This article discusses how Cryptomathic’s AWS BYOK Service delivers expanded security to protect cryptographic keys while using AWS cloud applications.
Control matters. Anyone who can access your plaintext keys controls everything those keys protect, much as handing your car's key fob to a valet lets them take the car for a joyride. Even when using AWS, it is more secure to retain control of your keys, because they protect your data both in transit and at rest. Cryptomathic's AWS BYOK Service gives users that control.
Protecting Key Confidentiality and Integrity
With Cryptomathic's AWS BYOK Service, no one, including AWS employees, can retrieve your plaintext keys from the AWS service they are imported into. The confidentiality and integrity of the keys are protected by hardware security modules (HSMs) validated to FIPS 140-2 Level 3.
Your plaintext keys exist only in the HSM's volatile memory, and only for as long as it takes to perform the requested cryptographic operation. Keys stored and managed within the HSM are never written to AWS disks, regardless of which AWS service you use them with.
Key Ownership/Control vs Usage vs Possession
It is important to distinguish key ownership and control from key usage and key possession, even though key management systems do not use these terms consistently. Owning a key does not by itself keep it confidential: confidentiality rests with whoever, or whatever, actually possesses the key material.
When you hand your keys to a cloud service provider such as AWS, the provider can use them to access the data they protect, because that is what processing the data requires. Unless you take other steps, the provider's possession and use of the key matters more to your security than your nominal ownership of it. The practical questions are therefore who possesses the key and who can use it, not only who owns it.
Cryptomathic’s AWS BYOK Service
Cryptomathic's approach to BYOK is closer to "manage your own key" (MYOK): the owner manages the key through its entire life cycle, from generation to destruction. The root keys therefore remain under the complete control of their owner rather than of a third-party service provider.
Cryptomathic's AWS BYOK Service is designed so that no one can retrieve users' plaintext keys from the service. Plaintext keys are never written to disk; they are used only in the volatile memory of the HSMs. While a key is in use in AWS, the user retains a secure copy of the key material, so it can be re-imported when needed, for example after the copy held in AWS has been deleted.
Available as an on-demand service, Cryptomathic's AWS BYOK Service gives users full control over the permissions and life cycle of their keys. To protect the integrity and confidentiality of users' cryptographic keys, the service uses HSMs validated under FIPS 140-2 Level 3.
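To make the BYOK mechanism concrete, here is an added example; it is not Cryptomathic's or AWS's code. It walks through the AWS KMS key-import flow offline with the OpenSSL command line: a locally generated RSA-2048 key pair stands in for the wrapping key pair that KMS creates inside its HSMs (in the real flow the private half never leaves the HSM, and GetParametersForImport returns only the public key and an import token), the customer wraps 256 bits of key material with RSAES_OAEP_SHA_256, and the simulated HSM unwraps it. The function names and the working directory are this example's own; the AWS CLI commands in the comments are the real ones.

```sh
#!/bin/sh
# Added example (not Cryptomathic's or AWS's code): the AWS KMS BYOK import
# flow, carried out offline with OpenSSL. A locally generated RSA key pair
# simulates the HSM-resident wrapping key pair; the real private key never
# leaves the KMS HSM.
#
# Real flow, for reference (AWS CLI):
#   aws kms create-key --origin EXTERNAL --description "BYOK root key"
#   aws kms get-parameters-for-import --key-id "$KEY_ID" \
#       --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048
#   (base64-decode PublicKey to wrapping_public.der, ImportToken to import_token.bin;
#    KMS returns the public key DER-encoded, so pass -keyform DER to pkeyutl)
#   aws kms import-key-material --key-id "$KEY_ID" \
#       --encrypted-key-material fileb://encrypted_key.bin \
#       --import-token fileb://import_token.bin \
#       --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
#   aws kms delete-imported-key-material --key-id "$KEY_ID"
#   (the KMS key is then unusable until the same material is re-imported)
set -eu

# Scratch directory for this example (an assumption of the example).
WORK="${WORK:-$(mktemp -d)}"

# Step 1 (KMS side, simulated): generate the wrapping key pair inside the
# "HSM" and export only the public half, as GetParametersForImport does.
kms_generate_wrapping_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/hsm_wrapping_private.pem" 2>/dev/null
    openssl pkey -in "$WORK/hsm_wrapping_private.pem" -pubout \
        -out "$WORK/wrapping_public.pem" 2>/dev/null
}

# Step 2 (customer side): generate 256 bits of key material in your own key
# manager and keep this plaintext copy there; it is what you re-import later.
customer_generate_key_material() {
    openssl rand -out "$WORK/plaintext_key.bin" 32
}

# Step 3 (customer side): wrap the key material with RSAES_OAEP_SHA_256, the
# algorithm KMS accepts for imported symmetric keys. Only this blob is sent.
customer_wrap_key_material() {
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/wrapping_public.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/plaintext_key.bin" -out "$WORK/encrypted_key.bin"
}

# Step 4 (KMS side, simulated): ImportKeyMaterial unwraps with the private
# key that only the HSM holds.
kms_unwrap_key_material() {
    openssl pkeyutl -decrypt -inkey "$WORK/hsm_wrapping_private.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/encrypted_key.bin" -out "$WORK/unwrapped_key.bin"
}

# Returns 0 when the material the "HSM" unwrapped equals the customer's copy.
verify_roundtrip() {
    cmp -s "$WORK/plaintext_key.bin" "$WORK/unwrapped_key.bin"
}

# Size in bytes of the wrapped blob: always one RSA modulus, 256 for RSA-2048.
encrypted_size() {
    wc -c < "$WORK/encrypted_key.bin" | tr -d ' '
}

# Size in bytes of the customer's plaintext key material (32 for AES-256).
key_material_size() {
    wc -c < "$WORK/plaintext_key.bin" | tr -d ' '
}

# Runs the four steps and returns 0 only if the round trip succeeds.
run_import_flow() {
    kms_generate_wrapping_key
    customer_generate_key_material
    customer_wrap_key_material
    kms_unwrap_key_material
    verify_roundtrip
}
```

Run `run_import_flow` to execute the four steps. The point of the flow is step 3: the key material leaves the customer's key manager only under the HSM's public key, so whoever intercepts the blob in transit or on disk cannot recover the key, while the customer still holds the plaintext copy from step 2. Deleting the imported material from KMS later leaves the KMS key unusable until that same copy is re-imported, which is the "secure copy, re-imported when needed" model the article describes.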