Today, multiple IT megatrends, including mobility and cloud adoption, are simultaneously and fundamentally changing how corporate data is stored, accessed and secured, challenging perimeter-centric security models and complicating compliance with industry regulations. At the same time, the threat landscape continues to evolve with bad actors employing new attack vectors and methods and internal threats exercising new data exfiltration techniques. But one constant remains: Security should be applied as close to the data as possible, and especially relevant consideration for data stored by cloud services in physical locations into which the customer lacks visibility and control.
Encryption is a process that uses algorithms to encode data as ciphertext. This ciphertext can only be made meaningful again if the person or application accessing the data has the data encryption keys necessary to decode the ciphertext. So, if the data is stolen or accidentally shared, data encryption ensures that it is protected by being indecipherable.
Controlling and maintaining data encryption keys is an essential part of any data encryption strategy. With the encryption keys, a cybercriminal can return encrypted data to its original unencrypted state. An encryption key management system includes the generation, exchange, storage, use, destruction and replacement of encryption keys.
What is Bring Your Own Keys (BYOK)?
Whilst cloud computing offers many advantages, a major disadvantage has been security, as data physically resides with the Cloud Service Provider (CSP) and is out of the direct control of the owner of the data. For enterprises that elect to use encryption to protect their data, securing their encryption keys is of paramount importance.
Bring Your Own Key (BYOK) is an encryption key management system that allows enterprises to encrypt their data and retain control and management of encryption keys. However, some BYOK plans upload the encryption keys to the CSP infrastructure. In these cases, the enterprise has once again forfeited control of its keys.
A best-practice solution to this “Bring Your Own Key” problem is for the enterprise to generate strong keys in a tamper-resistant Hardware Security Module (HSM) and control the secure export of its keys to the cloud, thereby strengthening its key management practices.
Why is BYOK Important?
BYOK enables organisations to retain control of their own data, with cloud vendors encrypting customer data using a customer-provided key rather than a generic one.
BYOK uses a key-encryption key which then wraps the cloud vendor keys, meaning that the customer can then rotate and expire keys as required rather than the cloud provider having control.
This is especially important for Law Firms, as many Financial Services clients require firms to control and manage their own encryption keys in cloud services.
Can you set up BYOK using the cloud vendor’s key manager?
Yes, both Microsoft and Amazon offer HSM backed key management. But it is up to the customer to properly manage the keys and backups as key rotations are manual.
To address these challenges, cloud providers have introduced support for Bring Your Own Key (BYOK) that allows organisations to encrypt data inside cloud services with their own keys whilst continuing to leverage the cloud provider’s native encryption services to protect their data.
Even with BYOK, keys still exist in the cloud providers’ key management service. However, because keys are now generated, escrowed, rotated and retired in an on-premises Hardware Security Module (HSM), BYOK helps organisations to address compliance and reporting requirements more fully. Another benefit is that companies can ensure cryptographic keys are generated using a sufficient source of entropy and are protected from disclosure.
While BYOK offers increased control, it also comes with additional key management responsibilities that are magnified in multi-cloud environments. Every cloud provider has its own set of APIs and its own cryptographic methods for transporting keys.
How do you know the cloud vendor can’t access your data with your keys?
Encrypted key generation is done within an on-premises secure HSM and the key stays encrypted until it is transferred to the key vault of the cloud vendor, meaning that the target key always remains within the HSM protection boundary and therefore is not accessible to the cloud vendor.
Is it possible to use one platform to manage multiple cloud keys?
Simply put, yes but ensure that the platform can support all your required cloud platforms.
What are the benefits of using a single platform to manage multiple cloud keys?
Cloud key management may be considered in various ways:
- Logging into each cloud console and managing cloud keys created by the cloud provider
- Finding a source to generate keys and then using cloud provider CLI commands to download wrapping keys and upload wrapped keys
Across multiple clouds and multiple workloads, each requiring its own master key, the above steps can become cumbersome. Having a single platform to manage multiple cloud keys allows for centralised encryption key management, presenting all supported clouds and multiple cloud accounts in a single browser tab.
One key benefit means that training for users is done for just one platform, not multiple platforms with different user interfaces thereby preventing there being a single point of failure.
What can you encrypt with your own keys?
Keys can be used to encrypt a variety of data, examples include, but are not limited to:
- Azure Data ‘At Rest’ – Storage encryption, Bitlocked, Office 365 Service Encryption
- Azure data ‘in use’ SQL online
- AWS data ‘at rest’ in applications and VMs
- File and folder encryption
What happens when we want to exit a cloud contract?
By retaining control of encryption keys you can expire access to keys as required. This renders data useless if you decide to move away from a particular cloud vendor or application.
Are there any risks associated with a key manager which do not exist when you go directly with the SaaS companies?
By directly relying on the SaaS vendor to do everything in relation to key management, it provides the business with no control over their own keys. By utilising key management software, it is highly certified plus the business is in control of their own keys.
While many cloud service providers (CSPs) offer native encryption, that capability, in and of itself, does not address all use cases or compliance requirements. Co-located encryption keys provide access to encrypted data and raise questions and concerns over separation of duties, lack of dual controls between data and keys, operational aspects of key management including key rotation, deactivation and more. For these and many other reasons, industry best practices, such as those from the Cloud Security Alliance, simply state that encryption keys should be held remote from the cloud provider. If the CSP holds the keys, then the customer should be rightfully concerned about what happens in the case of a court serving the CSP a subpoena requiring access to the data. Key management and clarity on which party—the CSP or the customer—should be the custodian of the keys is an important factor for security professionals given prescribed guidelines and regulatory requirements.
How do you avoid a key person dependency or rogue admin holding the company to ransom on their data?
By utilising a key manager, the end-user company never has root access, with only the key management company having access to the backend of the system.
Some of the key things to ensure are:
- Retain regular backups of the keys which are kept offsite
- Ensure more than 1 person is managing the key manager to prevent a single point of failure
If a rogue admin does access the Cloud Key Manager console it will not have an impact on the cloud services.
How Mobliciti can help
At Mobliciti, we partner with innovative technology which enhances and improves efficiency for businesses. The Thales CipherTrust Cloud Key Manager (CCKM) solution can be deployed on-premises, in private cloud environments or instantiated in public cloud environments, as a shared Amazon Machine Image (AMI), from the Azure or Azure Stack Marketplace. CCKM also offers customers several choices for key sources including the CipherTrust Manager and the Vormetric Data Security Manager. CCKM and its key sources offer easy-to-use graphical user interfaces to remove much of the complexity often associated with key management. The result is centralised key management across multiple cloud services that can simplify compliance and regulation audits for PCI DSS, FISMA, HIPAA and GDPR.
These flexible deployment options represent a notable consideration for organisations evaluating key management solutions for cloud-resident data. Some customers can opt for the efficiencies of a full or partial cloud deployment, others can choose the on-premises option when custodianship of the keys is a requirement for internal security policies or compliance considerations. All options are single-tenant, including cloud deployment, which keeps key control in the hands of the customer with the cloud service provider having no access to either the management plane or the key source/vault. Get in touch to find out more.