How to Manage Encryption Keys Across On-Premises and the Cloud

New SmartKey HSM Gateway lets you centrally manage all encryption keys and prepare for migrating keys to the cloud

Shilpa Hallyal

Organizations that manage large volumes of sensitive data, especially government agencies and companies in financial services and healthcare, were understandably slow to start their cloud journeys because of concerns around data security and privacy. Data protection regulations and standards, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) standards[i], have had a significant impact on how organizations can handle personal information. Because hardware security modules (HSMs) have historically had higher levels of security than cloud-based encryption key management services (KMS), many of these organizations have relied on HSMs to securely encrypt their data in on-premises data center environments. Now, however, these organizations want and need to benefit from the agility, efficiencies and cost benefits of running applications in the cloud.

Today, highly secure SaaS services like Equinix SmartKey® offer the same level of security as HSMs without the need for appliances. Unfortunately, legacy HSMs – often different brands from different vendors – tend to be spread out across on-premises infrastructure and cannot be migrated directly to the cloud. Further, managing multiple HSMs across a large network has always been a headache, and as organizations add new cloud-based applications and need to rely on a KMS from each cloud service provider (CSP), the headache can quickly turn into an agonizing migraine.

With its new HSM Gateway feature, SmartKey offers the pain relief these organizations need, allowing them to centrally manage all their encryption keys, whether stored in on-premises HSMs, in the cloud or in SmartKey. SmartKey also makes it easy and seamless to migrate key management when an organization is ready to move a legacy application to the cloud.

How SmartKey can work for you

Offered in partnership with Fortanix, Equinix SmartKey is a cloud-neutral SaaS solution for globally managing encryption keys for applications, whether the applications run on-premises or in multiple public, private or hybrid clouds. SmartKey separates encryption keys from the data and ensures you keep complete control over your keys. Not even service providers, governments or Equinix have access to them. SmartKey can also provide Federal Information Processing Standard (FIPS) 140-2 Security Level 3 validation without the need for HSM appliances.

SmartKey lets you securely generate, store and use cryptographic keys and certificates, as well as other sensitive information or secrets such as passwords, API keys or tokens. You can generate keys in SmartKey or import your own keys and then use these keys to perform cryptographic operations using REST APIs, PKCS #11, KMIP, JCE, Microsoft CAPI or Microsoft CNG providers, or even a command-line client.

SmartKey frees you from having to buy, deploy and manage appliances. It supports symmetric and asymmetric keys, as well as role-based access to control which users, groups or apps have access to which keys and what operations they can perform with those keys. SmartKey also offers a complete audit trail of key usage.

SmartKey HSM Gateway: Seamless key management throughout your cloud journey

If your organization is in a regulated industry, you have probably built your key management strategy using a pool of HSM appliances, often from different vendors, distributed in multiple, global data centers. This limits your ability to migrate applications to the cloud because they are locked into PKCS #11 or proprietary key management interfaces, and there is no efficient way to continue consuming the on-premises HSMs without adding substantial latency.

To solve this challenge, SmartKey HSM-Gateway can link physical HSMs to a group in SmartKey. This allows you to use SmartKey as the interface for obtaining encryption keys and performing other cryptographic operations, while the actual cryptographic processes take place on the linked HSMs in the background. SmartKey creates corresponding virtual keys for each on-premises HSM, and all keys are managed, rotated and revoked through the SmartKey web interface or through APIs. Any third-party HSM that supports PKCS #11 can be configured in SmartKey.

Most important, master key material remains in the legacy HSMs, enabling you to maintain regulatory compliance in your current environment. When you’re ready for the next step in your cloud journey, SmartKey also provides a non-disruptive way to migrate keys from the legacy HSMs into SmartKey and shift fully to REST APIs. During key rotation, SmartKey can be selected as the HSM of choice for the new key, and all requests will then be handled by SmartKey. Once all data using the key in the legacy HSM is re-encrypted with a new key in SmartKey, all data will rely on the keys in SmartKey.
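As an added illustration (not SmartKey's own code or API), here is a small Python model of the gateway pattern this section describes: callers talk to one interface, each key version records which backend holds its master material, rotation creates the new version on SmartKey, and re-encryption moves data off the legacy HSM so the old backend can be retired. The backend labels and the HMAC-based stand-in cipher are assumptions made to keep the example standard-library only.

```python
import hashlib, hmac, os

LEGACY, SMARTKEY = "legacy-hsm", "smartkey"   # constructed backend labels (assumption)


def _keystream(material: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a standard-library stand-in for AES (assumption,
    # chosen so the example runs offline); the routing logic is the point, not the cipher.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(material, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class Gateway:
    """Single interface for callers. Each virtual key is a list of versions, and each
    version records which backend holds its master material (material never leaves it)."""

    def __init__(self):
        self.keys = {}   # name -> [(backend, material), ...]; list index = version number

    def rotate(self, name: str, backend: str) -> int:
        """New version on the chosen backend; older versions remain for decryption only."""
        self.keys.setdefault(name, []).append((backend, os.urandom(32)))
        return len(self.keys[name]) - 1

    def encrypt(self, name: str, plaintext: bytes) -> dict:
        version = len(self.keys[name]) - 1            # new data always uses the newest version
        nonce = os.urandom(16)
        ks = _keystream(self.keys[name][version][1], nonce, len(plaintext))
        return {"key": name, "version": version, "nonce": nonce, "ct": _xor(plaintext, ks)}

    def decrypt(self, record: dict) -> bytes:
        _, material = self.keys[record["key"]][record["version"]]
        ks = _keystream(material, record["nonce"], len(record["ct"]))
        return _xor(record["ct"], ks)

    def backends_in_use(self, records: list) -> set:
        """Backends that must stay reachable to decrypt these records."""
        return {self.keys[r["key"]][r["version"]][0] for r in records}

    def migrate(self, name: str, records: list) -> list:
        """Rotate onto SmartKey, then re-encrypt every record under the new version."""
        self.rotate(name, SMARTKEY)
        return [self.encrypt(name, self.decrypt(r)) for r in records]
```

After `migrate`, `backends_in_use` on the re-encrypted records reports only SmartKey, which is the check to run before decommissioning the legacy HSM.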

The benefits of SmartKey on Platform Equinix

Using SmartKey isn’t just a smart way to facilitate your cloud journey. SmartKey is a global SaaS-based service offered on cloud-neutral Platform Equinix®. This means you don’t have to install or manage hardware, no matter where in the world you want to deploy SmartKey. And with more than 210 data centers and 55 metros on Platform Equinix, you can deploy SmartKey close to your applications to minimize latency. SmartKey on Platform Equinix is automatically multi-cloud enabled, providing you with maximum flexibility during your entire cloud journey. Equinix Cloud Exchange Fabric® (ECX Fabric®) also lets you directly and securely extend your infrastructure to digital ecosystems around the world via software-defined interconnection.

Download the SmartKey data sheet and start your free trial today.



[i] Data Protection Legislation around the World in 2020