
10 - 5 - 2024 - Insights

Take Cloud Keys into Your Own Hands

The use of public cloud services has significantly increased, emphasizing the importance of addressing data protection concerns, especially in terms of key management, during cloud migration. External key management services offer opportunities for better control and easier transition between various services, but it's crucial to select a suitable model based on needs and security objectives.


The use of public cloud services (e.g., AWS, Azure, GCP) has become increasingly prevalent, with more and more companies running their services fully or partially in the cloud instead of in their own data centers. In a cloud migration, data protection must be considered from the perspectives of privacy, resilience, legislation, and compliance. Encrypting the data is one control for these challenges, but it is only as effective as the management of its keys, which should therefore be planned carefully from the outset.

Cloud Key Management Services (KMS)

Public cloud providers offer their own key management services, which give the applications running on them a consistent way to manage keys. By using the provider's KMS (Key Management Service), access rights, audit logging, and the storage of key material can be implemented uniformly across these applications. There are also options that protect the key material more strongly than software-protected keys, such as Azure's Managed HSM service, in which keys are held in hardware validated to FIPS 140-2 Level 3.

Is it sufficient to trust cloud key management solutions for protecting personal data or critical business information? The fundamental principle is that responsibility for data taken to the cloud always remains with the customer. For personal data, relevant legislation such as GDPR must be considered. The legal basis for processing personal data in cloud services has also changed over time, and it is difficult to predict what will be considered sufficient in the future; further changes are likely. A more sustainable answer is to take control of the keys, since cybercriminals pursuing critical information are not stopped by legal barriers.

The primary problem with cloud-native key management services is that both the data and the keys protecting it reside in the same cloud environment, under the same provider and typically under the same administrative identities. If the provider's hardware-based solutions (HSMs) are used, the keys generated in them are generally non-exportable by design. This causes problems, for example, when there is a need to move to another cloud platform or to repatriate services, which matters especially for resilience, particularly in the financial sector.

Opportunities brought by external key management services

External key management is a way to gain better control over data taken to cloud services. The principle is to separate the protected data and the keys used to encrypt it into independent services. An external key management service also makes the transition between cloud platforms and one's own data center easier, provided that key management is implemented in a unified, platform-independent manner.

Bring Your Own Key (BYOK) is a model in which a key generated in an external key management service is imported into the cloud provider's KMS. Key generation thus happens outside the cloud, and the master copy remains in the external service, so the key can be re-imported after an incident or imported into another platform. This gives control over the key's origin and backup, although the cloud provider's KMS still holds a usable copy of the key material and performs every cryptographic operation with it: BYOK changes where the key is born and backed up, not who can use it in the cloud. The advantage is that cloud-native applications require no changes, since a BYOK key is used exactly like a key created in the cloud's KMS, and adoption is straightforward. The BYOK model is supported in AWS, Azure, and Google cloud services, among others.
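To make the BYOK import step concrete, here is an added example written for this article in Go using only the standard library; it is not code from the article, from Insta's Key Vault service, or from any cloud provider's SDK. CloudKMS and ExternalKeyManager are hypothetical stubs, and the two-step shape (fetch a public wrapping key together with a one-time import token, then submit the key material wrapped with RSA-OAEP) follows the general pattern of cloud import APIs without being any provider's exact interface. The key ID key-0001 and the master key name are invented.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CloudKMS stands in for a cloud provider's KMS (a hypothetical stub, not any
// provider's SDK). The private half of its wrapping key never leaves it.
type CloudKMS struct {
	wrapPriv *rsa.PrivateKey
	keys     map[string][]byte // key ID -> imported material, held in plaintext by the cloud
	tokens   map[string]string // one-time import token -> key ID it was issued for
}

func NewCloudKMS() (*CloudKMS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CloudKMS{wrapPriv: priv, keys: map[string][]byte{}, tokens: map[string]string{}}, nil
}

// GetParametersForImport is the first BYOK step: the cloud hands out its public
// wrapping key plus a one-time import token bound to the target key ID.
func (c *CloudKMS) GetParametersForImport(keyID string) (*rsa.PublicKey, string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, "", err
	}
	token := fmt.Sprintf("%x", raw)
	c.tokens[token] = keyID
	return &c.wrapPriv.PublicKey, token, nil
}

// ImportKeyMaterial is the second step: check the token, unwrap with RSA-OAEP
// (SHA-256) and store the material. The token is consumed, so a captured blob
// cannot be replayed into the same or another key later.
func (c *CloudKMS) ImportKeyMaterial(keyID, token string, wrapped []byte) error {
	if c.tokens[token] != keyID {
		return errors.New("import token missing, already used, or issued for another key")
	}
	delete(c.tokens, token)
	material, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.wrapPriv, wrapped, nil)
	if err != nil {
		return fmt.Errorf("unwrap failed: %w", err)
	}
	c.keys[keyID] = material
	return nil
}

// ExternalKeyManager is the customer-controlled service that generates the key
// and keeps the master copy; the material only ever leaves it wrapped.
type ExternalKeyManager struct{ master []byte }

func NewExternalKeyManager() *ExternalKeyManager {
	k := make([]byte, 32) // 256-bit AES key generated outside the cloud
	if _, err := rand.Read(k); err != nil {
		panic(err) // no entropy, no key
	}
	return &ExternalKeyManager{master: k}
}

func (e *ExternalKeyManager) WrapForImport(pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, e.master, nil)
}

// ByokImport runs the whole flow. It reports whether the cloud's copy equals the
// master copy and whether replaying the same blob with the spent token is refused.
func ByokImport() (matches, replayRejected bool, err error) {
	ext := NewExternalKeyManager()
	cloud, err := NewCloudKMS()
	if err != nil {
		return false, false, err
	}
	pub, token, err := cloud.GetParametersForImport("key-0001")
	if err != nil {
		return false, false, err
	}
	wrapped, err := ext.WrapForImport(pub)
	if err != nil {
		return false, false, err
	}
	if err = cloud.ImportKeyMaterial("key-0001", token, wrapped); err != nil {
		return false, false, err
	}
	// After import both sides hold the plaintext key: that is the BYOK trade-off.
	matches = bytes.Equal(cloud.keys["key-0001"], ext.master)
	replayRejected = cloud.ImportKeyMaterial("key-0001", token, wrapped) != nil
	return matches, replayRejected, nil
}

func main() {
	m, r, err := ByokImport()
	fmt.Println("cloud copy matches master:", m, "| replay rejected:", r, "| err:", err)
}
```

The comparison at the end is the point of the exercise: once the import succeeds, cloud.keys holds the same bytes as ext.master. The external copy is what lets you recover the key or bring it to another platform; it does nothing to stop anyone who holds usage rights to the cloud key from using it there.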

Hold Your Own Key (HYOK) provides additional control over key usage. In this model the key resides solely in the external key management service, which can run in another cloud or in one's own data center, and every use of the key requires a connection to it: the cloud service sends each data key to the external service to be wrapped or unwrapped and never holds the key itself. The keys and the protected data are thus completely separated, and the external service can also be used for logging key usage and managing access rights. In an HYOK implementation it should be noted that the cloud-side applications require a reliable connection: if the external service is unreachable, data in the cloud cannot be decrypted, so the availability of the key service becomes the availability of every workload that depends on it, and the latency of each call may affect application performance if keys are heavily used. The HYOK model is supported in AWS and Google cloud services, among others.

Application-specific encryption is the most flexible model and offers the best control over encryption for both on-premises and cloud services. Encryption is implemented at the application level, for example by encrypting a database with the encryption function provided by the database engine using an externally supplied key, or through the application's own code. The implementation does not use the cloud service's key management, so it does not depend on it either. The key material is entirely under one's own control, and the external key management service can be used for logging key usage and managing access rights. It is also possible to protect only part of the data using tokenization or masking. The trade-off is that data encrypted in the application is opaque to the cloud platform, so provider features that need to read it (indexing, searching, server-side processing) no longer apply to that data, and correct key handling becomes the application's responsibility.
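The HYOK model and application-level encryption described in the two paragraphs above share one mechanism: the data is encrypted locally under a per-record data encryption key (DEK), and only that DEK is sent out to be wrapped or unwrapped under a key encryption key (KEK) that never leaves the external key manager. The following is an added example written for this article in Go with only the standard library; it is not code from the article, from Insta's Key Vault service, or from any cloud provider. ExternalKeyService is a hypothetical in-process stub standing in for the external key manager (in practice that call crosses the network), the principal name billing-api and the sample record are constructed, and the stub deliberately fails closed when marked unreachable to show the availability caveat.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG; a failure here is fatal by design.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustAEAD builds AES-256-GCM; every key passed in is a 32-byte key generated above.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce||ciphertext||tag; open reverses it and rejects any tampering.
func seal(key, pt []byte) []byte {
	gcm := mustAEAD(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

func open(key, blob []byte) ([]byte, error) {
	gcm := mustAEAD(key)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// ExternalKeyService stands in for the customer-run key manager (hypothetical stub,
// not any vendor's API). The KEK never leaves it: callers only get data keys
// wrapped or unwrapped, subject to an allow-list of principals and an audit log.
type ExternalKeyService struct {
	kek       []byte
	allowed   map[string]bool
	Reachable bool     // set to false to simulate a network outage
	Audit     []string // who asked for what, and whether it was allowed
}

func NewExternalKeyService(allowed map[string]bool) *ExternalKeyService {
	return &ExternalKeyService{kek: randomBytes(32), allowed: allowed, Reachable: true}
}

// Use wraps (op "wrap") or unwraps (op "unwrap") one data key for principal.
func (s *ExternalKeyService) Use(principal, op string, in []byte) ([]byte, error) {
	if !s.Reachable {
		return nil, errors.New("key service unreachable, failing closed")
	}
	ok := s.allowed[principal]
	s.Audit = append(s.Audit, fmt.Sprintf("%s %s allowed=%t", principal, op, ok))
	if !ok {
		return nil, fmt.Errorf("%s may not %s data keys", principal, op)
	}
	if op == "wrap" {
		return seal(s.kek, in), nil
	}
	return open(s.kek, in)
}

// Envelope is what the application stores in the cloud: the record under a fresh
// per-record DEK plus that DEK wrapped by the external KEK. Neither part can be
// decrypted in the cloud without a round trip to the key service.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

func EncryptRecord(svc *ExternalKeyService, principal string, pt []byte) (Envelope, error) {
	dek := randomBytes(32)
	ct := seal(dek, pt) // bulk data is encrypted locally and never leaves the application
	wrapped, err := svc.Use(principal, "wrap", dek) // only the 32-byte DEK goes out
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(svc *ExternalKeyService, principal string, env Envelope) ([]byte, error) {
	dek, err := svc.Use(principal, "unwrap", env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

func main() {
	svc := NewExternalKeyService(map[string]bool{"billing-api": true})
	env, _ := EncryptRecord(svc, "billing-api", []byte("IBAN FI00 0000 0000 0000 00")) // constructed sample record
	svc.Reachable = false // outage: the data in the cloud is unreadable until the link is back
	_, err := DecryptRecord(svc, "billing-api", env)
	fmt.Println("decrypt during outage:", err, "| audit entries:", len(svc.Audit))
}
```

Two design points matter here. Only the 32-byte DEK ever crosses to the key service, so the latency cost of HYOK is one small round trip per record rather than per byte, and the bulk data stays where it is; and when the service is unreachable, DecryptRecord returns an error rather than falling back to any cached key, which is the behaviour you want but also the outage scenario you must plan for.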

Even the best encryption adds no value if the keys are lost, too widely available, or their use cannot be audited, so key management must be able to meet these needs. It is also highly likely that differing security requirements and technical capabilities mean there is no one-size-fits-all best solution. Insta's key management, PKI, and privacy experts can help with these challenges, so get in touch, and let's find the most suitable solution for your needs.


Mika Suvanto


Chief Security Specialist, Insta Advance, firstname.lastname (at)
