How To Handle Key Management in Multicloud Environments

Encryption Key Management for Cloud Architects

Guido Coenders
How To Handle Key Management in Multicloud Environments

Historically, encryption key management has been straightforward. Hardware security modules—the proven method of managing encryption keys, tokenization, and secrets— were procured and installed in the corporate data center. Broad adoption of cloud technology is forcing enterprises to re-think their approach to encryption keys and key management.

Cloud architects, who are often the nexus for critical decisions regarding data, applications, services and security, need to work closely with participants in any cloud project to determine the optimum key management strategy. This decision will be particularly important as an enterprise evolves its IT resources from an on-premises model to a widely distributed, multicloud model. A brief review of cloud evolution and the possible encryption key strategies that can be employed to highlight the pros and cons of various approaches.

#1 From On-Premises to a Hybrid Cloud Model

The vast majority of enterprises make a gradual move to the cloud. The first step may involve moving select data and applications to a cloud provider for the benefit of better performance, lower CapEx and OpEx, or expansion into a new geography. Often, applications hosted in the cloud need to access data or services residing in the corporate data center using a VPN or dedicated connection.

In a hybrid cloud environment, key management can be addressed in two ways. First, via hardware security modules (HSMs) to encrypt on-premises data paired with HSMs offered by the cloud provider in their data center. Second, via HSMs to encrypt on-premises data paired with the key management service (KMS, no hardware required) offered by the cloud provider to encrypt data stored in the cloud.

Having the same brand/model HSM for on-premises and cloud provider simplifies encryption key management. However, when a cloud provider’s HSM brand/model is different from a business’s standard HSM or a business opts for the KMS approach, the data security team assumes added responsibility for learning and managing two different encryption key systems.

#2 From On-Premises to a Single Cloud Provider

Many small to medium enterprises choose to make a complete move to the cloud. The economic benefits are so persuasive that these businesses make the giant leap, contracting with a cloud provider for IT hardware, services and support. Many startups see cloud as the easiest way to quickly establish the required IT infrastructure without incurring significant CapEx and OpEx.

When all data and applications are hosted in a single cloud provider’s environment, encryption key management can be quite uncomplicated. The business can choose between the HSMs or the key management service offered by the cloud provider. Regardless of which option a cloud architect recommends, a business’s data security team can easily provision these resources.

#3 Evolving to a Multicloud Environment

Multicloud environments are a reality for the majority of businesses that adopt a cloud strategy. Although a business may begin with a single cloud provider, the need to host specific software, have a presence in a remote location or use services unavailable from an existing cloud provider forces most businesses to work with multiple cloud providers to achieve their goals.

Key management in multicloud environments can present significant challenges for cloud architects and data security teams. If a business has evolved from a hybrid cloud model to a multicloud model there can be a wide range of key management products—HSMs on-premises, different HSMs located in cloud provider data centers, or alternatively, a different KMS for each of the cloud providers. As a business grows and cloud resources become more widely distributed the complexity of encryption key management increases.

Encryption Key Strategy for Multicloud Environments

The prevailing key management mindset in many businesses as they evolved into a multicloud environment may simply be “get it done.” That is, use the most expedient means of establishing and managing keys, whether it be HSM or KMS, even if the decision leads to additional key management complexity.

Government and industry regulations add to the challenge of implementing a consistent key management strategy. GDPR, HIPAA, PCI DSS and many others are designed to mitigate data breach threats. They specify requirements controlling how data and where data is acquired, processed and stored. However, situations like Brexit demonstrate how easily geopolitical uncertainty can disrupt established standards of data sovereignty and how global enterprises need flexibility in deploying cloud services and managing data security.

Cloud architects confronted by the challenges of designing and implementing (or retrofitting) an encryption key strategy as an enterprise evolves from on-premises to a multicloud environment have an opportunity to implement a key management strategy that provides deployment flexibility and management simplicity.

HSM as a Service for Multicloud Environments

HSM as a Service provides HSM-grade security without the need for hardware appliances. Cloud-neutral HSM as a Service provides centralized encryption key management for major cloud environments such as Ali Baba, Amazon, Azure, Google, IBM and Oracle. HSM as a Service can be deployed on-demand to support data encryption needs on-premises and in the cloud and scales easily to meet global growth.

HSM as a Service also supports an additional level of data security by maintaining encryption keys in an environment physically separate, yet proximate to the data managed by the cloud provider. In the event of a breach, encryption keys are inaccessible and data remains in meaningless cyphertext format.

HSM as a Service supports key lifecycle management—creation, distribution, rotation, refreshment and retirement. Bring Your Own Key (BYOK) support makes it easy to move existing keys from HSMs or KMS into a central key repository.

SmartKey for Multicloud Environments

For cloud architects looking to establish a consistent, centralized, independent and easily deployed means of managing encryption keys in multicloud environments, HSM as a Service, available as SmartKey from Equinix, provides the ideal solution. Whether embarking on the first cloud project or attempting to simplify encryption key management in multicloud environments, SmartKey offers simplicity without sacrificing security.