In this article, we will look at integration points and explain why it is important that a key management system is able to integrate with a number of applications across various environments (in-house data centers and public clouds).
Banks and financial institutions are increasingly feeling the pressure to migrate IT services from on-premises, self-managed data centers to public cloud services. Cloud computing offers significant advantages such as native elasticity and resilience, and it can help businesses cut expenses by outsourcing non-critical services to metered, on-demand cloud environments. These advantages align well with modern goals of rapid and agile development and delivery of products and services, which banks and others use to differentiate themselves from their competition.
On the other hand, critical processes such as financial transactions and card payments, and PII such as customers' risk assessment data, will probably not migrate to the cloud anytime soon. These core services will rather remain in a highly protected in-house data center.
Hybrid IT Landscapes
Such a blend of cloud and data center environments in a nationally or globally distributed network of banking locations leads to decentralized, hybrid IT landscapes.
Cloud computing platforms have so far proposed cloud-based security with cloud-based key management to protect the data. With this approach in a hybrid or multi-cloud setup, however, the bank immediately loses all ownership and control over keys and data.
Some of the security risks in such hybrid architectures are highlighted and described in the article “Migrating Business-Critical Cryptography to the Cloud - Considerations for the Banking Sector”.
These risks include:
- Data Security and Privacy concerns
- Risk of Vendor Lock-in (hardware and software)
- Dilemma of key ownership in Public Clouds
- Auditability and Compliance
Many startups are entering the market with value propositions around key management in the cloud, teaming up with the big cloud players, but behind all the marketing communication there is no actual value proposition for crypto-agility or for avoiding vendor lock-in.
Our judgment is clear and unambiguous: Cloud providers should not have full control of the encryption keys that are used in the cloud.
Banks and financial institutions need something more holistic and all-embracing.
Banking-Grade Key Management in a Hybrid-cloud Environment
We now look at how key management in a hybrid or multi-cloud scenario should be conceived so that it ensures data security and privacy, retains the liberty to change cloud provider, keeps ownership and control over the keys, and enables auditability as proof of compliance through centrally available audit logs.
Typical Banking Landscape
In banking or business-critical cryptography, we can differentiate between three areas:
- The applications that need access to private and secret keys to perform a cryptographic operation.
- The device that stores the keys and performs the cryptographic operation. Typically, this is a hardware security module (HSM).
- The system that controls and manages the lifecycle of the most important keys. This is commonly known as a crypto key management system (CKMS).
These three areas must be merged to form a single highly secure system.
Such a process requires integration points.
Integration points refer to the end-to-end integration between the CKMS (which manages the lifecycle of keys) and the application or HSM that uses the key. Every such point must be considered in a crypto process, from legacy banking systems to hybrid-cloud environments (public cloud, private cloud or data center), when integrating a new key management system into a banking environment or migrating from one key management system to another.
Figure: CKMS in the data center with multiple integration points
A good CKMS should be able to provide off-the-shelf, proven integration points to all of the infrastructures and applications shown above.
A CKMS should offer more than flexibility with respect to the deployment environment, meaning the freedom to replace the cloud or data center, or to replace an HSM from one vendor with an alternative from another. A future-proof solution should also enable crypto-agility, i.e. the capability to change cryptographic parameters, such as the algorithm or key length, without changing the application code.
Even though not all of the above-presented variations are currently present in a bank, they may appear in the future, potentially triggered by a new application or new regulations.
The key management system should not be the reason for forgoing that change.
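The following is an added example, not code from the original article or from any Cryptomathic product, illustrating the crypto-agility requirement above and the application / key device / CKMS split described under "Typical Banking Landscape". It assumes a hypothetical in-process KMS stand-in (keys generated with os.urandom instead of living in an HSM): the application refers to keys only by label, algorithm and key length are KMS policy, and a version header on every MAC tag keeps data produced before a rotation verifiable.

```python
import hashlib
import hmac
import os
import struct

# Header carried in front of every tag: the key version that produced it.
_VERSION = struct.Struct(">I")


class KMS:
    """Minimal stand-in for a CKMS (constructed for this example, not a real
    product API). Each label owns versioned keys, each with its own algorithm
    and key length; the newest version produces new tags, older versions stay
    available so tags produced before a rotation still verify."""

    def __init__(self):
        self._keys = {}   # label -> [(algorithm, key_bytes), ...]
        self.audit = []   # central audit log of key lifecycle events

    def rotate(self, label, algorithm="sha256", key_len=32):
        # Algorithm and key length are KMS policy; the application never sees them.
        hashlib.new(algorithm)  # raises ValueError for an unsupported algorithm
        versions = self._keys.setdefault(label, [])
        versions.append((algorithm, os.urandom(key_len)))
        self.audit.append(("rotate", label, len(versions) - 1, algorithm, key_len))

    def mac(self, label, data):
        """Application-facing call: a label and the data, no crypto parameters."""
        versions = self._keys.get(label)
        if not versions:
            raise KeyError(f"unknown key label: {label}")
        version = len(versions) - 1
        return _VERSION.pack(version) + self._tag(label, version, data)

    def verify(self, label, data, blob):
        """Uses the key version named in the blob, so old and new tags coexist."""
        versions = self._keys.get(label, [])
        if len(blob) < _VERSION.size:
            return False
        (version,) = _VERSION.unpack_from(blob)
        if version >= len(versions):
            return False
        expected = self._tag(label, version, data)
        return hmac.compare_digest(blob[_VERSION.size:], expected)

    def _tag(self, label, version, data):
        algorithm, key = self._keys[label][version]
        # Bind label and version into the MAC so a tag cannot be reused under another key.
        msg = label.encode() + _VERSION.pack(version) + data
        return hmac.new(key, msg, algorithm).digest()
```

Rotating the label from HMAC-SHA256 with a 32-byte key to HMAC-SHA512 with a 64-byte key changes only the `rotate` call made by the KMS operator; the application's `mac` and `verify` calls stay exactly as they are.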
Summary, Bigger Picture and Outlook
We looked at the most important cryptographic integration points in a banking IT landscape and emphasized the central role of a key management system in integrating the various areas in data centers and in the cloud.
Our focus was on common applications using hardware security modules (HSMs) in a banking environment.
A key management solution must do more than control the entire lifecycle of keys while maintaining compliance with international banking regulations and PCI standards - in an ideal scenario, it should also provide crypto-agility for any application.