Budgeting for Data Security Management in 2020 – Spend Wisely on Encryption Key Management

Data security professionals have three main options when designing and deploying an enterprise encryption key management strategy: 1) Choose the traditional hardware security module (HSM) approach; 2) Opt for a key management service (KMS) that most leading cloud providers offer; and 3) Select an HSM as a Service approach. Each of these options has pros and cons that influence budgeting for data security management.

As enterprises evolve from a single cloud provider to the now-normal multicloud environments that rely on an increasing number of interconnections among clouds, the result is often a mix of encryption key management solutions that contribute to management complexity. At a time when CSOs are looking for simplicity and consistency in data security management, there’s a good reason to revisit encryption key strategy and its impact on budgeting for data security management.

Budgeting for Data Security Management

A brief review of the options can provide useful guidance in helping data security teams plan and budget accordingly as their cloud strategy evolves.


Comparing HSM, KMS and HSM as a Service

Hardware Security Module (HSM)

Tamper-proof hardware modules are available as a plug-in card, an external device attached directly to a computer, or a specialized server. An HSM contains cryptoprocessing chips to protect cryptographic keys, provide data encryption, signing and authentication services.

Selection: Multiple established brands—Gemalto, HP, IBM, Thales and Utimaco.

Procurement: Days to weeks, depending on supply chain efficiency.

Implementation: Deployment at remote sites requires on-site technicians. When using a cloud provider's HSM service, the provider determines the HSM brand(s).

Budgeting considerations: HSMs are hardware procurement CapEx items. Procurement problems can delay deployment and may impact time to market for new applications or services. HSMs offered by cloud service providers can be implemented without such delays. However, the variety of HSM brands (each with its own management interface) needed to encrypt data across multiple cloud providers and geographies works against the need for simplicity and consistency in data security management.

Key Management Service (KMS)

A software-based approach, sometimes underpinned by HSMs already installed in the cloud provider's data center, that provides centralized key management and scalability for data stored in that provider's data center.

Selection: The major cloud service providers (AWS, Azure, Google and Oracle) each offer a KMS solution.

Procurement: Immediate self-service access to the cloud service eliminates any delays. No hardware procurement involved.

Implementation: Cloud-speed on-demand deployment, with configuration via the management UI.

Budgeting considerations: Enterprises using only a single cloud provider may find that provider's KMS ideal for their needs. Pay-as-you-go models offer predictable OpEx costs, paying only for resources used, and the KMS provides centralized encryption key management through a single management tool with native integration into many of the provider's other cloud services. Data security teams in enterprises using multiple cloud providers, however, will need to learn a different management interface for each KMS: deployment simplicity is countered by management complexity.

HSM as a Service

A SaaS-based, secure key management and cryptography service for major cloud environments such as AWS, Azure, Google, Oracle and Salesforce. It provides HSM-level security without the need to procure HSM devices, and scales easily and globally to protect data in public, private, hybrid or multicloud environments.

Selection: A unique solution available from Equinix.

Procurement: Immediate self-service access to the cloud service eliminates any delays. No hardware procurement involved.

Implementation: On-demand deployment in minutes, located proximate to encrypted cloud data to minimize latency. Configuration via management UI.

Budgeting considerations: For enterprises managing hybrid or multiple cloud environments, HSM as a Service offers a single, centralized means to manage encryption keys across the major cloud providers. This consumption model offers predictable OpEx costs, paying only for resources used. It simplifies deployment and eliminates the complexity and inefficiency of using a different solution for each cloud environment.

Which option meets strategy and budget requirements?

What are the best strategies for consistently managing data security across multiple cloud environments and widely distributed IT resources? Enterprises looking for better means of managing encryption keys should take a holistic approach as part of budgeting for data security management. A few questions can help determine which approach meets both strategy and budget requirements.

  • How many different solutions are currently used to manage encryption keys?
  • What are the annual CapEx and OpEx costs for these solutions?
  • Does it make economic sense to replace HSM devices with “as a service” alternatives?
  • How quickly or how frequently do you need to deploy encryption key management for new applications or support in new geographies? Have past deployment delays impacted time-to-market?
  • Which encryption key management solution reduces the workload of your data security team?

Although data security teams may already possess technical knowledge of one or more HSM devices, consistent, timely deployment across hybrid and multicloud environments cannot be achieved using traditional HSMs. A KMS solves the problem of timely deployment, but the result becomes complex when each cloud provider offers a different KMS, and a KMS does not offer the level of security of an HSM.

SmartKey is HSM as a Service

HSM as a Service is available as SmartKey™ from Equinix. SmartKey provides secure key storage, encryption and tokenization services to protect data in public, private, hybrid or multicloud environments. SmartKey provides RESTful APIs and supports standard interfaces such as PKCS#11, KMIP, JCE, and CNG. Key access is restricted to authorized owners, protecting against insider attacks and exposure in shared cloud infrastructures.

SmartKey, hosted on Platform Equinix, simplifies the provisioning and control of encryption keys, giving enterprises a single, efficient method to deploy and manage the entire encryption key lifecycle. When budgeting for data security management in 2020, a single, consistent approach to encryption key management is a wise investment to enhance security and simplify operations.
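To make the two preceding points concrete (key access restricted to authorized owners, and a single service that manages the whole key lifecycle), here is an added example that is not code from this post or from Equinix, and does not use SmartKey's API. It is a minimal in-process model of the boundary a key service provides: keys are generated, rotated, disabled and destroyed inside the service, callers only ever hold a key identifier and must be the key's owner to use it, and signing happens inside the service so key bytes never leave it. The class and method names are my own, the principal names are constructed, and HMAC-SHA256 from the Python standard library stands in for the HSM's signing operation.

```python
"""Toy model of a centralized key service (added example, not SmartKey code).

Applications hold only key identifiers. Key material is generated, rotated
and destroyed inside the service boundary, and every operation is checked
against the key's owner before any cryptography happens.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class KeyServiceError(Exception):
    """Raised for authorization failures and use of unusable keys."""


@dataclass
class ManagedKey:
    owner: str
    state: str = "enabled"                        # enabled -> disabled -> destroyed
    versions: list = field(default_factory=list)  # secret bytes, newest last


class KeyService:
    """Holds key material; callers get identifiers and operations, never bytes."""

    def __init__(self):
        self._keys = {}

    def create_key(self, owner: str) -> str:
        key_id = "key-" + secrets.token_hex(8)
        self._keys[key_id] = ManagedKey(owner=owner, versions=[secrets.token_bytes(32)])
        return key_id  # the caller never receives the key bytes

    def _authorize(self, key_id: str, principal: str) -> ManagedKey:
        key = self._keys.get(key_id)
        if key is None or key.owner != principal:
            # Same error for "missing" and "not yours" so callers cannot probe key ids.
            raise KeyServiceError("access denied")
        if key.state == "destroyed":
            raise KeyServiceError("key destroyed")
        return key

    def _usable(self, key_id: str, principal: str) -> ManagedKey:
        key = self._authorize(key_id, principal)
        if key.state != "enabled":
            raise KeyServiceError("key disabled")
        return key

    def rotate_key(self, key_id: str, principal: str) -> int:
        """Add a new version; old versions stay for verifying existing signatures."""
        key = self._authorize(key_id, principal)
        key.versions.append(secrets.token_bytes(32))
        return len(key.versions)

    def disable_key(self, key_id: str, principal: str) -> None:
        self._authorize(key_id, principal).state = "disabled"

    def destroy_key(self, key_id: str, principal: str) -> None:
        key = self._authorize(key_id, principal)
        key.versions = []  # drop the material; the id remains so reuse is refused
        key.state = "destroyed"

    def sign(self, key_id: str, principal: str, data: bytes) -> bytes:
        key = self._usable(key_id, principal)
        version = len(key.versions) - 1  # toy limit: at most 256 versions (one prefix byte)
        mac = hmac.new(key.versions[version], data, hashlib.sha256).digest()
        return bytes([version]) + mac    # version prefix lets old signatures verify after rotation

    def verify(self, key_id: str, principal: str, data: bytes, signature: bytes) -> bool:
        key = self._usable(key_id, principal)
        version, mac = signature[0], signature[1:]
        if version >= len(key.versions):
            return False
        expected = hmac.new(key.versions[version], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Walk one key through its lifecycle; every value should be True."""
    svc = KeyService()
    owner, other = "payments-app", "reporting-app"   # constructed principals
    kid = svc.create_key(owner)
    msg = b"constructed sample record"
    sig_v0 = svc.sign(kid, owner, msg)
    out = {"verify_v0": svc.verify(kid, owner, msg, sig_v0)}
    svc.rotate_key(kid, owner)
    sig_v1 = svc.sign(kid, owner, msg)
    out["old_sig_still_verifies"] = svc.verify(kid, owner, msg, sig_v0)
    out["new_sig_verifies"] = svc.verify(kid, owner, msg, sig_v1)
    out["tampered_rejected"] = not svc.verify(kid, owner, msg + b"x", sig_v1)
    try:
        svc.sign(kid, other, msg)
        out["other_principal_denied"] = False
    except KeyServiceError:
        out["other_principal_denied"] = True
    svc.destroy_key(kid, owner)
    try:
        svc.verify(kid, owner, msg, sig_v1)
        out["destroyed_unusable"] = False
    except KeyServiceError:
        out["destroyed_unusable"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the version prefix on each signature: rotation adds key material without invalidating what the previous version signed, which is what lets a single service manage the lifecycle rather than forcing every application to re-sign on each rotation. Destroying a key drops the material but keeps the identifier, so a later attempt to use it fails closed instead of silently creating a new key under the same name.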