Secure BYOK for AWS Simple Storage Services (S3)

Cloud storage via AWS Storage Services is a simple, reliable, and scalable way to store, retrieve and share data. As a third-party cloud vendor, AWS manages and operates the data storage as a service. Because capacity and costs are delivered on demand (just in time), it eliminates having to buy and manage your own infrastructure for storing data. This service supplies anytime, anywhere data access, which gives users agility, durability, and global scalability. To maintain compliance with major industry standards like GDPR, HIPAA and PCI-DSS while harnessing the advantages of cloud storage, this article suggests a bring-your-own-key (BYOK) solution with automated audit features.

How Does AWS Storage Services Work?

AWS Storage Services manages capacity, security, and durability to make user data accessible to their applications around the globe. The cloud storage is accessed by the applications via traditional storage protocols or directly through an API.

Amazon Simple Storage Service (S3) offers object storage, giving applications developed in the cloud the benefits of its vast scalability and rich metadata. S3 is ideal for building applications from scratch, but it can also be used to import existing data stores to analyze, back up or archive.

The benefits of storing data in the cloud using third-party AWS Storage services like S3 include:

1. Total Cost of Ownership

Cloud computing has a beneficial impact on total cost of ownership in several ways, including not needing to buy hardware to store data, only paying for the storage that is used, economies of scale, and increased agility.

2. Information Management

It is possible to perform powerful information management tasks like locking down data to meet compliance requirements or automated tiering using cloud storage lifecycle management policies.

3. Time to Deployment

Infrastructure or lack thereof can be a roadblock for development teams who are ready to execute. By storing data in the cloud, the exact amount of storage needed is available when it is needed.

Fundamental Requirements for Cloud Storage

It is essential to ensure that the user’s critical data is kept safe, secure, and available when needed. There are several fundamental cloud storage requirements to consider when using cloud storage like AWS S3.

  • Durability. To prevent data loss, whether by human error, natural disaster or mechanical fault, data should be stored redundantly.
  • Availability. All data should be made available when it is needed. However, there is a difference between production data and archives.
  • Security. Data should be encrypted at rest and in transit because of the increased risk of unauthorized access. It is critical that access controls and permissions work as well in the cloud as they do for on-premise storage.

Cryptomathic’s Secure BYOK Service for AWS Storage Services like S3

With Cryptomathic’s AWS BYOK Service, keys are managed throughout their life cycle beginning with creation and ending with destruction. BYOK’s root key is stored within a cloud-based FIPS 140-2 Level 3 HSM. When it is used for an AWS service like S3, the user’s application key is stored on an AWS HSM. But instead of the root key being under the control of AWS or another third party, it stays under the control of Cryptomathic’s AWS BYOK Service. Thus, the root key is kept secured, managed and protected from third-party access.

Combining Ease of Use and Security

Traditionally, industry-grade security required local data centers and sophisticated infrastructure. Cryptomathic has disrupted this by applying its years of experience in pioneering cybersecurity infrastructure that is used by governments and banks.

By pairing Cryptomathic Key Management Technology with AWS Cloud Storage and S3, users get the best of both worlds with:

Industry-grade security

  • Cryptomathic Key Management Technology securely manages the life cycle of root keys (key encryption keys, KEKs).
  • Maintains compliance with industry standards like GDPR, HIPAA, PCI-DSS and more.
  • Documented compliance and auditability through downloadable reports, such as information on and logging of system keys, with time-stamped records of changes.
  • Operation from the EU in a SOC 2 data center.

Ease of use

AWS Cloud Services offers ease of use through:

  • On-demand subscription model.
  • Easy and rapid ramp-up and deployment of the solution.
  • Comfortable, easy-to-use user interface.
  • No long-term binding contracts.

Why Integrate Cryptomathic’s AWS BYOK Service for AWS Storage Services?

Cryptomathic’s AWS BYOK Service is designed to keep data protected and out of the reach of unauthorized third parties, including AWS employees, by never exposing user plaintext keys. These keys are never written to disk; they are used only in the volatile memory of the HSM. The user keeps a secure copy of the root keys, so the keys can be re-imported or exported when needed.

Using Cryptomathic’s AWS BYOK Service for AWS S3 offers the highest level of control over the permissions and lifecycle of the users’ keys. AWS S3 provides users with scalable storage for their data, while Cryptomathic’s service scales automatically to manage as many keys as needed and uses them only when required, keeping the keys secure.
