Simplifying Data Sovereignty with Cloud-Based Key Management

Kim Chen Bock

Recent technological advances, such as the advent of the cloud and improvements in the areas of global communications, commodity storage and processing speed, give organizations the ability to store data anywhere in the world and manage it remotely. While these advances have undeniable benefits, they’ve also created drawbacks for global organizations, which must contend with an ever-widening set of data regulations. These regulations govern the acquisition, storage and processing of any personally identifiable information associated with customers and employees, as well as the critical operational data associated with utilities, urban infrastructure and transportation. For data security experts, this means increased demands and a heightened workload.

The added complexity of data sovereignty

Many of the more recent regulations involve data sovereignty requirements, in which digital information is subject to the laws and regulations of the country where the data is collected and stored. For global companies, data sovereignty adds another layer of complexity to the issue of data storage. These companies must continually monitor evolving regulations for each involved country and work with cloud providers to implement appropriate data security and governance infrastructure and policies.

Data sovereignty restrictions are often influenced by national interests. Storing Canadian data on Canadian servers, for instance, provides safeguards from requirements imposed by the United States’ Patriot Act, which applies to data stored on servers located within the US. EU data privacy regulations restrict organizations from transferring personal data created in Europe to countries whose data protection laws are judged inadequate by the EU. Some countries require that confidential data be stored on government-monitored servers or in authorized third-party data centers. Monitoring and complying with data sovereignty requirements presents a persistently difficult issue for global businesses.

Cloud service providers support data sovereignty

Many of the challenges of securely and effectively managing data according to country-specific regulations are met by the availability of cloud services. Leading cloud service providers (CSPs) like AWS, Azure, Google, Oracle and IBM have in-country data centers, the first requirement for complying with data sovereignty regulations. These providers offer authentication, encryption and security services, plus a set of management tools designed to help clients comply with local regulations. Nonetheless, global organizations must understand each specific country’s data regulations and work with cloud providers and the management tools offered by each to implement the architecture, processes and security policies necessary to comply with these regulations.

One means of reducing the complexity of complying with data sovereignty regulations is to standardize the most fundamental aspect of data security: encryption key management. Cloud service providers offer a proven means of managing encryption keys: hardware security modules (HSMs) purchased by the CSP and provisioned in their own data centers. For organizations that currently rely upon HSMs for encryption key security in their own data centers, the move to the cloud and the use of CSP-provided HSMs is very appealing. Alternatively, several CSPs offer key management services (KMS) that provide a rich set of management tools and services. KMS is the preferred option for organizations that have had no need to transition from their own data centers to the cloud. Typically, these are newer organizations that run applications that were born in the cloud.

Limitations of cloud service provider-offered HSM and KMS

While the HSM and KMS approaches both feature strong advantages, they also share one significant drawback: the encryption key management method or methods offered by each CSP work only within that CSP’s own cloud environment. Most organizations work with multiple cloud service providers, which means mastering a different key management method for each.

A cloud-neutral KMS simplifies data sovereignty compliance

To avoid the complexity of multiple management services and minimize demands on your data security organization, consider the benefits of a single encryption key management service that works with all leading cloud service providers. A cloud-neutral KMS can provide HSM-level security for encryption key storage; it also has services and tools designed specifically for today’s cloud environments. While you’ll still need to understand data storage and processing requirements for each country in which your organization operates, you’ll have a single, consistent method of managing encryption keys across all applicable countries.

Key management service capabilities that reduce the workload on your data security organization and support data sovereignty compliance include:

  • A single set of tools and services to manage authorization, encryption key lifecycle and audit logs, regardless of where encryption keys are used.
  • HSM-level security without the need to purchase and provision HSMs.
  • Quick implementation and scalability to easily support geographic and processing growth across countries.
  • Advanced, cloud-friendly APIs, software development kits and sample code to allow easy integration with leading public clouds, data services and SaaS applications to meet country-specific needs.
  • Key management that complements the rich set of CSP data and application services with an added level of data security. To reduce the threat of a data breach, a KMS stores encryption keys separately from the encrypted data managed by the cloud provider.

A cloud-neutral, single key management service is easily implemented, provides a consistent encryption key strategy across countries of operation and simplifies compliance with data sovereignty requirements that vary by country.

SmartKey: a cloud-neutral KMS / HSM as a Service

Equinix, a global leader in data centers, colocation services and connectivity, understands global data operations and the complexity of data sovereignty compliance. To simplify the provisioning and control of encryption key management across the multiple cloud environments needed to support data, processes and applications in individual countries, Equinix offers SmartKey, a cloud-based service that provides secure key storage with cloud scalability, along with encryption and tokenization services. SmartKey’s services address governance, risk and compliance requirements imposed by data security and sovereignty regulations. SmartKey supports the encryption key management needs of global organizations through Platform Equinix, which is available in Equinix data centers on five continents. With 99.9999% global uptime, Platform Equinix provides access to more than 1,600 available networks.

If you’re confronting the challenges of effectively and efficiently managing encryption keys globally in support of data sovereignty requirements, we invite you to register for the Equinix SmartKey trial. This key management service is powered by Fortanix and utilizes Platform Equinix to make the service globally available. SmartKey gives you a single management tool to provision and manage encryption keys in the multicloud environments needed to support country-specific operations. For global organizations using multicloud environments, Equinix SmartKey can simplify the complexity of data sovereignty compliance.

Kim Chen Bock Product Marketing - Head of Emerging Services - Data, Security, Applications