Diminishing the Pain of Encryption Key Management

Imam Sheikh

You’re not alone in feeling the ever-increasing pressure of managing encryption keys in cloud environments. Several factors cause this pain: the seemingly unlimited growth of data; the wide distribution of data and applications across private, hybrid and public cloud environments; and ever-evolving regulations such as GDPR that vary by industry and by country. It’s no wonder you’re feeling mounting stress when it comes to data security and encryption key management.

Pain points in encryption key management

Many of the factors causing this strain are outside an enterprise’s ability to control. Thankfully, however, some aspects of encryption key management may be addressed and improved. Based on our experience in working with thousands of customers who’ve moved data and applications to the cloud, we’ve identified three critical pain points that impede an enterprise’s ability to effectively and efficiently manage encryption keys in the cloud:

Pain point #1: KMS is ideal for single cloud, but not multicloud

For organizations that work with a single cloud service provider (CSP), the provider’s own key management service (KMS) is the ideal way to manage encryption keys. KMS offers three distinct advantages over the legacy hardware security module (HSM) servers that many enterprises have historically depended upon for encryption key management in their on-premises data centers.

First, in comparison to legacy HSMs, KMS offers a richer set of encryption key management tools designed specifically for the CSP’s environment. These tools handle the complete key lifecycle (creation, rotation, import, export, deletion and usage policy definition) and record every action in audit logs. Second, KMS exposes modern, simple programming interfaces such as REST that let developers add encryption to custom applications. Third, the cloud provider’s KMS is usually integrated with other cloud services such as storage, analytics and databases, making it easy to provide encryption for these services.

However, there’s one major pain point associated with KMS: it only works in a particular CSP’s environment. While this arrangement makes it easy for the KMS to work with other services available from the CSP, the provider’s KMS may not support encryption keys in other cloud environments. If you’re one of the majority of enterprises that contract with multiple cloud providers, this is a significant drawback because you must devise a separate key management strategy for the environments the KMS does not support.

The remedy for this pain point is a cloud-neutral HSM as a Service (HSMaaS), which operates as a KMS for multicloud environments. A cloud-neutral HSMaaS works with leading cloud service providers such as AWS, Azure, Google, Oracle and IBM. It provides a complete set of management tools for centralized control of encryption key lifecycles, a cloud-friendly representational state transfer (RESTful) API, SDKs that support established interfaces such as Public-Key Cryptography Standard #11 (PKCS#11), Cryptography Next Generation (CNG), Java Cryptography Extension (JCE) and the Key Management Interoperability Protocol (KMIP), and sample code to accelerate application integration. Cloud-neutral HSMaaS makes it easier to protect distributed data uniformly in a multicloud environment.

Pain point #2: Data breach vulnerability

Storing encryption keys and encrypted data in the same cloud environment simplifies overall security management. If you’re only using a single cloud provider, this approach reduces the pain of encryption key management. However, it presents a significant drawback that may cause trouble in the long run.

The National Institute of Standards and Technology (NIST) document Cryptographic Key Management Issues & Challenges in Cloud Services cautions that “…there is a limit to the degree of security assurance that the cloud consumer can expect to get, due to the fact that the logical and physical organization of the storage resources are entirely under the control of the cloud provider.” The report advises, “For better security, the security server, the KMS, and (persistent) key storage should be run in a cloud that is different from the DBMS [database management system] instance or should be run on-premise by the cloud Consumer.”

Here too, a cloud-neutral HSMaaS remedies potential pain. With the HSMaaS running in a cloud environment separate from the CSP that holds the data, a breach of that data yields only ciphertext, which is useless without the keys held elsewhere. Separately stored encryption keys provide an added level of data security.
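The key-separation argument above, together with the lifecycle operations listed under pain point #1 (creation, rotation, deletion and audit logging), can be made concrete with envelope encryption. The Go program below is an added example; it is not code from the original post or from any product the post mentions. The KeyService type is a hypothetical stand-in for a cloud-neutral HSMaaS: it holds key-encryption keys (KEKs) and hands applications only wrapped data keys, while the Record type is what would be stored with the cloud provider. Both layers use AES-256-GCM from Go’s standard library; a real HSMaaS would keep the KEKs in hardware and expose these operations over its API rather than as in-process calls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead builds AES-256-GCM; every key in this example is 32 bytes, so neither call can fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	a, _ := cipher.NewGCM(block)
	return a
}

// randomBytes draws n bytes from the OS CSPRNG (used for keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// WrappedKey is the only form in which a data key (DEK) leaves the key service: encrypted under a KEK, labelled with that KEK's id.
type WrappedKey struct {
	KEKID       string
	Nonce, Blob []byte
}

// KeyService is a hypothetical stand-in for a cloud-neutral HSMaaS or KMS (constructed for this example); KEK material never leaves it.
type KeyService struct {
	keks    map[string][]byte // KEK id -> 32-byte AES key
	current string            // KEK used for new wraps
	n       int               // KEK ids issued so far
	Audit   []string          // one entry per key operation
}

func NewKeyService() *KeyService {
	ks := &KeyService{keks: map[string][]byte{}}
	ks.RotateKEK()
	return ks
}

// RotateKEK creates a new KEK and makes it current; older KEKs are kept so keys already wrapped under them still unwrap.
func (ks *KeyService) RotateKEK() string {
	ks.n++
	id := fmt.Sprintf("kek-%d", ks.n)
	ks.keks[id], ks.current = randomBytes(32), id
	ks.Audit = append(ks.Audit, "create "+id)
	return id
}

// Delete destroys a KEK; anything still wrapped under it becomes unrecoverable.
func (ks *KeyService) Delete(id string) { delete(ks.keks, id); ks.Audit = append(ks.Audit, "delete "+id) }

// Wrap encrypts a DEK under the current KEK, binding the KEK id as AAD.
func (ks *KeyService) Wrap(dek []byte) WrappedKey {
	a := aead(ks.keks[ks.current])
	nonce := randomBytes(a.NonceSize())
	ks.Audit = append(ks.Audit, "wrap under "+ks.current)
	return WrappedKey{ks.current, nonce, a.Seal(nil, nonce, dek, []byte(ks.current))}
}

// Unwrap recovers a DEK; it fails if the KEK was deleted or the blob was altered.
func (ks *KeyService) Unwrap(wk WrappedKey) ([]byte, error) {
	kek, ok := ks.keks[wk.KEKID]
	if !ok {
		return nil, fmt.Errorf("unknown or deleted KEK %q", wk.KEKID)
	}
	ks.Audit = append(ks.Audit, "unwrap under "+wk.KEKID)
	return aead(kek).Open(nil, wk.Nonce, wk.Blob, []byte(wk.KEKID))
}

// Record is all that lands in the CSP's storage: ciphertext plus a wrapped DEK, opaque bytes without the key service.
type Record struct {
	Nonce, Ciphertext []byte
	Key               WrappedKey
}

// EncryptRecord uses a one-off DEK and keeps only its wrapped form beside the ciphertext.
func EncryptRecord(ks *KeyService, plaintext []byte) Record {
	dek := randomBytes(32)
	a := aead(dek)
	nonce := randomBytes(a.NonceSize())
	return Record{nonce, a.Seal(nil, nonce, plaintext, nil), ks.Wrap(dek)}
}

// DecryptRecord is the only path back to plaintext, and it needs the key service.
func DecryptRecord(ks *KeyService, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.Key)
	if err != nil {
		return nil, err
	}
	return aead(dek).Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

A breach of the data store alone exposes only Record values: nonces, ciphertext, and a DEK that is itself ciphertext under a KEK that never leaves the key service. Rotating the KEK leaves earlier records decryptable, since they remain wrapped under the previous KEK, and deleting a KEK makes everything wrapped under it unrecoverable, which is how key deletion doubles as a data-destruction control. The Audit slice stands in for the audit log a KMS or HSMaaS keeps of every key operation.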

Pain point #3: Connectivity conundrum

Enterprises that employ multicloud environments are challenged with implementing effective data security across CSPs’ geographically distributed data centers. To accomplish this, they must coordinate connectivity among encryption key services, data storage and the applications that run their business. An overarching goal is optimized performance among all connected components.

Rather than tackle each connectivity challenge individually (the number of connectivity combinations can be astounding), an enterprise should seek the services of providers that have established global networks and data centers. The infrastructure and services available from these providers offer colocation, high availability, rapid scalability and physical and virtual connectivity to networks and cloud providers. From the perspective of diminishing the pain of encryption key management, the services available via a global network and data center provider can accomplish the following:

  • Securely and dynamically connect distributed infrastructure and digital ecosystems.
  • Facilitate centralized management of encryption keys, regardless of the cloud environment where they are being used to encrypt data.
  • Securely store and manage encryption keys separately from data encrypted and stored in a CSP’s environment to provide an added level of defense against data breaches.
  • Optimize data encryption/decryption operations by locating encryption keys at the edge.

Partner with an established global provider of interconnectivity and data center colocation services to take advantage of the infrastructure, resources and expertise they offer.

Summary: Remedy your pain points with cloud-neutral HSMaaS

Enterprises challenged with the responsibility of securely managing data distributed widely among different CSPs while operating in accordance with all regulations can reduce the pain of encryption key management by using a cloud-neutral HSMaaS. It enables secure, centralized encryption key management in multicloud environments and brings an added level of data security via proximate but separate storage of encryption keys and encrypted data.


Pain point: Key management service (KMS) only supports a specific cloud service provider’s environment
Remedy: Cloud-neutral HSM as a Service provides encryption key management for leading cloud service providers

Pain point: Data breach vulnerability fostered by storing encryption keys and encrypted data in the same cloud environment
Remedy: Separate yet proximate storage of encryption keys and encrypted data in different cloud environments

Pain point: Connectivity to numerous CSPs, geographies and network providers
Remedy: Globally available platform providing connectivity to data centers, CSPs and networks


Pain relief for multicloud encryption key management

In recognition of the need for a better way to securely and efficiently manage encryption keys in multicloud environments, Equinix offers SmartKey™, an HSM as a Service. SmartKey complements the wide range of services offered by cloud service providers and brings a greater level of security to data stored in CSP data centers. SmartKey, available as a cloud service, is designed to scale on demand and is built to be fault-tolerant and highly available. SmartKey uses Intel® SGX enclaves to protect encryption keys and data from all external agents.

SmartKey, hosted on Platform Equinix to provide access to all major cloud platforms across multiple locations, addresses encryption key security and performance requirements at the digital edge. SmartKey is pain relief for multicloud encryption key management. Furthermore, when running on Platform Equinix, SmartKey helps improve performance and reduce latency because enterprises are close to carriers and counterparties as well as clouds.

If you’re experiencing the pain of data security and key management, consider signing up for a free 30-day trial of SmartKey. In a matter of minutes, you’ll get a sense of the relief a single, centralized cloud-neutral HSMaaS can provide.

Imam Sheikh, Senior Director, Security Products