In this article we will look at integration points and explain why it is important that a key management system is able to integrate with a number of applications across various environments (in-house data centers and public clouds).

Banks and financial institutions are increasingly feeling the pressure to migrate IT services from on-premise, self-managed data centers to public cloud services. Cloud computing offers significant advantages such as native elasticity and resilience, and it can reduce costs by outsourcing non-critical services into metered, on-demand cloud environments. These advantages align well with modern goals of rapid, agile development and delivery of products and services, which banks and others use to differentiate themselves from their competition.

On the other hand, critical processes such as financial transactions and card payments, or PII such as customers' risk assessment data, will probably not migrate to the cloud anytime soon. These core services will instead remain in a highly protected in-house data center.

Hybrid IT Landscapes

Such a blend of cloud and data center environments in a nationally or globally distributed network of banking locations leads to decentralized, hybrid IT landscapes. 


To secure the data, cloud computing platforms have previously proposed cloud-based security with cloud-based key management. But with this approach for hybrid- or multi-clouds, the bank immediately loses all ownership and control over keys and data. 

Some of the security risks in such hybrid architectures are highlighted and described in the article “Migrating Business-Critical Cryptography to the Cloud - Considerations for the Banking Sector”.

These risks include:

  • Data Security and Privacy concerns
  • Risk of Vendor Lock-in (hardware and software)
  • Dilemma of key ownership in Public Clouds
  • Auditability and Compliance

Many startups are appearing in the market with value propositions around key management in the cloud, teaming up with the big cloud players, but behind the marketing communication there is no real answer to crypto-agility or to avoiding vendor lock-in.

Our judgement is clear and unambiguous:

Cloud-Based Key Management Does Not Do The Job

Banks and financial institutions need something more holistic and all embracing.

Banking-Grade Key Management in a Hybrid-cloud Environment

We now look at how key management in a hybrid- or multi-cloud scenario should be conceived so that it ensures data security and privacy, retains the freedom to change cloud platform providers, keeps ownership and control over the keys, and enables auditability as proof of compliance through centrally available audit logs.

Typical Banking Landscape


In banking or business-critical cryptography, we can differentiate between three different areas:

  1. The applications that require access to keys to perform a cryptographic operation.
  2. The device where the keys are stored and used to perform the cryptographic operation. This is typically a hardware security module (HSM).
  3. The system that controls and manages the lifecycle of the most important keys. This is commonly known as a crypto key management system (CKMS).

These three areas need to be integrated to create one highly secure process.

Such a process requires integration points.

Integration points refer to the end-to-end integration between the CKMS (which manages the lifecycle of keys) and the application or HSM that uses the key. Each of them needs to be considered in a crypto process, from legacy banking to hybrid-cloud environments (public clouds, private cloud or data center), when integrating a new key management system into a banking environment or migrating from one key management system to another.

Figure: Seamless banking-grade key management from the data center to the cloud (CKMS in the data center with multiple integration points)

A good CKMS should provide off-the-shelf, proven integration points to all of the infrastructures and applications shown above.

But a CKMS should not only provide flexibility with respect to changing the deployment environment, meaning the freedom to replace a cloud or data center, or to replace an HSM from one vendor with an alternative from another. A future-proof solution should also enable crypto-agility, i.e. the capability to change cryptographic parameters, such as the algorithm or key length, without changing the application code.

Even if not all the above presented variations are currently present in a bank, they might come in the future, potentially triggered by a new application or new regulations.

The key management system should never be the reason a bank has to forgo such a change.
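The three areas above (application, key-holding device, CKMS) and the crypto-agility property just defined, as an added illustration that is not code from this page or from any product: a hypothetical, constructed stand-in for a CKMS owns key material, lifecycle state and a central audit trail, while the application refers to a key only by its label. HMAC from the Python standard library stands in for the HSM operation so the example runs offline; the label "customer-risk-mac" and the record bytes are constructed.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass

@dataclass
class KeyRecord:
    label: str
    version: int
    algorithm: str      # chosen by CKMS policy, never by the application
    material: bytes     # would stay inside the HSM in a real deployment
    state: str = "active"

class KeyManager:
    """Hypothetical stand-in for the CKMS: owns lifecycle, policy and audit log.
    ALGORITHMS maps a name to (digest, key length); new algorithms are added here."""
    ALGORITHMS = {"HMAC-SHA256": (hashlib.sha256, 32), "HMAC-SHA512": (hashlib.sha512, 64)}

    def __init__(self):
        self._keys = {}   # label -> list of KeyRecord, one per version
        self.audit = []   # central audit trail: (event, label, version, detail)

    def generate(self, label, algorithm):
        """New key version under the label; older versions are deactivated."""
        _, size = self.ALGORITHMS[algorithm]
        versions = self._keys.setdefault(label, [])
        for old in versions:
            old.state = "deactivated"
        rec = KeyRecord(label, len(versions) + 1, algorithm, secrets.token_bytes(size))
        versions.append(rec)
        self.audit.append(("generate", label, rec.version, algorithm))
        return rec.version

    def sign(self, label, data):
        """Protect data with the current version; the key material never leaves here."""
        rec = self._keys[label][-1]
        if rec.state != "active":
            raise PermissionError(f"{label} v{rec.version} is {rec.state}")
        digest, _ = self.ALGORITHMS[rec.algorithm]
        self.audit.append(("sign", label, rec.version, rec.algorithm))
        return rec.version, hmac.new(rec.material, data, digest).digest()

    def verify(self, label, version, data, tag):
        """Deactivated versions may still verify, so records protected earlier stay checkable."""
        rec = self._keys[label][version - 1]
        digest, _ = self.ALGORITHMS[rec.algorithm]
        ok = hmac.compare_digest(hmac.new(rec.material, data, digest).digest(), tag)
        self.audit.append(("verify", label, version, ok))
        return ok

def protect_risk_record(kms, record):
    """Application side: refers to the key by label only; no algorithm or length hard-coded."""
    return kms.sign("customer-risk-mac", record)
```

Rotating the label from HMAC-SHA256 to HMAC-SHA512 changes the algorithm and key length on the CKMS side only; `protect_risk_record` is untouched and every step is visible in `kms.audit`.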

Summary, Bigger Picture and Outlook

In this article we had a look at the most important cryptographic integration points in a banking IT landscape and emphasized the central role of a key management system in integrating the various areas in data centers and in the cloud.

Our focus was on the typical applications that use hardware security modules (HSM) in a banking environment.

A key management solution must do more than control the entire lifecycle of keys while maintaining compliance with international banking regulations and PCI standards; ideally, it should also provide crypto-agility for any application.
