
Banking-grade Key Management: From On-premises to Multi-cloud BYOK


In this article we look at integration points and explain why a key management system must be able to integrate with many applications across different environments, both in-house data centers and public clouds.

Banks and financial institutions are under growing pressure to migrate IT services from on-premises, self-managed data centers to public cloud services. Cloud computing brings significant advantages such as native elasticity and resilience, and it can cut costs by moving non-critical services into metered, on-demand environments. These advantages align well with the goals of rapid, agile development and delivery of products and services that banks use to differentiate themselves from the competition.

On the other hand, business-critical processes such as financial transactions and card payments, and PII such as customers' risk assessment data, will probably not migrate to the cloud anytime soon. These core services will instead remain in a highly protected in-house data center.


Hybrid IT Landscapes

Such a blend of cloud and data center environments in a nationally or globally distributed network of banking locations leads to decentralized, hybrid IT landscapes. 


Cloud platforms have traditionally proposed cloud-based security with provider-managed key management to protect the data. In a hybrid or multi-cloud setting this means the provider, not the bank, holds and controls the key material, and with it effective control over the data those keys protect.

Some of the security risks in such hybrid architectures are highlighted and described in the article “Migrating Business-Critical Cryptography to the Cloud - Considerations for the Banking Sector”.

These risks include:

  • Data Security and Privacy concerns
  • Risk of Vendor Lock-in (hardware and software)
  • Dilemma of key ownership in Public Clouds
  • Auditability and Compliance

Many start-ups are entering the market with cloud key-management offerings, often in partnership with the large cloud providers. Behind the marketing, however, these offerings rarely deliver crypto-agility or protection against vendor lock-in.

Our judgment is clear and unambiguous: Cloud providers should not have full control of the encryption keys that are used in the cloud.

Banks and financial institutions need something more holistic and all-embracing.


Banking-Grade Key Management in a Hybrid-cloud Environment

We now look at how key management in a hybrid- or multi-cloud scenario should be designed to ensure data security and privacy, retain the freedom to change cloud provider, keep ownership and control over the keys, and enable auditability as proof of compliance through centrally available audit logs.


Typical Banking Landscape


In banking or other business-critical cryptography, we can distinguish three areas:

  1. The applications that need access to private and secret keys to perform a cryptographic operation.
  2. The device that stores the keys and performs the cryptographic operation. Typically, this is a hardware security module (HSM).
  3. The system that controls and manages the lifecycle of the most important keys. This is commonly known as a crypto key management system (CKMS).

These three areas must be integrated into a single, highly secure system.

Such integration requires integration points.

An integration point is the end-to-end connection between the CKMS, which manages the key lifecycle, and the application or HSM that uses the key. Every such point, from legacy banking systems to hybrid-cloud environments (public cloud, private cloud or data center), has to be accounted for when a new key management system is introduced into a banking environment or one key management system is replaced by another.


Seamless banking grade key management from the data center to the cloud

Figure: CKMS in the data center with multiple integration points

A good CKMS should provide off-the-shelf, proven integration points for all of the infrastructures and applications shown in the figure.


A CKMS should not only provide flexibility in the deployment environment, that is, the freedom to replace a cloud or data center, or to swap an HSM from one vendor for one from another. A future-proof solution should also deliver crypto-agility: the ability to change cryptographic parameters such as the algorithm or key length without changing application code.

Even if not all of the variations presented above are present in a bank today, they may appear in the future, triggered by a new application or a new regulation.

The key management system should never be the reason such a change is rejected.
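As an added example that is not part of the original article and not code from any Cryptomathic product, the following Python sketch shows the indirection that crypto-agility requires, and also the central audit log that the previous section asks for. The application names a key only by label; the algorithm, key length, version and lifecycle state belong to a hypothetical `KeyRegistry` that stands in for the CKMS/HSM side. When the registry rotates the key from HMAC-SHA256 to HMAC-SHA512, the application functions are untouched, and a key marked compromised is refused even for verification. The key labels, the `KeyRegistry` class and the sample record are all constructed for this example; HMAC from the standard library is used in place of an HSM-backed operation.

```python
import hmac
import secrets
from dataclasses import dataclass

# Algorithm identifiers are resolved here, inside the registry, never in the application.
_HASHES = {"HMAC-SHA256": "sha256", "HMAC-SHA512": "sha512"}


@dataclass
class KeyVersion:
    version: int
    algorithm: str
    material: bytes
    state: str = "active"  # lifecycle: active -> deactivated (verify only) -> compromised


class KeyRegistry:
    """Hypothetical stand-in for a CKMS: owns key material, the algorithm bound to
    each key version, the lifecycle state of each version and a central audit log."""

    def __init__(self):
        self._keys = {}      # label -> [KeyVersion, ...], newest last
        self.audit_log = []  # (event, label, version)

    def _log(self, event, label, version):
        self.audit_log.append((event, label, version))

    def _get(self, label, version=None):
        versions = self._keys[label]
        return versions[-1] if version is None else versions[version - 1]

    def create(self, label, algorithm, length):
        if algorithm not in _HASHES:
            raise ValueError(f"unsupported algorithm {algorithm}")
        self._keys[label] = [KeyVersion(1, algorithm, secrets.token_bytes(length))]
        self._log("create", label, 1)

    def rotate(self, label, algorithm, length):
        """Issue a new active version, possibly with a new algorithm or length.
        The previous version is deactivated and remains usable for verification only."""
        versions = self._keys[label]
        versions[-1].state = "deactivated"
        new = KeyVersion(versions[-1].version + 1, algorithm, secrets.token_bytes(length))
        versions.append(new)
        self._log("rotate", label, new.version)

    def compromise(self, label, version):
        self._get(label, version).state = "compromised"
        self._log("compromise", label, version)

    def mac(self, label, data):
        kv = self._get(label)  # always the newest version
        if kv.state != "active":
            raise PermissionError(f"{label} v{kv.version} is {kv.state}")
        self._log("mac", label, kv.version)
        return kv.version, hmac.new(kv.material, data, _HASHES[kv.algorithm]).digest()

    def verify(self, label, version, data, tag):
        kv = self._get(label, version)
        if kv.state == "compromised":
            self._log("verify-refused", label, version)
            return False
        self._log("verify", label, version)
        expected = hmac.new(kv.material, data, _HASHES[kv.algorithm]).digest()
        return hmac.compare_digest(expected, tag)


# Application side: refers to the key by label only. Nothing here changes when the
# registry rotates the key to a different algorithm or length.
def application_protect(registry, record):
    version, tag = registry.mac("txn-mac", record)
    return {"record": record, "key_version": version, "tag": tag}


def application_check(registry, envelope):
    return registry.verify("txn-mac", envelope["key_version"],
                           envelope["record"], envelope["tag"])


def demo():
    reg = KeyRegistry()
    reg.create("txn-mac", "HMAC-SHA256", 32)
    old = application_protect(reg, b"transfer 100 EUR")  # constructed sample record
    reg.rotate("txn-mac", "HMAC-SHA512", 64)             # algorithm change, no app change
    new = application_protect(reg, b"transfer 100 EUR")
    results = {
        "old_tag_len": len(old["tag"]),
        "new_tag_len": len(new["tag"]),
        "old_still_verifies": application_check(reg, old),
        "new_verifies": application_check(reg, new),
        "tampered_rejected": not application_check(reg, {**new, "record": b"transfer 900 EUR"}),
    }
    reg.compromise("txn-mac", 1)  # v1 must now fail even for verification
    results["compromised_refused"] = not application_check(reg, old)
    results["audit_events"] = [event for event, _, _ in reg.audit_log]
    return results
```

Calling `demo()` walks through one rotation: the old envelope still verifies with its recorded key version (tag length 32), the new one carries a 64-byte tag from the new algorithm, a tampered record is rejected, and after the registry marks version 1 compromised the old envelope is refused. Every operation leaves an entry in `audit_log`, which is the kind of centrally available evidence an auditor would ask for. The same split holds when the registry is backed by an HSM in the data center or by keys the bank brought to a cloud provider: the application does not change when the back end does.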


Summary, Bigger Picture and Outlook

We looked at the most important cryptographic integration points in a banking IT landscape and emphasized the central role of a key management system in integrating the various areas in data centers and in the cloud.

Our focus was on common applications using hardware security modules (HSM) in a banking environment.

A key management solution must do more than control the entire key lifecycle in compliance with international banking regulations and PCI standards: ideally, it also provides crypto-agility for every application.

