This is the first in a series of discussions focused on managing data security in distributed computing environments, particularly encryption key management. Our distributed data security discussion will address this from several angles, providing a review of technologies, strategies, line-of-business perspectives (CISO, security team, developer, architect) and best practices to manage encryption key lifecycles in highly-distributed computing environments. By the time you reach the end of this series, you’ll be well-informed and well-prepared to implement the encryption key management solutions suited to your unique distributed computing environment.
Cloud Has Radically Changed How We Think About IT Resources
Widespread adoption of cloud computing has displaced the decades-old on-premises, centralized corporate data center model for computing. With the cloud, IT resources, applications and data are now widely distributed among corporate data centers, cloud providers, branch offices and across international borders.
Computing power, storage, network and security services can be deployed on-demand and easily scaled up or down to optimize performance. Cloud and solution architects play a vital role in designing and deploying the appropriate type and location of cloud resources and need to work side by side with data security teams to protect application and data assets.
Cloud Has Changed How We Think About Data Security
The benefits of distributed cloud computing are accompanied by new responsibilities for ensuring data is securely maintained wherever it resides, on-premises or in the cloud. One reality of cloud computing is the number of different cloud providers the typical enterprise employs to support its application and data needs. A growing percentage of enterprises have a multicloud strategy: surveyed enterprises report running applications on an average of 3.4 public and private clouds and experimenting with 1.5 more, for a total of 4.9 clouds. The multicloud enterprise is the norm.
The multicloud factor raises some distinct concerns regarding encryption key management. Specifically, with the diversity of cloud environments, widely-distributed data repositories and data security skills in great demand, what are the optimal strategies for managing encryption keys?
Hardware Security Module (HSM) – The On-Premises Standard
Hardware security modules, the decades-proven approach to managing encryption keys in corporate data centers, might seem the logical way to secure data in the cloud as well; after all, you have had years of experience procuring, installing and configuring them. Although they can continue to secure data in the corporate data center, especially if you have opted for a hybrid cloud model, HSMs present challenges when the data to be encrypted resides at a cloud service provider or in a colocation data center.
Cloud providers do offer HSMs, but they may not be the brand or model your data security team is accustomed to deploying. If you choose that option, the provider provisions its HSM of choice on demand, with no hands-on installation on your side. Colocation centers may or may not offer an HSM option; in the worst case, you are responsible for shipping, racking and initializing the appliance yourself.
The challenge with HSMs becomes more complex in multicloud environments and across multiple colocation centers. A diverse fleet of HSM devices, each with its own administration tooling, firmware and backup procedures, adds to the demands on an already-stretched data security team. The potential need for on-site installation also impedes the quick deployment of new services or expansion to additional locations that require key management. HSMs can be ideal for on-premises or local data, but as data becomes increasingly distributed, they look less like the ideal solution to encryption key management.
Key Management Services (KMS) for the Cloud
Cloud providers address the need for encryption key management with key management services. A KMS allows an enterprise to manage encryption keys without procuring an HSM appliance. It provides centralized key lifecycle management (creation, rotation, disabling and scheduled deletion) plus the ability to import existing key material, often called bring your own key. One caveat worth checking before you rely on a KMS for portability: most cloud KMS offerings deliberately never release key material once it is inside the service, so "export" generally means a provider-specific backup blob rather than keys you can carry to another cloud. Available as a service, a KMS scales easily to accommodate data growth and enterprise expansion and natively integrates with a wide range of services and tools offered by the same provider.
Within a single cloud provider's environment, its KMS can be the ideal choice: native, convenient, scalable and integrated, particularly if an enterprise uses only that provider. In a multicloud enterprise, however, the shortcomings of the KMS approach appear. Much as with managing a diverse collection of HSMs, the data security team must master the API, console and key policy model of each provider's KMS, and keys created in one provider's service cannot be used to protect data held in another. In a widely-distributed cloud computing environment, data security teams want simplicity, not complexity.
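To make the lifecycle management described above concrete, here is an added example (not code from the original post, nor any vendor's KMS implementation) of the pattern every cloud KMS is built around: a master key that never leaves the service, versioned so it can be rotated, wrapping short-lived data-encryption keys that applications use for the actual bulk encryption (envelope encryption). The in-memory `ManagedKey` type, the `CreateKey`, `Rotate`, `Disable`, `GenerateDataKey` and `Decrypt` names, the 32-byte AES-256-GCM wrapping and the `version || nonce || ciphertext` blob layout are all assumptions made for this illustration; real services use their own wire formats and run the wrapping inside HSM-backed boundaries, but the observable behaviour (old blobs still unwrap after rotation, new blobs use the newest version, a disabled key refuses every operation, tampering is detected) is what a practitioner should expect from any of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// ManagedKey is an in-memory stand-in for one cloud KMS master key (demo only):
// a stable ID, a history of 32-byte AES-256 key-encryption-key (KEK) versions
// (last entry is current) and a lifecycle state. KEK material never leaves it.
type ManagedKey struct {
	ID       string
	versions [][]byte
	Enabled  bool
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: fail loudly rather than wrap with a weak key
	}
	return b
}

// CreateKey generates version 0 of a new KEK inside the "service".
func CreateKey(id string) *ManagedKey {
	return &ManagedKey{ID: id, versions: [][]byte{randomBytes(32)}, Enabled: true}
}

// Rotate makes a new KEK version current: nil lets the service generate it, 32
// bytes imports your own material (BYOK). Old versions stay for unwrapping.
func (mk *ManagedKey) Rotate(material []byte) error {
	if material == nil {
		material = randomBytes(32)
	} else if len(material) != 32 {
		return fmt.Errorf("imported material must be 32 bytes, got %d", len(material))
	}
	mk.versions = append(mk.versions, append([]byte(nil), material...))
	return nil
}

// Disable blocks all cryptographic use but keeps the material, so it is reversible.
func (mk *ManagedKey) Disable() { mk.Enabled = false }

// aeadFor is the single gate every cryptographic operation passes through.
func (mk *ManagedKey) aeadFor(version int) (cipher.AEAD, error) {
	if !mk.Enabled {
		return nil, fmt.Errorf("key %q is disabled", mk.ID)
	}
	if version < 0 || version >= len(mk.versions) {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	block, err := aes.NewCipher(mk.versions[version])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateDataKey returns a fresh data-encryption key (DEK) in the clear and
// wrapped under the current KEK. The caller encrypts its data with the DEK,
// discards it, and stores only the wrapped copy (envelope encryption). Blob layout
// (an assumption for this demo): version(4) || nonce(12) || AES-GCM(DEK), with the
// key ID bound as AAD so a blob cannot be unwrapped under a different key.
func (mk *ManagedKey) GenerateDataKey() (dek, wrapped []byte, err error) {
	version := len(mk.versions) - 1
	aead, err := mk.aeadFor(version)
	if err != nil {
		return nil, nil, err
	}
	dek, nonce := randomBytes(32), randomBytes(aead.NonceSize())
	wrapped = make([]byte, 4)
	binary.BigEndian.PutUint32(wrapped, uint32(version))
	wrapped = append(wrapped, nonce...)
	return dek, aead.Seal(wrapped, nonce, dek, []byte(mk.ID)), nil
}

// Decrypt unwraps a DEK with the KEK version named in the blob header, so data
// wrapped before a rotation stays readable; any tampering fails the GCM tag check.
func (mk *ManagedKey) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4+12 {
		return nil, fmt.Errorf("wrapped blob too short")
	}
	aead, err := mk.aeadFor(int(binary.BigEndian.Uint32(wrapped)))
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	return aead.Open(nil, wrapped[4:4+ns], wrapped[4+ns:], []byte(mk.ID))
}

func main() {
	key := CreateKey("orders-db")
	dek, wrapped, _ := key.GenerateDataKey()
	_ = key.Rotate(nil) // v1 is now current; the v0 blob must still unwrap
	got, err := key.Decrypt(wrapped)
	fmt.Printf("v0 blob after rotation: match=%v err=%v\n", string(got) == string(dek), err)
}
```

Two design points carry over to any real KMS. First, rotation only changes which version wraps new data keys; nothing already encrypted needs re-encryption, which is why rotating a KMS master key is cheap while rotating a key you encrypted terabytes with directly is not. Second, because the key ID is authenticated as associated data, a wrapped DEK lifted from one dataset cannot be laundered through a different key's decrypt permission, which is the property cloud IAM policies on individual keys depend on.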
HSM as a Service (HSMaaS) for Multicloud Environments
A third encryption key management option to consider combines HSM-backed key protection with the convenience of a key management service. HSM as a Service offers a centralized approach to encryption key management across the major cloud provider environments (Alibaba, AWS, Azure, IBM, Google and Oracle) as well as on-premises corporate data centers, so one set of keys, policies and audit logs can govern data wherever it resides.
HSM as a Service is available on demand, scales globally and provides a cloud-friendly API for custom integration and development. When deployed in globally interconnected data centers, HSM as a Service allows an enterprise to locate key management services "at the edge," close to the applications that call them, supporting high-volume transaction workloads by minimizing the round-trip latency of each key operation.
If you are one of the 84 percent of enterprises employing a multicloud strategy, HSM as a Service may be the most efficient and consistent means of managing encryption keys across the various environments.
Distributed Data Security – Challenges and Options
Managing encryption keys in cloud environments presents new challenges for data security teams. Unlike data held in the corporate data center, data spread across providers, regions and colocation sites presents a larger attack surface and more places where keys must be protected, rotated and eventually destroyed. With the variety of cloud strategies (private, hybrid and public) and the number of cloud providers hosting data and applications, data security professionals need encryption key management solutions that keep data protected while simplifying, rather than multiplying, the team's key management responsibilities.
Between them, HSMs, KMS and HSM as a Service can address the full spectrum of encryption key management needs. We'll explore these options, addressing the pros and cons of each, in greater detail in upcoming distributed data security blogs.