Cryptomathic AWS BYOK: Secure Scalability, Durability & Availability

In today’s dynamic business landscape, companies need to be agile with their cloud processes to remain competitive. But at the same time, they must do it securely.

Business has drastically changed towards a much more comprehensive digital user experience over the last few years, and COVID-19 is only one of the many drivers for change. The push for digitalization began before the pandemic and only continued to strengthen throughout the crisis. Coupled with the increased popularity of the cloud, businesses across all sectors need to be agile in today’s dynamically changing business environment. Sectors that deal with security-sensitive data must take extra steps to keep that data safe as it moves back and forth to the cloud and when in use with third-party apps - to remain compliant with regulatory requirements and to protect their assets from malicious actors.

Challenges Businesses Face in the Quest for Agility

Cryptography plays a vital role in meeting the challenges that businesses face as they strive for secure scalability, durability, and availability to remain competitive in their markets. This is where Cryptomathic’s AWS BYOK Service can assist with helping businesses achieve real-world key management requirements by remaining in control of their data and data encryption keys, even when their data is spread out among cloud storage providers, like AWS, hybrid cloud data centers, and third-party digital service providers.

Cryptography can help businesses face the challenges of today’s businesses as they become more agile. These challenges can include:

• Attempting to focus on their customers’ unmet needs or needs their customers do not even realize they want yet. This can be solved by developing and deploying innovative digital solutions. However, without cryptography, there remains a significant risk of data being compromised. This may happen on an individual and larger scale.

• Making their platforms automatically scalable in response to customer growth. This will help avoid problems of availability of services or security problems as new customers access services.

• In providing relevant products and services to their customers, businesses will need open and scalable digital platforms that are enriched by partnerships with third parties. However, they need to ensure that data remains secure.

• Expanding their digital capabilities to meet their customers’ needs and attract new customers, businesses will need to offer more services through open and scalable platforms. However, they also need to maintain the services that attracted their customers in the first place that are now relied upon.

Scalability, Durability & Availability

Cryptomathic’s AWS BYOK Service is a fully managed SaaS key management system that offers scalability and durability and is available for improving control of cryptographic keys used in AWS cloud services.

Scalability

Cryptomathic’s AWS BYOK Service automatically scales to meet the business’s needs as its use for encryption grows. Cryptographic keys can be managed within the service and used whenever they are needed for protecting data in transport to and from cloud services or third-party apps and when data is at rest or archived.

Durability

Cryptomathic’s AWS BYOK Service provides durability for cryptographic keys because even though keys are exported to the AWS KMS, they are backed up and can be updated at any point through the AWS BYOK Service. This also gives users the control to export the data from AWS if needed.  To ensure that the user’s keys and data is highly available, multiple copies of encrypted versions of keys are stored in the system to achieve high durability.

Availability

Cryptomathic’s AWS BYOK Service enables users to inject keys into AWS KMS instantly. AWS KMS will then serve keys to apps for en/decryption. AWS BYOK is not a key server or service for apps like AWS S3. When keys are in use with outside services, a secure copy remains so they are available for use as they are needed. Keys in the AWS KMS are used in a secure execution environment like a CloudHSM. Outside services typically generate Data Encryption Keys (DKE). DKEs are sent to AWS KMS for en/decryption with an AWS KMS key. The decrypted DKE will be stored with the data.

Keeping Keys Secure

Cryptomathic’s AWS BYOK Service ensures that cryptographic keys are kept highly available while remaining secured from unauthorized access, No one can access the plaintext keys from the AWS BYOK Service, including, employees of AWS or third-party app vendors. This service uses hardware security modules (HSMs) that have been validated under FIPS 140-2 level 3 to protect the confidentiality and integrity of the cryptographic keys. The keys are never written to disk and instead are only used in the cloud HSMs’ volatile memory for as long as it takes to perform the requested cryptographic operation.