Most people will probably agree that encrypting your sensitive data is the right thing to do. It is the technique of choice to meet multiple compliance mandates: depending on the market your business operates in, this might be PCI, HIPAA, NERC-CIP or more general regulations like GDPR or PSD2. Encryption also helps you achieve a higher level of resilience against data breaches and ultimately protects your organization from the reputational impact and the costs involved.
However, your encryption efforts are often weakened if your key management procedures aren’t designed to support your business operations or - even worse - if you don’t plan ahead and implement key management best practices from the get-go.
One of those best practices is to use Hardware Security Modules (HSMs) to generate and protect all your secret keys and certificates, and to run all your crypto operations inside the physical security boundary of an HSM, so that your key material is never exposed in the clear in application or server memory, where it would be susceptible to attack.
The use of HSMs is however only one building block of a successful encryption strategy.
Equally important is to design and implement strong key management practices that follow regulatory requirements and support your unique workflows and business requirements. Often overlooked, this also involves designating staff, actual people, who understand the importance of key management procedures and how to embed them in everyday business operations.
One may argue that the challenges resulting from these necessities were already enormous when organizations had all of their critical systems on-site in their own data centers. Remember the days? Those were the heyday of protecting your perimeter by means of logical and physical countermeasures.
Today, more and more of your workloads are being run in “someone else’s data center” AKA “the cloud”, so your key management challenges become even more daunting. What is more, with diverse requirements for your applications to run in “the cloud”, you will more likely than not end up with multi-cloud. Some call it a strategy; I like to refer to it as more of a situation: something you are faced with and have to deal with, rather than something you can influence and choose, like a strategy.
For organizations in this position, key management for multi-cloud might feel like an actual curse.
By moving into the cloud, you already put a lot of trust in the cloud service providers by handing over your sensitive data. Over time, all of the service providers have started to offer their own flavor of “BYOK - Bring your own Key” initiatives to address those concerns. In and of itself, that is a great step in the right direction. One thing all of those initiatives have in common, though, is that you are now trusting that same entity not only with your sensitive data but also with the secret keys required to unscramble that data. In real life, many of us follow the notion of “don’t put all your eggs in the same basket” to manage our risk.
Yet with our critical data, are we less concerned, or do we even ignore the associated risks? With this becoming a potential problem, PCI SSC’s latest Cloud Guidelines also “recommend that cryptographic keys used to encrypt/decrypt sensitive data be stored and managed independently from the cloud service where the data is located”.
Luckily, there is the option of taking a slightly different approach by leveraging third-party providers who offer multi-cloud solutions. These enable you not only to “Bring” your own key, but to take a step beyond that and start to “Manage Your Own Key - MYOK”.
Ultimately, this step can enable your business to fully leverage the promise of migrating to the cloud, freeing your apps to run crypto operations in a flexible and highly secure manner.
Talk to our experts and we can discuss options on how to turn your multi-cloud situation into a blessing.