What the CISO Should Know About Protecting Encryption Keys In Cloud Environments

Larry Hughes

A recent WSJ article, “U.S. Companies Can Defend Themselves in Cyberspace,” paints a more optimistic view of corporate abilities to protect themselves than most CISOs might imagine. With the growth of the cybersecurity industry—$114 billion in 2018, per Gartner—and the range of cybersecurity products now available, an enterprise can create a multilayer defense against cyberattacks. From data encryption to machine learning that proactively identifies threats, such defenses make it far more difficult for attackers to penetrate the enterprise.

For decades, encryption key management provided by hardware security modules (HSMs) has been the foundation for data security, but as companies move to the cloud they often find that the on-premises HSM model does not efficiently serve the needs of protecting encryption keys in cloud environments. As enterprises contend with security threats, CISOs are looking for simpler, standardized methods of securing data.

Protecting Encryption Keys In Cloud Environments – The Limitations of HSMs

Managing an HSM has enough challenges as it is. When faced with protecting encryption keys in cloud environments, CISOs encounter a new set of key management challenges.

  • Cloud service providers offer HSMs that can be provisioned in their data centers. However, the brand they choose may not be the same brand you use in your corporate data centers. Not all sport the same features, so interoperability can become an issue.
  • Although you may contract with a single cloud provider on your initial move to the cloud, the overwhelming majority of companies eventually evolve to multicloud environments, potentially with a different HSM brand or device for each cloud provider.

From the CISO perspective, with all the challenges of cybersecurity across cloud environments and already-overworked data security teams, you want simplification and standardization, not complexity when protecting encryption keys in cloud environments.

Key Management Service – Another Option for Protecting Encryption Keys in Cloud Environments

Many cloud providers offer key management service (KMS) as an alternative to HSMs for protecting encryption keys in cloud environments. With no hardware involved, KMS can be deployed on-demand. However, in multicloud environments, with a different KMS for each cloud, the data security team faces the same issues of complexity in protecting encryption keys.

HSM as a Service – A Better Strategy for Protecting Encryption Keys in a Multicloud Environment

CISOs can meet the challenges of protecting encryption keys in cloud environments using an HSM as a Service strategy. HSM as a Service, available from Equinix as SmartKey and built on Intel Software Guard Extensions (SGX), provides HSM-grade, cloud-neutral encryption key management for cloud environments without the need to install HSM hardware. Delivering equivalent, and often better, functionality and capabilities than the HSM or KMS approaches, HSM as a Service:

  • Provides a single, centralized method of protecting encryption keys across major cloud environments, including AWS, Alibaba, Azure, Google, IBM and Oracle.
  • Supports public, private, hybrid and multicloud environments.
  • Enables quick transition from incumbent HSM solutions through easy assimilation of encryption keys (BYOK) from existing corporate resources or services.
  • Scales horizontally, and is highly available and fault-tolerant, to easily accommodate process or geographic growth.
  • Provides RESTful APIs, PKCS#11, CNG, JCE and KMIP interfaces to handle integration with leading public cloud, data services and SaaS application providers.
  • Stores keys close to critical applications at the digital edge, whether in the cloud or on-premises, to minimize latency.

HSM as a Service brings an added level of security by keeping encryption keys close to, but separate from, the encrypted data. HSM as a Service can be deployed on-premises, at a colocation data center, or at the edge, close to cloud and communication service providers.

Protecting Encryption Keys Without Hardware in Cloud Environments

After years of relying on HSMs, data security professionals may be reluctant to trust encryption key management to software alone. That’s understandable; however, an investigation of the Intel SGX technology that underpins HSM as a Service should remove any doubts and confirm the advantages of this approach.

Intel SGX uses private memory regions (enclaves) isolated from all other processes. All access control, key generation, cryptographic operations, user and application authentication, and logging are performed in a protected environment implemented inside enclaves.

Encryption keys are held in an encrypted database when not in use. While a key is in use inside an enclave, it cannot be read in plaintext from outside the enclave, either at the software level (kernel or hypervisor) or at the physical level (memory bus).
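The two properties described above, keys wrapped at rest and never handed out in plaintext while in use, together with the BYOK import path mentioned earlier, can be modelled as a trust boundary that callers reach only through handles. The following Python is an added illustration written for this article; it is not SmartKey or Intel SGX code. The `KeyBoundary` class, its method names and the audit record layout are assumptions, and the wrapping cipher is an HMAC-SHA256 counter-mode construction with an HMAC tag that stands in for AES-GCM so the example runs with only the standard library (a real deployment would use a proper AEAD and a hardware-rooted master key).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separated subkeys so the keystream and the MAC never share inputs.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC stand-in for AES-GCM. Layout: nonce(16) || ct || tag(32)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext or context was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


@dataclass
class KeyBoundary:
    """Hypothetical model of the enclave/HSM boundary: only code inside this
    class ever sees raw key bytes. Callers get handles, ciphertexts, audit rows."""
    _master: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    _store: dict = field(default_factory=dict)  # handle -> wrapped key (at-rest form)
    _acl: dict = field(default_factory=dict)    # handle -> principals allowed to use it
    audit: list = field(default_factory=list)   # (principal, operation, handle)

    def _wrap(self, handle: str, raw: bytes) -> bytes:
        # Bind the blob to its handle so wrapped keys cannot be swapped between entries.
        return aead_encrypt(self._master, raw, aad=handle.encode())

    def _unwrap(self, handle: str) -> bytes:
        return aead_decrypt(self._master, self._store[handle], aad=handle.encode())

    def _authorize(self, principal: str, handle: str, op: str) -> None:
        if principal not in self._acl.get(handle, set()):
            self.audit.append((principal, op + "-denied", handle))
            raise PermissionError(f"{principal} may not {op} with {handle}")
        self.audit.append((principal, op, handle))

    def _admit(self, owner: str, raw: bytes, op: str) -> str:
        handle = "key-" + secrets.token_hex(8)
        self._store[handle] = self._wrap(handle, raw)  # raw bytes live only on this line
        self._acl[handle] = {owner}
        self.audit.append((owner, op, handle))
        return handle

    def generate_key(self, owner: str) -> str:
        return self._admit(owner, secrets.token_bytes(32), "generate")

    def import_key(self, owner: str, raw: bytes) -> str:
        """BYOK: key material from an existing corporate HSM is wrapped on arrival."""
        return self._admit(owner, raw, "import")

    def grant(self, owner: str, handle: str, principal: str) -> None:
        self._authorize(owner, handle, "grant")
        self._acl[handle].add(principal)

    def encrypt(self, principal: str, handle: str, plaintext: bytes) -> bytes:
        self._authorize(principal, handle, "encrypt")
        return aead_encrypt(self._unwrap(handle), plaintext, aad=handle.encode())

    def decrypt(self, principal: str, handle: str, blob: bytes) -> bytes:
        self._authorize(principal, handle, "decrypt")
        return aead_decrypt(self._unwrap(handle), blob, aad=handle.encode())

    def export_wrapped(self, principal: str, handle: str) -> bytes:
        """The only export path: the at-rest (wrapped) form, never raw bytes."""
        self._authorize(principal, handle, "export")
        return self._store[handle]


def demo() -> dict:
    """Generate, BYOK import, use, an access denial and tamper detection."""
    kms = KeyBoundary()
    h = kms.generate_key("app-a")
    ct = kms.encrypt("app-a", h, b"customer record 42")
    results = {"roundtrip": kms.decrypt("app-a", h, ct) == b"customer record 42"}
    imported = bytes(range(32))  # constructed BYOK key material for the demo
    h2 = kms.import_key("app-b", imported)
    results["raw_not_at_rest"] = imported not in kms.export_wrapped("app-b", h2)
    try:
        kms.decrypt("app-b", h, ct)  # app-b was never granted app-a's key
        results["denied"] = False
    except PermissionError:
        results["denied"] = True
    tampered = ct[:20] + bytes([ct[20] ^ 0x01]) + ct[21:]
    try:
        kms.decrypt("app-a", h, tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    results["audit_entries"] = len(kms.audit)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the interface rather than the toy cipher: every operation is authorized and logged inside the boundary, the store only ever holds wrapped material, and the single export path returns that wrapped form, which is what lets keys sit close to, but separate from, the data they protect.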

The result is significantly improved key management security, combining the elasticity of modern cloud software with the hardware-based security of an HSM appliance. If you want to delve more deeply into the underlying Intel SGX technology that supports HSM as a Service, we invite you to take a few minutes to review this whitepaper.

Equinix SmartKey Provides HSM as a Service

SmartKey from Equinix provides encryption and tokenization services, secure key storage and cloud scalability to address performance and compliance requirements. SmartKey is accessible on Platform Equinix and through Equinix Cloud Exchange Fabric that directly, securely and dynamically connects distributed infrastructure and digital ecosystems via global, software-defined interconnections.

Larry Hughes, Business Information Security Officer (BISO)