In our blog article, “Why Deploy Identity and Key Management at the Edge,” we discussed how localizing security functions, such as hardware security modules (HSM), delivers greater control and improves security and performance. We know this is true from our own experiences with our customers that leverage hybrid and multiple cloud platforms. By providing key management capabilities in proximity to data but not directly with it, you can enable a more secure, faster user validation and access to critical data assets. The 451 Research Pathfinder Advisory report, “Key Management as a Service: A Concept for Modern Encrypted Data Requirements,” cites that more and more enterprise workloads are being placed in the cloud, an estimated 60% by 2018. Given these findings, the time has come for digital businesses to leverage key management as a service for protecting and accessing their data in multiple cloud platforms.
Deploying key management as a service in the public cloud gives digital businesses many advantages, including:
- Shifting fixed capex costs to more manageable, usage-based opex costs
- Expediting the spin up of security services in a more agile manner
- Easily maintaining changes and upgrades across multiple cloud services
However, there are some enterprise concerns around cloud-based security that will need to be addressed before more mission-critical workloads can use key management as a service and be safely deployed.
Cloud-based security concerns are on the rise
A Ponemon Institute 2016 survey on enterprise encryption trends lists the most important capabilities that should be considered when selecting any encryption technology solution (see chart below). The more than 4,800 global respondents said two critical features are managing system performance and latency (74%) and management of keys (68%). However, a fragmented approach to either of these across different cloud service platforms in hybrid and multicloud deployments increases risk, especially when cloud security services have a shared fate with other cloud service dependencies. Given these concerns, it’s no surprise that another important feature for an encryption technology solution cited by the Ponemon respondents (69%) was supporting both cloud and on-premises deployments).
Most important features of encryption technology solutions
Source: Ponemon Institute 2017 Global Encryption Trends Study
451 Research’s “Voice of the Enterprise Information Security, Budgets and Outlook 2016” survey results also confirm enterprises’ lack of comfort around how to best securely manage data in the cloud. 451 Research asked enterprise IT professionals to rate the level of their data-related concerns on the following potential issues with hosted cloud solutions. The graphic below illustrates the results:
Data-related concerns regarding hosted cloud
These results reveal a range of enterprise security concerns, including preventing data breaches, maintaining data confidentiality, knowing how and where data is backed up, and effectively controlling and deleting data, especially when it is being shifted between cloud providers and other entities their IT organizations must control.
Given this, 451 Research sees key management as a service is a concept whose time has come. In its recent report commissioned by Equinix, “Key Management as a Service: A Concept for Modern Encrypted Data Requirements,” 451 points out that the requirements for encrypting data for cloud environments are quite different from traditional file and disk encryption. The audit requirements for compliance are more complex to document, and key management operational practices include capabilities such as how to ensure that identity keys can be securely created, distributed, stored and updated.
We agree wholeheartedly with 451 Research when they say that “the key management service provides a control point for accessing encrypted data with flexibility to place the control point on-premises or in the cloud.” One way to accomplish this is to place encryption key management at the traffic exchange point at your company’s digital edge to lower the latency when distributing data across multiple cloud environments. By placing keys in proximity to the data your users need to access, it reduces the time it takes to perform cryptographic operations (e.g., application design requests for keys every time it needs to read and write sensitive data) and accelerates data-related application performance. In addition, deploying key management at the traffic exchange point eliminates the complexity of administering multiple key repositories across multiple private, public, and on-premises and colocated clouds.
According to 451 Research, this supports the functional security and performance tenets for supporting encrypted data for implementation as a cloud service. By deploying key management as a service, your business will be able to quickly and securely move encrypted data between multiple public cloud providers, as well as between multiple private cloud data centers and/or multiple colocation data centers.
You can learn more about enterprise key management as a service requirements and solutions by reading the 451 Research Advisory report: “Key Management as a Service: A Concept for Modern Encrypted Data Requirements, February 2018