Key Management in Multicloud Environments

Imam Sheikh

If you have cyber security skills, your continued future employment is all but guaranteed. Three mutually influential factors will continue to enhance your career prospects: a significant shortage of cyber security skills, the increasing number of costly data breaches, and a variety of government regulations that impose stiff fines on companies that fail to comply. A 2018 IBM-sponsored study from the Ponemon Institute, Cost of a Data Breach, paints a sobering picture of the impact of data breaches globally, locally and by industry. The study’s findings include the following:

  • The average cost of a data breach increased from $3.5 million in 2014 to $3.86 million in 2018.
  • Mega data breaches involving a million or more records doubled over the past five years.
  • The average cost of a mega data breach involving a million records is estimated at $40 million, while the average cost of a mega data breach involving fifty million records is estimated at $350 million.
  • The average time it takes to identify a data breach is 197 days.
  • The average cost of a data breach for U.S. companies is $7.91 million.
  • The average cost per lost or stolen record resulting from a breach of data from a healthcare organization is $408.

If anything, these findings quantify the value of a well-thought-out and consistent enterprise strategy to prevent cybersecurity attacks and to minimize the cost and impact in the event one occurs. Dr. Larry Ponemon, chairman and founder of Ponemon Institute, emphasizes this: “The goal of our research is to demonstrate the value of good data protection practices and the factors that make a tangible difference in what a company pays to resolve a data breach.”

Rethink data security and key management strategy in cloud environments

The cloud, mobile devices, the Internet of Things (IoT) and the proliferation of software applications that touch nearly every aspect of quotidian activity create ever-greater volumes of data. These, unfortunately, are targets of nefarious individuals, organizations and government entities seeking financial gain or major economic or operational disruption.

Lower capital and operational expenses of cloud technologies motivate an ever-increasing number of enterprises to move their data and applications to the cloud. The transition to the cloud has caused enterprises to rethink their cyber security strategy, in particular encryption key management.

Hardware security modules (HSMs) are the established standard for encryption key management in on-premises data centers. With the move to the cloud, some providers offer HSMs as part of their data security services. Most cloud providers offer a key management service (KMS) as an alternative to on-premises HSMs. There are advantages to both approaches, provided all of your data and applications are hosted within a single cloud provider’s environment. However, if you’re like most enterprises, you’re working with multiple cloud providers to support numerous business applications or to provide in-country services that comply with data sovereignty regulations. In multicloud environments, neither on-premises HSMs nor a provider’s KMS is the ideal means of encryption key management. Enterprises need a standard method of managing encryption keys, regardless of the cloud environment in which they’re used.

HSM limitations in multicloud environments

Purchasing and provisioning HSMs in on-premises data centers is time-consuming but can be done. However, as enterprises move to the cloud, they no longer control HSM selection and provisioning. The cloud provider assumes responsibility for HSM selection, and the enterprise is required to use the key management tools designated for that particular brand of HSM. If you work with a single cloud provider, that’s not a problem. If you work with multiple cloud providers, learning and using a different set of key management tools for each provider places an unnecessary burden on already-overworked data security teams.

KMS limitations in multicloud environments

A key management service (KMS) offered by cloud providers takes an “easy button” approach. As a cloud service, it scales easily as data and processing demands grow. A KMS provides encryption keys used to encrypt data stored in the cloud provider’s data center; it also typically includes reporting and auditing features to support regulatory or compliance requirements.

If you work with a single cloud provider, its KMS is a good choice for managing the encryption keys within that provider’s environment. If you work with multiple cloud providers, you face the same complexity as with HSMs in multicloud environments: you must learn and use a different KMS for each cloud provider you work with.

Best practice: maintain encryption keys separately from encrypted data

The KMS approach may also diminish your level of data security, because the encryption keys and the encrypted data are stored and managed by the same entity: the cloud provider. Best practices, including guidance laid out in the recently enacted General Data Protection Regulation (GDPR), recommend that encryption keys and data be managed by separate entities. With this separate-entity strategy, a breach of the encrypted data yields only ciphertext, and a breach of the encryption keys themselves is worthless without access to the data.

HSM as a Service: key management for multicloud environments

The best method of managing encryption keys in multicloud environments combines HSM-grade security with the flexibility of a cloud service. Think of this approach as HSM as a Service. It’s cloud-neutral and capable of managing the entire encryption key lifecycle for private, public or hybrid cloud environments, including those offered by leading providers such as AWS, IBM, Azure, Oracle and Google.

Provided as a cloud service, it’s available on demand and easily scales to match data, applications and geographic growth. HSM as a Service features enterprise-level access controls and audit logging to meet compliance requirements. Most importantly, it’s a single, centralized method to simplify provisioning and control of encryption keys in multicloud environments.

SmartKey: HSM as a Service for multicloud environments

HSM as a Service is delivered as Equinix SmartKey, powered by Fortanix and based on Intel Software Guard Extensions (SGX), a technology that protects application code and data from disclosure or modification. This core technology removes the need for legacy HSMs and provides application integration and development tools for today’s cloud environments.

Register for a free trial of Equinix SmartKey to experience how easily HSM as a Service is deployed and managed. While encryption key management can be complex and challenging in multicloud environments, SmartKey, recipient of the InfoSec 2019 Hot Company Cloud Security Award and Publisher’s Choice SaaS/Cloud Security Award, simplifies key management without sacrificing security.

Equinix SmartKey at RSA 2019

We’re pleased to announce that we’re attending the RSA Conference 2019. Ask all your questions and get all the answers regarding key management in multicloud environments and the advantages of SmartKey at Equinix’s Booth 3305 in the South Expo.

Key Management as a Service Webinar

Listen and learn from the 451 Research and Equinix webinar, which discusses cloud security methods for hybrid and multicloud architectures, the challenges associated with using Software as a Service applications, and compliance mandates for data in the cloud, while maximizing the benefits of Key Management as a Service.

Imam Sheikh, (Former) Senior Director, Security Products