Encryption Key Management for Retail: Using a SaaS Approach

Dan Eline

As retailers discover the economic and operational benefits of moving data and applications to the cloud, no two cloud journeys are the same. Small, relatively new retailers may be “born-in-the-cloud,” having immediately recognized the benefits, taking advantage of the latest IT advances and hosting all of their IT operations in the cloud.

Decades-old major retailers with significant investments in on-premises data centers typically take a cautious, gradual approach in making the transition. In most instances, the retailer opts for a hybrid cloud environment with data and applications distributed among their data center and a public or private cloud.

Unlike the relatively constrained IT environments of a retailer’s data center, highly interconnected cloud environments allow retailers to locate data and applications in close proximity to their markets and supply chain partners. In light of the flexibility that the cloud provides, chief security officers and chief risk officers will need to re-think their data security strategy in consideration of:

  • Payment Card Industry Data Security Standard (PCI DSS) compliance.
  • GDPR compliance, if a retailer has operations in any European Union countries.
  • Multicloud environments required to host various applications or make services available in specific geographies.
  • Data sharing with ecosystem partners who also host applications and data in the cloud.
  • Encryption key management for retail, when data and applications are widely distributed.

Encryption key management is the foundation for data security. For years, keys were easily managed on premises with hardware security modules (HSMs). With an increasing move away from legacy physical data centers, how do retailers apply that same level of security to widely distributed data sources?

Retailers can address encryption key management needs in three ways:

  • HSM devices installed in the cloud provider’s data center(s)
  • Key management services offered by cloud providers
  • Software as a Service approach to encryption key management for multicloud environments

HSM Installed in the Cloud Provider’s Data Center

At first glance, this approach appears ideal for retailers who have been using HSMs for years to manage encryption keys. There’s no protracted procurement and implementation cycle. Cloud providers already have HSMs installed in their data centers. All you need to do is deploy the HSM instance and use the command line interface to manage the encryption key lifecycle. Unfortunately, the HSM approach falls short for the following reasons:

  • The HSM selected by the provider may be different from the brand you use in your data center, requiring your data security team to learn yet another IT management tool.
  • You may want to locate the HSM somewhere other than the cloud provider’s data center to improve performance or meet security needs.
  • If you use multiple cloud providers (the RightScale 2019 report[i] indicates the average enterprise is working with at least 4 different cloud providers), you’ll likely have several different HSM brands to manage.

Key Management Services Offered by Cloud Providers

Most cloud providers offer an alternative to HSMs. Key management services (KMS) support complete encryption key lifecycles. A KMS provides a single control point to manage keys and define policies consistently within the cloud provider’s environment. For retailers who are fortunate enough to contract with a single cloud provider to manage all their data and applications, including supply chain, e-commerce, payments, human resources, finance and legal, KMS is a sensible approach to encryption key management for retail.

However, it’s rare for a retailer to use a single cloud provider. With the variety of applications, data and distributed retail operations, retailers typically contract with multiple cloud providers to meet their needs. In the case of multicloud environments, a retailer is faced with learning the UI for the KMS implemented by each cloud provider.

Encryption Key Management for Retail: The SaaS Approach

Encryption key management, available in a software-as-a-service model, remedies the problems retailers encounter with HSMs and key management services and offers additional capabilities that enhance data security. Encryption key management as a service offers these advantages:

  • Cloud neutral: Manage the encryption key lifecycle for data stored in leading cloud environments like Amazon, Azure, Alibaba, Google, IBM and Oracle.
  • Flexibility: Can be deployed in the retailer’s data center, in a cloud provider’s data center, or “at the edge” in colocation data centers to optimize performance.
  • Centralized control: A single, centralized means of encryption key management regardless of where encryption keys are used.
  • Added security: Maintains encryption keys separately from encrypted data. In the event of a data breach, consumer information, credit card numbers and other confidential information remain encrypted, meaningless ciphertext.
  • Shared-data protection: Ensures data remains encrypted in transit and at rest when accessed by ecosystem partners.
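The “added security” point above, keeping encryption keys apart from the data they protect, is usually implemented as envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is stored next to the record only in wrapped form, encrypted under a key-encryption key (KEK) that never leaves the key manager. The Go program below is an added example written for this page, not Equinix or SmartKey code. Its KeyService type is a hypothetical in-memory stand-in for an HSM, cloud KMS or key-management SaaS, and the key IDs and record contents used with it are constructed. It demonstrates that a dump of the data store alone decrypts nothing, that a tampered record is rejected, and that revoking the KEK makes every record wrapped under it unreadable even though the data store is intact.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes draws n bytes from the OS CSPRNG; all keys and nonces come from here.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something this example can recover from
	}
	return b
}

// aead builds AES-256-GCM from a 32-byte key.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails, and every key here is randomBytes(32)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES, whose block size is 16 bytes
	return g
}

// seal prefixes a random nonce to the AES-GCM output so each blob is self-describing.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal; it fails on the wrong key, a tampered blob or mismatched aad.
func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], aad)
}

// KeyService is a hypothetical stand-in for the external key manager (HSM, cloud KMS or
// key-management SaaS): it holds KEKs, never releases them, and only wraps or unwraps DEKs.
type KeyService struct{ keks map[string][]byte }

func NewKeyService() *KeyService          { return &KeyService{keks: map[string][]byte{}} }
func (s *KeyService) CreateKEK(id string) { s.keks[id] = randomBytes(32) } // fresh 256-bit KEK
func (s *KeyService) Revoke(id string)    { delete(s.keks, id) }           // end of the KEK's lifecycle

// WrapDEK encrypts a DEK under the named KEK; the key ID is bound as associated data,
// so a wrapped DEK cannot be presented under a different KEK ID.
func (s *KeyService) WrapDEK(id string, dek []byte) ([]byte, error) {
	k, ok := s.keks[id]
	if !ok {
		return nil, errors.New("KEK unavailable: " + id)
	}
	return seal(k, dek, []byte(id)), nil
}

// UnwrapDEK recovers a DEK; it fails if the KEK is gone or the wrapped blob was altered.
func (s *KeyService) UnwrapDEK(id string, wrapped []byte) ([]byte, error) {
	k, ok := s.keks[id]
	if !ok {
		return nil, errors.New("KEK unavailable: " + id)
	}
	return open(k, wrapped, []byte(id))
}

// Record is what the data store holds: key ID, wrapped DEK and ciphertext, but no plaintext.
type Record struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord uses a fresh DEK per record and stores that DEK only in wrapped form.
func EncryptRecord(ks *KeyService, keyID string, plaintext []byte) (Record, error) {
	dek := randomBytes(32)
	wrapped, err := ks.WrapDEK(keyID, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}, nil
}

// DecryptRecord needs the key service; a copy of the data store alone yields nothing.
func DecryptRecord(ks *KeyService, r Record) ([]byte, error) {
	dek, err := ks.UnwrapDEK(r.KeyID, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}
```

Exercise it by calling EncryptRecord and DecryptRecord against a KeyService (for instance from a Go test with a constructed key ID and record). Because every record has its own DEK, rotating or revoking a KEK means re-wrapping the DEKs rather than re-encrypting the data, and the wrap and unwrap calls are the only path from stored ciphertext back to plaintext, which is why a real deployment logs and access-controls each of them.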

Encryption key management for retail is greatly simplified with a software-as-a-service approach that provides rapid deployment, scales on demand to meet increased data and processing needs, and supports centralized key management to reduce the demands on already-overworked data security professionals.

SmartKey™ is Encryption Key Management for Retail

Equinix, the leader in global interconnectivity, offers SmartKey, which provides HSM-grade security in a software-as-a-service model. SmartKey addresses the needs of retailers operating in multicloud environments. Built using Intel SGX technology, SmartKey performs all cryptographic and key management operations inside the trust boundary of an Intel SGX enclave, protecting the consumer, supplier and financial information managed by retailers.

Platform Equinix® Enhances SmartKey Capability

Volume 2 of the Global Interconnection Index (the GXI), published by Equinix, forecasts digital business growth and predicts a 67% CAGR in interconnection bandwidth for the wholesale and retail industries. To meet this need, Platform Equinix, with 200 data centers in 52 metros, provides interconnectivity among 9,800 companies, 1,000 network providers and 2,500 cloud IT providers, enabling retailers to easily and securely connect to a growing number of ecosystem partners. Optional private network backbone connections between cloud providers avoid Internet traffic, providing faster throughput and an added level of security.

Taking advantage of global interconnectivity, SmartKey gains added value when deployed within Platform Equinix. SmartKey can be hosted in the Equinix data centers closest to the metros, partners and consumers served by retailers. Deployment at the edge secures data and improves performance in high-volume transactions. As retailers make the move to the cloud, Equinix SmartKey’s software-as-a-service approach gives them confidence that encryption keys can be efficiently managed to secure critical data regardless of where in the retail ecosystem it originates, is processed and is retained.

[i] RightScale 2019 State of the Cloud Report