Managing Database Credentials Securely with HSM as a Service

How Equinix SmartKey KMS simplifies secure key management in the cloud

Christian Melendez
Gautam Roy
Managing Database Credentials Securely with HSM as a Service

Providing credentials securely to our applications helps reduce the risk of a data breach. However, you need to ensure that applications are using database credentials in a secure fashion. Even if you’re relying heavily on the configuration management systems, you never know who might gain access to your passwords and database. Therefore, encrypting those credentials is a must-have, even if your company’s data exchange remains internal.

At the same time, it’s important to keep the encryption process simple enough to support modern application development in a continuous delivery pipeline. When you use a third-party service like a Hardware Security Module (HSM) as-a-service to manage encryption operations, you limit the risk of leaking important data from your systems without disrupting the development pipeline.

We will also explore the best practices for using an external key manager to physically separate keys across providers.

Security control for all clouds

Equinix SmartKey, a global SaaS-based, secure key management and cryptography service, offered on cloud-neutral Platform Equinix®, simplifies data protection across any cloud architecture.

Learn More
smartkey-security-thumb-300x270

Separating encryption keys from your data

Ideally, you want to keep your encryption keys separate from the data you would like to encrypt. If you want to block access to your house, you wouldn’t leave the keys next to the front door. The same principle applies to your encryption keys. If an attacker can access your network (perhaps due to a vulnerability in your systems), you don’t want them to see the credentials in plain text. To prevent this, you could encrypt the credentials you use to access your databases.

Here’s how an HSM can help keep your credentials secure.

How an HSM-as-a-Service keeps database credentials safer

An HSM is a physical computing device used for safeguarding and managing digital keys. It also performs encryption and decryption functions for digital signatures, authentication and other cryptographic functions. You don’t need to have access to the private keys to manage these functions since the HSM can do it for every cryptographic operation you need. You send data and, if you’re authenticated, the HSM will retrieve encrypted or decrypted information. Additionally, you can audit every call made so that you can monitor any strange activity, a requirement for regulatory compliance.

Equinix SmartKey® is a SaaS-based HSM service that provides secure key management and cryptography, simplifying the provisioning and control of encryption keys. Having both keys and data with a single cloud service provider (CSP) can be a risk. Even if your systems are running in a CSP environment that provides you with an encryption service where you can upload custom keys, the encryption keys are still near your data and under the physical control of the CSP. For heightened security, it is better to decouple your encryption keys and your data, keeping them in a separate location.

Let’s discuss a use case, where this is being achieved with Equinix SmartKey and Google Cloud.

Leveraging SmartKey integration with Google Cloud

With a cloud-based key management service (KMS), both the customer data and the keys are with the same CSP. This curbs the migration of applications that process and store sensitive data because it increases the risk of cyberattacks because both data and encryption keys are on the same public cloud platform.

You can now use Equinix SmartKey as the external key manager integrated with Google Cloud Big Query and Compute Engine for key management and cryptographic operations. This gives businesses sole ownership of their keys and full control over their access. In addition to built-in integrations with Google Cloud Platform (GCP), Equinix SmartKey is offered as a SaaS service, simplifying deployments even further.

Equinix SmartKey with Google Cloud Integration

Also, provisioning and using keys in FIPS 140-2 Level 3 Certified HSMs is easy with Equinix SmartKey. With complete control over the location of your keys and their distribution and access, you can now process and store your data in the cloud securely.

Equinix SmartKey is a SaaS-based HSM service that provides secure key management and cryptography, simplifying provisioning and control of encryption keys."

Simplifying Cryptographic operations flow with Equinix SmartKey

Finally, we’d like to provide a step-by-step example of how you can setup Equinix SmartKey to secure database credentials. It doesn’t really matter where your applications are running because Equinix SmartKey is cloud-neutral. However, we recommend having private, direct, and secure interconnection through Equinix FabricTM and Network Edge to limit the risk that the public internet could bring.

This scenario assumes you have automation in place to deploy application software that includes a placeholder for database credentials. The workflow would be like the following using Equinix SmartKey:

  1. Generate a temporary SmartKey API key to interact with our REST API
  2. Configure a deployment pipeline to receive a SmartKey API key parameter
  3. Configure the SmartKey command-line interface (CLI) to use the proper API key
  4. Retrieve from a configuration management system the encrypted database credentials
  5. Insert the encrypted databased credentials into the credential’s placeholder in the application
  6. Deploy the application to the destination servers
  7. Decrypt the database credentials using the SmartKey CLI in the destination server
  8. Delete the temporary SmartKey API key

It won’t matter if an attacker can access the SmartKey API key because it is timebound, and you’re going to use it only once. If you need more help and guidance on implementing a workflow like the one above, don’t hesitate to contact us as we are happy to help.

Equinix SmartKey® simplifies provisioning and use of keys in FIPS 140-2 Level 3 Certified HSMs."

Increasing and simplifying security with an HSM-as-a-Service

You can increase your security by protecting database credentials and any sensitive information you have in your systems by using Equinix SmartKey. When you encrypt data with an HSM-as-a-Service, you limit the exposure of the data your systems store.

And since Equinix SmartKey can act as an External Key Manager (EKM) with Google Cloud services such as Big Query or Compute Engine, you can also use it to seamlessly secure your data on Google Cloud. This gives you the benefit of centralized key management with complete control over the location, distribution and access to your keys while you process and store your data in the cloud.

Learn more about gaining more about gaining control of your encryption keys with Equinix SmartKey.

You can also download the Equinix SmartKey data sheet to find out how to simplify data protection across any cloud architecture.

You may also want to check out:
451 Research – Key Management as a Service

You can increase your security by protecting database credentials and any sensitive information you have in your systems by using Equinix SmartKey."