Encryption Key Management Best Practices

Imam Sheikh

Data encryption is the bedrock of cybersecurity. Encrypted data remains worthless ciphertext without access to encryption keys; hardware security modules (HSM) are well-established means for securing those keys in on-premises data centers. Data security teams are well-versed in the process of purchasing, provisioning and managing those HSMs. However, the efficiency of that practice has been disrupted by an increasing number of enterprises moving their data and applications to the cloud. The IDC Worldwide Semiannual Public Cloud Services Spending Guide estimated $160 billion of spending on public cloud services and infrastructure in 2018. With the majority of enterprises now working with cloud providers to support their data, applications and in-country presence, enterprises are looking for alternatives to these legacy HSMs to establish encryption key management best practices.

Key Management Services: an alternative to legacy HSMs

Major cloud service providers have responded to the need for data security by offering key management services (KMS). There are distinct advantages to using a KMS: it’s delivered as a cloud service alongside the provider’s many other services, such as storage, developer and management tools, databases and analytics. A key management service doesn’t necessarily depend on hardware security modules, another factor in its quick deployment. If all of your data and applications are hosted on a single cloud service provider, you can consider that provider’s KMS an encryption key management best practice.

Most enterprises use multiple cloud providers

Although using KMS in a cloud environment removes the responsibility of purchasing and provisioning HSMs, the benefit of that approach diminishes when you work with multiple cloud providers. Cloud adoption is increasing spectacularly: According to the RightScale State of the Cloud Report, 81 percent of enterprises have a multicloud strategy, with most enterprises working with four or more different cloud providers. If an enterprise is a global operation, it most likely uses multiple cloud providers, and that’s where the problems start.

With each cloud provider offering a different approach to encryption key management, data security departments are required to learn and master the encryption key management tools and methods offered by each provider. With inevitable data and processing growth and global expansion combined with a continued shortage of data security skills, what are the encryption key management best practices for multicloud environments?

Encryption key management best practices for multicloud environments

The best approach to encryption key management in multicloud environments incorporates three qualities: HSM-grade security, cloud deployment and centralized management. Combined, these three qualities define HSM as a Service, which features centralized encryption key management, global cloud scalability and secure encryption key management to protect data in public, private or hybrid environments. Here’s how each of those qualities supports encryption key management best practices:

● HSM-grade security without the need for buying HSM hardware

HSM as a Service provides HSM-grade security without the cost and overhead of hardware provisioning. HSM as a Service allows you to generate, store and use cryptographic keys and certificates. When not in use, the keys are held in an encrypted database; when in use, they’re only available inside a secure enclave. All encryption and decryption operations are done inside the secure enclave. Key material is never available in plaintext to any software component.

HSM as a Service includes a cloud-ready SDK that supports a variety of interfaces, such as RESTful APIs, PKCS#11, JCE, CNG and KMIP. It also provides developers with easy integration tools for leading public cloud, data services and SaaS application providers.

● Cloud deployment

HSM as a Service is available as a cloud service. With easy implementation, high availability, fault tolerance and global scalability, it addresses performance and compliance requirements at the digital edge where data, applications and users live. Using an architecture that supports dispersed interconnection nodes located at the digital edge, HSM as a Service ensures proximity of encryption keys and encrypted data to minimize latency. Although encryption keys and data are proximate, keys remain separate from encrypted data to provide an added level of defense against harmful data breaches.

● Single, centralized encryption key management

HSM as a Service is cloud-neutral and supports heterogeneous cloud environments. It complements services offered by leading cloud service providers like AWS, Azure, Google, IBM and Oracle. This enables you to take advantage of the wealth of services offered by these providers, yet have a single, centralized method of managing encryption keys wherever they are deployed across multicloud environments.

HSM as a Service supports existing encryption key management needs, as well as growth and expansion of data and applications. With a centralized approach to encryption key management, you retain complete control of keys at all times. You can easily assimilate encryption keys from corporate resources or existing services and securely distribute keys to new services.

A single, centralized approach to encryption key management reduces the demands on your already-overworked data security team. In contrast to the complexity of learning and using a different key management tool for each cloud service provider you work with, HSM as a Service gives you simplicity without sacrificing security, surely an encryption key management best practice.

Proximate yet separate: encryption keys and data

In addition to simplifying encryption key management, HSM as a Service provides an added level of data security by keeping encryption keys in an entity separate from encrypted data. The recently implemented General Data Protection Regulation (GDPR) acknowledges the added value of this kind of separation. The GDPR requires that encryption keys be kept separate from the encrypted data, which is rarely achievable when a cloud service provider manages both. With HSM as a Service, however, encryption keys are automatically maintained separately from encrypted data to provide a greater level of protection against a data breach.
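The two properties claimed above, that key material is wrapped at rest and never leaves the key-holding boundary in plaintext (the "secure enclave" point in the HSM-grade security section) and that keys live in an entity separate from the encrypted data (this section), can be modelled in a few dozen lines. The following is an added illustration written for this page, not Equinix or SmartKey code and not a description of SmartKey's internals. The `KeyService`, `DataStore` and `toy_seal`/`toy_open` names are hypothetical, and the cipher is a constructed HMAC-SHA256 counter-mode-plus-tag stand-in chosen so the script runs on the Python standard library; a real HSM or key service would use AES-GCM or similar inside its boundary. The sample record is constructed.

```python
import hashlib
import hmac
import secrets

# --- toy authenticated cipher (constructed; stand-in for the AES-GCM a real HSM uses) ---
def _subkeys(key: bytes):
    """Derive separate keystream and MAC keys so the two uses never share inputs."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream, XORed over the data."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def toy_seal(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = _xor_stream(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag          # nonce || ciphertext || 32-byte tag

def toy_open(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc, mac = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")   # wrong key or tampered data
    return _xor_stream(enc, nonce, body)

# --- the key-holding boundary (hypothetical model of an HSM / key service) ---
class KeyService:
    """Keys are stored wrapped under a master key (the 'encrypted database'), unwrapped
    only inside this object for the duration of one operation, and the public methods
    return handles and ciphertext, never key bytes."""
    def __init__(self):
        self._master = secrets.token_bytes(32)   # would live inside the HSM / enclave
        self._wrapped = {}                       # key_id -> wrapped data-encryption key
        self.audit = []                          # every key use is recorded for detection

    def create_key(self) -> str:
        key_id = secrets.token_hex(8)
        self._wrapped[key_id] = toy_seal(self._master, secrets.token_bytes(32))
        return key_id                             # a handle, not the key

    def _unwrap(self, key_id: str) -> bytes:
        return toy_open(self._master, self._wrapped[key_id])

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        self.audit.append(("encrypt", key_id))
        return toy_seal(self._unwrap(key_id), plaintext)

    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        self.audit.append(("decrypt", key_id))
        return toy_open(self._unwrap(key_id), blob)

    def export_wrapped_store(self) -> dict:
        """What a copy of the key database contains: wrapped blobs only."""
        return dict(self._wrapped)

# --- the data side: cloud storage that holds ciphertext and has no key access at all ---
class DataStore:
    def __init__(self):
        self.rows = {}
    def put(self, name: str, blob: bytes) -> None:
        self.rows[name] = blob
    def get(self, name: str) -> bytes:
        return self.rows[name]

def demo() -> dict:
    ks, store = KeyService(), DataStore()
    key_id = ks.create_key()
    record = b'{"customer": "constructed sample", "card_last4": "4242"}'
    store.put("rec-1", ks.encrypt(key_id, record))

    leaked_object = store.get("rec-1")           # breach of the data store alone
    leaked_keydb = ks.export_wrapped_store()     # breach of the key database alone
    raw_dek = ks._unwrap(key_id)                 # peek inside the boundary only to verify the claim
    roundtrip_ok = ks.decrypt(key_id, leaked_object) == record

    tampered = bytearray(leaked_object)
    tampered[20] ^= 0x01                         # flip one ciphertext bit
    try:
        ks.decrypt(key_id, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    try:                                         # wrapped key without the master key is useless
        toy_open(secrets.token_bytes(32), leaked_keydb[key_id])
        keydb_useless = False
    except ValueError:
        keydb_useless = True

    return {
        "roundtrip_ok": roundtrip_ok,
        "plaintext_in_store": record in leaked_object,
        "dek_in_key_db": any(raw_dek in blob for blob in leaked_keydb.values()),
        "tamper_detected": tamper_detected,
        "keydb_useless_without_master": keydb_useless,
        "audit_entries": len(ks.audit),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from `demo()` is that each store is useless on its own: the data store yields only ciphertext, the key database yields only wrapped keys, and the only path to plaintext is an authenticated call across the key-service boundary, which is also where an audit record is produced. That is the separation the GDPR discussion above is about, and it is what a single cloud provider holding both keys and data does not give you by default.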

SmartKey is HSM as a Service

HSM as a Service is available as SmartKey from Equinix. SmartKey simplifies the provisioning and control of encryption keys. SmartKey is available on-demand and easily scales to match your data and application growth. It’s globally available on Platform Equinix, which directly, securely and dynamically connects distributed infrastructure and digital ecosystems. At a time when data security skills are scarce, SmartKey supports encryption key management best practices by delivering HSM-grade security, cloud deployment and a single, centralized control point for encryption key management across multicloud environments.

We invite you to consider a free trial of Equinix SmartKey to experience how easily HSM as a Service is deployed and managed. Cloud security management can be challenging, but SmartKey offers simplicity and security.
