We’re immersed in the world of security this week at the RSA Conference 2018 in San Francisco. There’s no question that the recent flood of news regarding corporate data security breaches and the need for significantly better policies to protect personal information are just a couple of the reasons why this event could not be more timely and relevant. With tracks spanning the whole spectrum of interests, from the C-suite perspective to critical decisions regarding technology infrastructure, every aspect of security will be covered at the conference. There’s a track on cloud security, and you can be sure cloud will be an underlying theme in several other tracks. As more organizations move to a cloud strategy, a primary concern is how to ensure data in the cloud is managed securely and, more specifically, how and where data and encryption keys are managed in order to minimize the threat of a data breach.
HSM security: Great for on-premise, but need alternatives for the cloud
Organizations that host data and applications on-premise often employ HSM security, the physical hardware security modules that manage keys for authentication and data encryption, and have confidence in the level of security provided. HSMs are typically certified to Common Criteria or FIPS 140-2 standards for product design, implementation, and cryptographic algorithms. Here lies the dilemma, however: physically placing additional HSMs across an organization’s multiple dispersed locations to accommodate increased data processing or geographic expansion can be untenable from a logistical or CapEx perspective.
And when you consider the notion of deploying your company’s HSMs on a cloud provider’s physical infrastructure, that too is an impractical solution. Cloud providers serving hundreds or thousands of clients would be unwilling to accommodate placement of HSMs for individual clients throughout their physical infrastructure. It would be akin to going to a fine restaurant and informing the waiter that, although the menu is superb, you prefer to bring your own salad and dessert. In lieu of this, many cloud providers offer an alternative to HSMs in the form of Key Management Service.
Cloud providers offer KMS for encryption keys
Key Management Services (KMS) from cloud providers take the place of an on-premise, physical HSM by providing a service to create and control keys used to encrypt cloud-based data. Compared to on-premise data security management, the convenience is appealing, eliminating the cost and overhead of provisioning and managing HSMs. However, there are drawbacks: Having both encryption keys and data in a shared environment/infrastructure increases the risk of a harmful data breach. As a best practice, you want to separate encryption keys from encrypted data to provide an added level of defense. In the event a hacker finds the keys, they won’t know which doors they open. If the hacker is standing at the door, they won’t know where to find the key.
Another consideration regarding a provider’s KMS is the need to work well in heterogeneous cloud environments. Your environment may be similar to that of many other organizations: a combination of public, private, hybrid, or multi-cloud environments needed to support globally distributed operations and/or mixed applications. In such situations, you’ll need to determine whether the provider’s KMS can support your unique cloud environment. Does the provider’s KMS only work for data and applications hosted in their own cloud environment? If the KMS needs to be accessed from other cloud environments or applications, how easily is that accomplished? Ideally, you’ll want an encryption key service that is cloud-neutral (in other words, one that supports heterogeneous cloud environments) to allow you to take advantage of the wealth of services offered by major cloud providers like AWS, Azure, and Google.
HSM-as-a-Service for cloud environments
While a provider’s KMS offers encryption key management for the cloud, its proprietary nature could hinder integration with other systems, and the proximity of data and encryption keys could compromise security. Software KMS systems also lack the more rigorous security protections of HSMs. It would be ideal if HSM security could be provided as a service to manage authentication and encryption key resources for heterogeneous cloud environments.
HSM-as-a-Service provides secure encryption key management for the cloud and on-premise, giving you confidence that your data is securely stored and protected. More importantly, it’s point and click when used as-a-service, which means there’s no need to be concerned with or experience time lost in the ordering, physical placement, or provisioning of HSM hardware in multiple locations or geographies. It can be easily scaled to support additional data volumes and processes as well as geographic expansion. For optimum efficiency, encryption keys are provisioned “at the digital edge” to reduce latency, yet the keys remain separate from encrypted data to provide an added level of defense against harmful data breaches. To accommodate heterogeneous cloud environments, HSM-as-a-Service, being cloud-neutral, can protect data in public, private, hybrid, or multi-cloud environments.
HSM security, KMS flexibility, or best of both
HSM-as-a-Service combines the security of legacy, on-premise HSMs with the convenience, ease of use, and self-service offered by a cloud environment. When comparing all options side by side, the simplicity of implementation without sacrificing security is apparent. HSM-as-a-Service can help you move your sensitive data to the cloud with confidence.
| HSM | KMS on Cloud | HSM as a Service |
|---|---|---|
| – Doesn’t easily scale | + Easy implementation | + Easy implementation |
| | – Data & keys together | + Data & keys separate |
| | – Not neutral | + Cloud neutral |
If you’re facing the challenge of moving to the cloud and your data and applications rely upon HSM hardware or key management software, stop by Equinix’s booth, 2440 South Expo, at RSA to discover how SmartKey, available as an HSM-as-a-Service, provides secure key management and cryptography services to protect data in your cloud environment. As a service offered on cloud-neutral Platform Equinix™, provisioning is easy. How easy? Find out by starting your free trial today.