for AWS cloud applications, organizations can make auditing their cloud services considerably easier, and remain compliant in how they secure their cryptographic keys and the information those keys protect.
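As an added illustration of what a key life-cycle audit trail and access log look like in practice (this is example code written for this article, not Cryptomathic’s product or AWS code), the script below reconstructs a per-key history from CloudTrail-style records, which is where AWS itself logs KMS API calls. The sample events, key ARN and principal names are constructed; the CloudTrail field names (eventName, userIdentity.arn, requestParameters, resources, errorCode) and the KMS API names (CreateKey with origin EXTERNAL, ImportKeyMaterial, Decrypt, DisableKey, ScheduleKeyDeletion, etc.) are real. The allow-lists of custodians and authorized users are assumptions standing in for an organization’s own access policy.

```python
"""Rebuild a per-key life-cycle audit trail from CloudTrail-style KMS events
and flag access outside the expected principals.

Added example for this article; not Cryptomathic's or AWS's code.
"""
from collections import defaultdict

# Constructed identifiers (made up for the example).
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/0000aaaa-1111-2222-3333-444455556666"
CUSTODIAN = "arn:aws:iam::111122223333:role/KeyCustodian"
APP = "arn:aws:sts::111122223333:assumed-role/PaymentsApp/i-0abc123"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor-bob"


def _ev(time, name, actor, **extra):
    """Build one CloudTrail-shaped record for a KMS call (constructed data)."""
    e = {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
         "userIdentity": {"arn": actor}, "resources": [{"ARN": KEY_ARN}]}
    e.update(extra)
    return e


# Constructed sample log: a BYOK key is created, key material imported, used by
# the application, touched by an unexpected user, then disabled and scheduled
# for deletion by the custodian.
SAMPLE_EVENTS = [
    _ev("2024-03-01T09:00:00Z", "CreateKey", CUSTODIAN, resources=[],
        requestParameters={"origin": "EXTERNAL", "keySpec": "SYMMETRIC_DEFAULT"},
        responseElements={"keyMetadata": {"arn": KEY_ARN, "origin": "EXTERNAL"}}),
    _ev("2024-03-01T09:05:00Z", "GetParametersForImport", CUSTODIAN),
    _ev("2024-03-01T09:10:00Z", "ImportKeyMaterial", CUSTODIAN,
        requestParameters={"expirationModel": "KEY_MATERIAL_EXPIRES"}),
    _ev("2024-03-01T10:00:00Z", "Decrypt", APP),
    _ev("2024-03-01T10:30:00Z", "GenerateDataKey", APP),
    _ev("2024-03-01T11:00:00Z", "Decrypt", CONTRACTOR),
    _ev("2024-03-01T11:15:00Z", "Decrypt", CONTRACTOR, errorCode="AccessDenied"),
    _ev("2024-03-02T08:00:00Z", "DisableKey", CUSTODIAN),
    _ev("2024-03-03T08:00:00Z", "ScheduleKeyDeletion", CUSTODIAN,
        requestParameters={"pendingWindowInDays": 7}),
]

# KMS API calls that change a key's state (life-cycle) versus ones that use it.
LIFECYCLE_EVENTS = {"CreateKey", "GetParametersForImport", "ImportKeyMaterial",
                    "DeleteImportedKeyMaterial", "EnableKey", "DisableKey",
                    "ScheduleKeyDeletion", "CancelKeyDeletion", "PutKeyPolicy"}
USAGE_EVENTS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
                "GenerateDataKeyWithoutPlaintext"}


def key_arn_of(event):
    """Key ARN from the resources list, or from CreateKey's response (the key
    does not exist yet when CreateKey is called, so it is not in resources)."""
    for r in event.get("resources", []):
        if r.get("ARN", "").startswith("arn:aws:kms:"):
            return r["ARN"]
    return event.get("responseElements", {}).get("keyMetadata", {}).get("arn")


def build_audit_trail(events):
    """Group KMS events per key, in time order, into life-cycle and usage lists.
    Each entry is (time, eventName, actorArn, errorCode-or-None)."""
    trails = defaultdict(lambda: {"origin": None, "lifecycle": [], "usage": []})
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        arn = key_arn_of(ev)
        if arn is None:
            continue
        name = ev["eventName"]
        entry = (ev["eventTime"], name, ev["userIdentity"]["arn"], ev.get("errorCode"))
        if name == "CreateKey":  # origin EXTERNAL means customer-supplied (BYOK) material
            trails[arn]["origin"] = ev.get("requestParameters", {}).get("origin", "AWS_KMS")
        if name in LIFECYCLE_EVENTS:
            trails[arn]["lifecycle"].append(entry)
        elif name in USAGE_EVENTS:
            trails[arn]["usage"].append(entry)
    return dict(trails)


def _allowed(actor, allow_list):
    """Prefix match so an assumed-role ARN matches its role regardless of session name."""
    return any(actor.startswith(p) for p in allow_list)


def find_findings(trails, custodians, users):
    """Return audit findings: denied attempts, usage by principals outside the
    allow-list, and life-cycle changes by anyone other than a key custodian."""
    findings = []
    for arn, t in trails.items():
        for time, name, actor, err in t["lifecycle"] + t["usage"]:
            if err:
                findings.append(f"{time} {name} on {arn} by {actor} failed: {err}")
            elif name in LIFECYCLE_EVENTS and not _allowed(actor, custodians):
                findings.append(f"{time} {name} on {arn} by non-custodian {actor}")
            elif name in USAGE_EVENTS and not _allowed(actor, users):
                findings.append(f"{time} {name} on {arn} by unauthorized principal {actor}")
    return sorted(findings)


if __name__ == "__main__":
    trail = build_audit_trail(SAMPLE_EVENTS)
    for arn, t in trail.items():
        print(f"{arn}\n  origin: {t['origin']}")
        for time, name, actor, _ in t["lifecycle"]:
            print(f"  {time} {name:<24} {actor}")
        print(f"  {len(t['usage'])} usage events")
    for f in find_findings(trail, {CUSTODIAN}, {APP.rsplit('/', 1)[0] + '/'}):
        print("FINDING:", f)
```

The custodian and user allow-lists are what an auditor would compare against the organization’s documented key policy; the origin value EXTERNAL is the piece of evidence that the key material was supplied by the customer rather than generated inside AWS KMS.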