RSA 2019: Distributing Security to the Edge

Delivering best of breed with automated HSM-as-a-service

Imagine knowing everything about a customer before they come through the door – name, preferences and interests, buying history, who they are connected to, where they live, and more. That kind of intelligence makes it easy to strike up a conversation with the customer and make the right recommendations that can lead to sales. The more you know, the more chances you have to win.

Now let’s put that into a digital context with a simple example. An online clothing retailer has built geolocation intelligence into its website and combined it with weather data to make smart recommendations to customers. When the polar vortex hits Chicago, the retailer is able to provide real-time recommendations for winter apparel to users in Chicago with custom messaging about the weather event. If the user has already purchased a winter coat from the retailer in the past, the retailer can recommend complementary items instead, such as gloves or a hat, based on that customer’s buying history information.

What’s tricky about this scenario? The retailer could be using different cloud providers to consume the data services while keeping their customer data in on-premises databases. Due to data privacy and data sovereignty requirements, their customer databases could also be located in different regions and consuming data services from local cloud providers. The resulting IT architecture for this retailer is a combination of on-premises, hybrid cloud and multicloud distributed across different regions. And, keeping sensitive data secure across a heterogenous, distributed IT environment like this is a central concern for this retailer, as it is for many enterprises.

RSA 2019: Security and control have never been more critical

The scenario above is a good microcosm of the major themes at the RSA Conference this year. Several keynotes and learning tracks are focused on how to keep your distributed IT architecture safe in the face of rising intelligent threats. Here’s a quick snapshot of some of the main topics:

  • Cloud security: Detecting threats across multicloud environments and how to investigate and resolve attacks commonly seen within cloud environments.
  • Emerging security technologies and techniques: Use cases and applications for emerging approaches such as blockchain, machine learning, decentralized identity, key management and homomorphic
  • Threats and breaches: Techniques to anticipate and resolve incidents in the enterprise such as threat intelligence gathering, automating response, and sharing across technologies and organizations. Also, how to combat advanced threats, ransomware and new classes of vulnerabilities.
  • Governance and compliance: Current and proposed government and industry strategies, policies, standards and legislations that affect the extended enterprise and how to implement compliance frameworks.

It’s not surprising that the conference is focused on these trends. Businesses are facing increasing pressure to participate in the digital economy and provide real-time, personalized experiences for their customers. However, as digital monetization opportunities grow, the volume and impact of security breaches are also accelerating. Cybersecurity Ventures predicts that the global cost of cybersecurity breaches will reach $6 trillion annually by 2021.i In response, more than 30 countries have proposed or enacted rules blocking cross-border transfer of data in major categories: accounting, tax, and financial data (18); personal data (13); government and public data (10); data related to emerging digital services (9); telecommunications data (4); and other types (5).ii

So how can businesses best address these pressures? Encryption is the de facto method for securing data across distributed architectures, but the variety of options can be daunting. Let’s break it down.

HSM vs KMS

Hardware security modules (HSMs) are the traditional enterprise solution for cryptographic workloads. They are physical hardware devices which securely manage encryption keys within a data center environment. Designed and certified to be tamper-evident and intrusion-resistant, they provide the highest level of physical security. Most HSMs are certified to FIPS (Federal Information Processing Standard) 140-2 Security Level 3, although three have attained Level 4 certification as of February 2019. HSM benefits include the fact that they are on-premises and offer a high level of security, but they don’t easily scale and have a high CapEx cost. Use cases may include digital rights management, regulatory compliance, or working with highly sensitive data.

HSMs predate the cloud era and are better suited to traditional IT architectures. So most major cloud providers have introduced Key Management Services (KMS), which is sometimes described as HSM-as-a-service. Functionally similar to the services provided by HSMs, a KMS enables clients to manage encryption keys without concerns about HSM appliance selection or provisioning. The advantages of KMS are similar to the advantages of cloud, such as ease of use, lower cost pay-as-you-go, agility, and scalability. However, many cloud provider KMS offerings typically keep the encryption keys and the data they are protecting in the same shared environment, making them less secure. Some KMS solutions are certified to FIPS (Federal Information Processing Standard) 140-2 Security Level 2, which can work for use cases that don’t require a high level of security or multicloud architecture.

Cloud neutrality

KMS through cloud providers are commonly designed to operate only with their target cloud platform, limiting their use to single cloud environments. However, most organizations are making cloud decisions based on what environment is best for each application. This app-first mindset is leading to multicloud architectures for nearly 90% of respondents in a recent survey by F5.iii For these enterprises, managing proprietary encryption keys across different clouds can quickly become an exercise in complexity.

Multicloud, automated HSM-as-a-service

An automated HSM-as-a-service like Equinix SmartKey™ provides the best of breed HSM-like security with the KMS-like agility. Even better, it’s cloud neutral and, through Platform Equinix®, provides access to the greatest choice of interconnection partners in the largest number of locations worldwide. Here are a few key benefits:

  • Key secrecy: Eliminates the risk of keys being compromised—even by service providers and governments/ state actors—in a shared infrastructure.
  • Compliance and data sovereignty: Enables data sovereignty with regional isolation and security.
  • HSM-grade security: Can provide FIPS 140-2 Level 3 validation without the need for HSM appliances in an easy-to-use cloud service with predictable consumption.
  • Multicloud integration: Enables uniform control regardless of where data resides and works natively with multiple cloud providers such as AWS, Azure and Google.
  • Performance: Stores keys at the digital edge, close to critical applications, whether in cloud or on-premises.

Equinix will be at RSA 2019 taking place March 4-8 in San Francisco. Visit us at booth #3305 in the South Hall for a SmartKey demo. Be sure to stop by our SmartKey partner F5 in booth #643 as well.

Download the SmartKey security overview to learn more.

You may also want to check out these blogs to learn more about encryption in the cloud:

Hardware Security Module (HSM) vs. Key Management Service (KMS)

Can You Achieve HSM Security with Cloud Flexibility?

 

 

Print Friendly


Related Content