It’s the rare individual who hasn’t been affected by a data breach. From a financial perspective, the personal impact can be devastating. The time and effort required to rectify the situation also take a toll, while the impact—financial and reputational—on organizations whose ability to protect data has been compromised is also significant. According to the 2017 Ponemon Institute Cost of Data Breach Study, the average cost to organizations of a stolen record containing confidential or sensitive information is $141. Not a huge number, except when you consider the average data protection breach involves 24,000 records—a cost of $3,384,000.
The recent U.S. Senate hearing on Facebook’s data privacy policies demonstrates how data protection is under keen governmental scrutiny, while the EU’s General Data Protection Regulations (GDPR) taking effect on May 25, 2018 show how this issue is a mounting global concern. Due to the potential for government-issued penalties as well as the aforementioned chance of financial and reputational damage, protection against breaches will continue to be a top priority for any organization tasked with managing sensitive personal information.
Guarding against data breaches becomes even more challenging as organizations move data and applications from the security of their on-premise IT infrastructure to the cloud, where the responsibility for protecting data is shared with the cloud provider. Because encryption keys play a vital role in this scenario by shielding data from potential breaches, the approach to encryption key management requires careful evaluation.
HSM: critical for protection against on-premise data breaches
The hardware security module (HSM) has historically provided the best means of encryption key management for on-premise IT infrastructure. Physically secure and FIPS 140-2 certified, the HSM is the nexus for managing the lifecycle of encryption keys to protect against breaches of data stored on-premise in an organization’s data center.
Typically, an organization’s IT department holds the responsibility for selecting, provisioning and managing HSMs in their data centers. However, as organizations move to the cloud—or, as is increasingly the case, as organizations use multiple cloud providers to meet their application or geographic coverage needs—they no longer have control of HSM selection and provisioning, as their data is now physically located in the cloud provider’s data centers. To address the need for encryption key management to protect this data, many cloud providers offer their own key management service.
KMS: protect encryption keys in the cloud
In keeping with the cloud model, key management service (KMS) is a software-based approach, sometimes reinforced with HSMs, that provides centralized key management and ease of scalability as data and processing demands grow. KMS enables an organization to control the full lifecycle of the encryption keys used to encrypt their data while it’s stored in a cloud provider’s data center. KMS typically includes reporting and auditing features to support regulatory or compliance requirements.
Thanks to its flexibility, KMS can be an ideal way to manage encryption keys in a cloud environment. However, organizations supporting multicloud environments or seeking ways to minimize the chance of a data breach may be concerned about certain limitations to this approach.
Minimize the chance of data breach: keep encryption keys and data separate
With a KMS, the encryption keys and data are both managed by the cloud provider. When encryption keys and encrypted data are stored and managed by the same entity, the chance of a breach increases. A breach of data can easily lead to a breach of encryption keys, and vice versa.
Best practices recommend that encryption keys and data be stored in close proximity yet managed by separate entities. As a result, a breach of the encrypted data yields only ciphertext, while a breach of the encryption keys is useless without access to the data. Because the KMS approach places both the encryption keys and the data under one provider’s management, it could become the Achilles’ heel of an otherwise strong cloud deployment in the event of a breach.
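The separation described above, as an added illustration (not Equinix, Fortanix or any provider’s code): a hypothetical KeyService stands in for the separately managed key custodian and never releases its key-encryption key, while a hypothetical DataStore stands in for cloud storage and holds only ciphertext plus wrapped data keys. The cipher is a stdlib-only HMAC-SHA256 keystream used as a stand-in for AES-GCM so the example runs offline; the record content is constructed sample data.

```python
import hashlib
import hmac
import os


def _stream_xor(key, nonce, data):
    """Toy CTR-style cipher from HMAC-SHA256 (stand-in for AES-GCM, demo only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class KeyService:
    """Hypothetical key custodian (the HSM-as-a-Service role): the key-encryption
    key (KEK) never leaves it; callers can only wrap and unwrap data keys."""

    def __init__(self):
        self._kek = os.urandom(32)

    def wrap(self, dek):
        nonce = os.urandom(16)
        return nonce + _stream_xor(self._kek, nonce, dek)

    def unwrap(self, wrapped):
        return _stream_xor(self._kek, wrapped[:16], wrapped[16:])


class DataStore:
    """Hypothetical cloud storage: holds ciphertext and wrapped DEKs, never the KEK."""

    def __init__(self):
        self.records = {}


def put_record(store, key_service, name, plaintext):
    """Envelope encryption: a fresh per-record DEK, wrapped by the separate custodian."""
    dek = os.urandom(32)
    nonce = os.urandom(16)
    store.records[name] = (nonce, _stream_xor(dek, nonce, plaintext), key_service.wrap(dek))


def get_record(store, key_service, name):
    """Normal read path: the custodian unwraps the DEK, storage supplies the ciphertext."""
    nonce, ciphertext, wrapped = store.records[name]
    return _stream_xor(key_service.unwrap(wrapped), nonce, ciphertext)


def exposure_if_store_alone_is_breached(store, name):
    """What a breach of storage alone yields: ciphertext and a wrapped DEK that
    cannot be unwrapped without the custodian's KEK."""
    nonce, ciphertext, wrapped = store.records[name]
    return ciphertext, wrapped
```

Conversely, a compromise of the KeyService alone exposes keys but no records, which is the property the two-entity split is meant to provide.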
KMS works well, but what about multicloud environments?
If you operate in a multicloud environment—which the RightScale State of the Cloud Report indicates is the case for 81 percent of enterprises—KMS won’t meet all your needs, because it’s designed to work exclusively in a single cloud provider’s environment. Organizations using a combination of AWS, Oracle, IBM or any number of other cloud providers will need to manage their encryption keys with the KMS offered by each provider. If you’re one of the many organizations with five or more cloud providers, relying on KMS will only add complexity to your data security operations.
HSM as a Service: protect encryption keys in multicloud environments
Is there a simpler way to centrally manage encryption keys in a multicloud environment while still achieving HSM-level security? Fortunately, yes. Consider approaching encryption key management with HSM as a Service: It can leverage the scalability and connectivity of the cloud and provide HSM-level security without the need to provision HSMs. HSM as a Service is also cloud-neutral to centrally and securely manage encryption keys to protect data in public, private, hybrid or multicloud environments.
HSM as a Service is easily implemented and supports BYOK—Bring Your Own Key—so it can work with encryption keys from corporate resources or existing services. Compared to the KMS approach, HSM as a Service offers a greater level of data security by managing encryption keys separately from, but in close proximity to, the data stored by the cloud provider. Organizations wanting to provide the highest level of security against data protection breaches in multicloud environments will find HSM as a Service the best means of achieving this goal.
Encryption key management for multicloud environments: easy, very easy
If you have concerns about the complexity of managing encryption keys for multicloud environments and are looking for ways to minimize the risk of data breaches, we invite you to register for the Equinix SmartKey trial. This HSM as a Service solution is powered by Fortanix and utilizes Platform Equinix to make the service globally available. HSM as a Service gives you the simplicity of provisioning and managing encryption keys in multicloud environments without sacrificing security. For organizations who are committed to secure data protection yet rely upon the benefits of multicloud environments, Equinix SmartKey provides the ideal solution.