Should You Use a Key Management Service with Multicloud Environments?

Imam Sheikh

Very soon, cloud computing will be mainstream, as ubiquitous and commonplace as the internet and mobile phones. The RightScale State of the Cloud Report™ indicates 81 percent of enterprises currently have a multicloud strategy. If you’re responsible for transitioning your organization from on-premise IT operations to some form of cloud computing, critical decisions made today will impact your long-term strategy. You have options for private, public and hybrid cloud configurations. You also have options in choosing a cloud provider: Amazon, Google, Microsoft, IBM and Oracle all offer a wide range of IaaS, PaaS and SaaS capabilities. However, it’s rare to find a single provider that meets all of an organization’s needs. As a result, multicloud and hybrid cloud environments are a reality for many organizations.

As you transition from on-premise computing to cloud computing, securing your data in the cloud is paramount. Since encryption is a preferred way to secure data, encryption key management is a critical concern. Cloud providers have responded to this need with two options: a hardware security module (HSM) or a key management service (KMS). Each approach features benefits and drawbacks.

While HSMs provide secure on-premise encryption key management, widespread cloud deployment makes purchasing, installing and maintaining HSMs for every environment almost impractical. As an alternative, some cloud providers assume responsibility for provisioning HSMs of their choice in their own data centers. A key management service, on the other hand, does not depend on hardware that the customer owns to manage encryption keys and is therefore easily provisioned within the cloud provider’s environment; the trade-off is that keys are protected by the provider’s software and operational controls rather than by tamper-resistant hardware under the customer’s control, a less robust level of assurance than a physical HSM.

Let’s look at both approaches in greater detail, keeping in mind the reality of multicloud/hybrid cloud environments and the importance of securing your data with an HSM. The latter is particularly important if your data and operations are governed by regulations such as HIPAA, PCI DSS or GDPR, or if you process personally identifiable information (PII).

Key management service: a software approach

A key management service is a software-delivered approach that allows the client to create and manage the encryption keys used to protect sensitive data held in the cloud. Encryption keys reside within the cloud provider’s infrastructure and are accessible only through the client’s own access-control policies. Provided on an as-a-service basis, a KMS draws on the proven capabilities of the cloud: centralized management, scalability as data and processing demands increase, high availability, low-latency processing and a consistent means of managing encryption keys within the provider’s environment.

However, a key management service by itself does not inherently provide a level of security equal to that provided by an HSM. That shortcoming, coupled with the fact that a KMS is designed to work within its own cloud provider’s environment, makes this approach problematic, particularly for organizations needing to manage encryption keys across multiple, disparate regions, countries or services. Additionally, when both the encryption keys and the data they protect are held by the same entity (the cloud provider, in this instance) there is an added level of risk: a single compromise can expose both. Best practices recommend keeping encryption keys and data separate so that a breach of the data store alone yields only ciphertext.

Hardware security modules to underpin KMS

To strengthen their KMS offering, some cloud providers underpin their KMS with HSMs located in their data centers. While this approach provides a better level of encryption key security, the combination of KMS and HSM works only within that cloud provider’s environment and still has the disadvantage of keeping keys and data stored in the same environment, under the same provider’s control.

These HSMs are selected, provisioned and physically maintained by the cloud provider. Because they are located in the provider’s data centers, the inherent benefits include scalability, high availability and low latency, which makes them a flexible option for organizations with high levels of growth. As with a KMS, however, the provider-managed HSMs are usable only within that provider’s environment and do not support multicloud operations.

Combine HSM security with multicloud flexibility

Organizations face a tough choice, given the potential security shortcomings of a KMS and the provisioning challenges of an HSM, not to mention the inability of either to work outside of the cloud provider’s environment. Given all that, what’s the best way to manage encryption keys in multicloud environments, especially those that extend globally to multiple, disparate regions and countries? Companies that want to maintain the security level provided by on-premise HSMs while taking advantage of the resources and services offered by major cloud providers are in search of an option that meets the following criteria:

  • Cloud-neutral to support multicloud and hybrid cloud environments and simplify the provisioning and control of encryption keys across these environments.
  • Globally available, with connectivity close to cloud providers to minimize latency, optimize performance and keep data and encryption keys at the digital edge.
  • Separation of keys and data to provide an additional level of defense against data breaches and to comply with data sovereignty regulations.
  • A private and secure HSM as a Service that provides the security level of a physical on-premise HSM, eliminates the complexity of HSM provisioning and is available in a distributed cloud environment.

With a cloud-neutral HSM as a Service, organizations employing multicloud and hybrid cloud environments or operating globally can find a simple and accessible solution to encryption key management without sacrificing security. Keeping encryption keys separate from but close to the encrypted data provides an added level of protection from data breaches while reducing latency. HSM as a Service offers the best of both technologies, providing the benefits of HSM-level security while operating within the flexibility of a multicloud environment.
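The separation of keys and data described above (and in the earlier KMS discussion) is, in practice, envelope encryption: each record is encrypted under its own data encryption key (DEK), and the DEK is wrapped by a key-encryption key (KEK) that never leaves a key service sitting outside the data store. The following Go program is an added illustration and is not code from the original article or from any vendor's product; `KeyService`, `EncryptRecord` and the "aws:..."/"gcp:..." context strings are hypothetical names chosen for the example. It shows that a copy of the data store (ciphertext plus wrapped DEK) is useless without the external KEK, and that binding a cloud/tenant context into both layers as AEAD associated data stops a wrapped DEK from being replayed into a different environment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService models a key manager held apart from the data store (for
// example an HSM-backed service). The KEK never leaves it; callers only
// get wrap/unwrap operations. Hypothetical type, not any vendor's API.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32) // AES-256 key-encryption key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith returns nonce || ciphertext || tag, with aad authenticated.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openWith(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// WrapDEK / UnwrapDEK are the only operations the data plane can ask for.
func (ks *KeyService) WrapDEK(dek, ctx []byte) ([]byte, error)    { return sealWith(ks.kek, dek, ctx) }
func (ks *KeyService) UnwrapDEK(wrapped, ctx []byte) ([]byte, error) { return openWith(ks.kek, wrapped, ctx) }

// Record is what lands in the cloud data store: no plaintext key material.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// EncryptRecord: fresh DEK per record, data sealed under the DEK, DEK wrapped
// by the external key service. context (e.g. "aws:us-east-1") is bound as
// AAD to both layers so a record cannot be moved to another context.
func EncryptRecord(ks *KeyService, context string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := sealWith(dek, plaintext, []byte(context))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.WrapDEK(dek, []byte(context))
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

func DecryptRecord(ks *KeyService, context string, r Record) ([]byte, error) {
	dek, err := ks.UnwrapDEK(r.WrappedDEK, []byte(context))
	if err != nil {
		return nil, fmt.Errorf("unwrap refused: %w", err)
	}
	return openWith(dek, r.Ciphertext, []byte(context))
}

func main() {
	ks, _ := NewKeyService()
	rec, _ := EncryptRecord(ks, "aws:us-east-1", []byte("constructed sample: card=4111")) // sample input, constructed
	pt, err := DecryptRecord(ks, "aws:us-east-1", rec)
	fmt.Printf("same context: %q err=%v\n", pt, err)
	_, err = DecryptRecord(ks, "gcp:europe-west1", rec)
	fmt.Println("other context:", err)
	stolen, _ := NewKeyService() // attacker holds the data store but not the KEK
	_, err = DecryptRecord(stolen, "aws:us-east-1", rec)
	fmt.Println("stolen store, foreign KEK:", err)
}
```

The same `KeyService` can serve records written into several clouds, which is the cloud-neutral arrangement the article argues for; what each cloud's data store holds is only ciphertext and a wrapped DEK, and the unwrap call is the point at which access policy, audit logging and latency to the key service all come into play.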

The cloud has more than proven itself, economically and operationally, by allowing organizations of all sizes to focus on core competencies while transferring responsibility for IT infrastructure, connectivity and management to cloud providers who excel at developing and delivering these services. Regardless of the cloud strategy adopted (private, public or hybrid), encryption key management remains a critical concern and has unique challenges for organizations employing multiple cloud providers. HSM as a Service is designed and architected to address these needs. When looking for the best method of managing encryption keys in a multicloud and hybrid cloud environment, consider a free trial of Equinix SmartKey to learn how HSM as a Service can meet your needs.