Cloud Applications should take a SaaS Approach to Encryption Key Management

Imam Sheikh

Encryption key management is the foundation for data security. However, the well-established methods of managing encryption keys using legacy hardware security modules (HSM) are inadequate for the growing number of applications hosted in the cloud. HSMs have protracted procurement cycles which hamper rapid deployment in widely distributed cloud environments. Today, enterprises want to move quickly when extending applications or services to new geographies or scaling applications to accommodate increased data sovereignty and processing demands.

To address customer agility needs, Cloud Service Providers offer HSMs for deployment in their data centers, but they are not cloud neutral and may not work seamlessly with applications offered by other service providers. If your applications are hosted solely with a single cloud service provider, the HSM option may be workable. However, that’s rarely the case.

According to the RightScale State of the Cloud Report, the average enterprise works with more than 4 different cloud environments. Although the major cloud providers such as Alibaba, AWS, Azure, Google, IBM and Oracle all offer some type of encryption key management service, the average enterprise would therefore need to work with four or more different key management systems.

The alternative of putting physical HSMs in corporate data centers also loses its convenience in the typical situations and constraints faced by an enterprise hosting applications in the cloud:

  • High volumes of data generated by mobile applications, IoT devices and the pending 5G network rollouts require the data to be securely encrypted and decrypted “at the edge” to reduce latency and optimize performance. Encryption key management for cloud applications needs to be deployed proximate to data, processing and consumers to optimize performance.
  • Data sovereignty regulations such as GDPR require that data be securely processed and maintained in the country of origin. Enterprises need to locate encryption services in-country while retaining the ability to manage them remotely.

Given these factors, the best way to address the need for encryption key management for cloud applications is a SaaS approach. In comparison to owning legacy HSM devices, encryption key management provided as a service eliminates delays associated with procurement and implementation. Available on-demand, encryption key management as a service can offer capabilities and benefits specifically designed to address the unique needs of cloud environments.

Cloud-neutral. It can be used to manage the complete encryption key lifecycle regardless of which cloud environment the data is stored in. A single, centralized approach to encryption key management (and the user interface) reduces the demands made on already-overworked cybersecurity professionals.

Deployment flexibility. It can quickly be instantiated and be used by applications in an enterprise’s on-premises data center, in a global colocation data center, in a public cloud or supporting applications at remote branches.

Scalability. As your business grows, you can obtain additional capacity without delay, which also reduces the strain caused by common growth bottlenecks.

SmartKey: Encryption Key Management for Cloud Applications

Equinix offers encryption key management as a service via SmartKey. It provides HSM-grade security without the complications of hardware procurement and implementation. SmartKey is globally available, fault tolerant and horizontally scalable to support the encryption needs of cloud applications running in single or multicloud environments.

When hosted on Platform Equinix, an enterprise can magnify the value of SmartKey by having it support the encryption needs of the cloud applications and services that make up the enterprise’s digital ecosystem. Platform Equinix comprises 200 data centers in 52 major metropolitan areas, and through Equinix Cloud Exchange Fabric it dynamically connects to thousands of cloud and network providers as well as business partners. Platform Equinix can further optimize application performance by letting an enterprise bypass the internet with secure, direct connections between cloud providers, business partners and enterprise data centers.

In addition, SmartKey brings added levels of security as well as convenience when developing custom applications.

Added Levels of Security

When not in use, keys are stored in an encrypted database. When in use, keys are available only inside a secure Intel® SGX enclave, ensuring a key is never available in plaintext to any unauthorized software component. Keys are never exposed in plaintext in system memory or on any other physical interface outside the secure enclave.

Encryption keys are held and managed in an entity separate from the data they encrypt. Keeping the data in the cloud and the encryption keys in a separate service such as SmartKey drastically reduces the chance that data and keys are compromised at the same time.

Cloud-Friendly DevOps Tools

Developers building new cloud applications can take advantage of an API-kit providing easy cloud-friendly RESTful APIs, support for PKCS#11, CNG and JCE standards and integration tools for leading public cloud, data services and SaaS application providers. KMIP support enables native integration with storage vendors such as NetApp and EMC.

SmartKey supports plugins for the development and testing of custom code. This addresses the recurring need to develop code that adheres to the standards established by a business partner for integrating with their applications or services. With plugins, you have the ability to run custom business code in a secure sandbox environment inside the secure enclave.

Adopt SaaS Solutions for Encryption Key Management

Enterprises developing and deploying applications that are widely distributed across multiple cloud environments should aggressively adopt the SaaS approach to encryption key management for cloud applications. Global availability, ease of implementation and the ability to deploy encryption key management services where and when needed make it a technically and economically sound decision.

Imam Sheikh (Former) Senior Director, Security Products