Cloud encryption key management becomes table stakes

Encryption key management has become table stakes for cloud vendors, but bringing your own key isn't always the right move.

The ability to bring your own encryption keys is fast becoming ubiquitous in public cloud, but that doesn't mean IT pros should retain control.

Security concerns and data center oversight are two primary hang-ups for IT shops averse to adopting public cloud. Amazon became the first major infrastructure as a service (IaaS) vendor to offer bring-your-own-key encryption in 2014 as an answer to some of those critiques. Over the past few weeks, Microsoft and Google have also advanced their cloud encryption key management capabilities.

Vendors at every layer of the cloud stack have added encryption capabilities, and, eventually, all cloud vendors will offer some form of encryption and key management, said Garrett Bekker, senior security analyst with 451 Research LLC, based in New York. Some vendors will opt to do it natively, while others will pass the control to customers so they can check off that box on their list of capabilities, Bekker said.

"It comes down to how important it is for customers to control the keys," Bekker said. "My guess is a lot of customers will be OK with letting service providers control the keys, but it depends on what the data is, what you're using it for, and what industry and regulatory compliance you face."

Business considerations will shape vendor services, too: a company such as Google, which lags in the market, offers key management for free, while companies like Salesforce.com, which need to generate new revenue streams, offer native encryption as a premium service.

To key or not to key?

Encryption is considered central to data protection in the cloud, but who should retain its control?

SunGard Financial Systems, which partners with Google to build a big data processing prototype for the U.S. Securities and Exchange Commission, uses Customer-Supplied Encryption Keys for compute resources on Google Compute Engine. The free tool for bringing your own keys became available in beta last week, and it's essential from a risk and regulatory control perspective for this project, said Neil Palmer, CTO at SunGard Consulting Services, based in Wayne, Pa.

All data in the cloud should be encrypted anyway, but the ability to bring your own keys is one of those additions that should help enterprise adoption and increase the ways those customers use public cloud, Palmer said. Still, SunGard doesn't bring its own keys to every project, so it's a matter of weighing whether and when key management is the best fit.

"It's just a question from a perspective of effort, time, integration, etc.," Palmer said. "There's a return on investment around key management required, so if you're BuzzFeed or one of the big media Internet sites, maybe not so much. But if you're healthcare or government work, you may need it."

Microsoft Azure Key Vault, which became generally available last month, can be used as a standalone service and allows customers to import keys from their own hardware security modules (HSMs). Microsoft charges $0.03 per 10,000 operations for software-protected keys and an additional $1 per month per key for HSM-protected keys.

Similarly, Amazon Web Services (AWS) Key Management Service charges $0.03 per 10,000 requests and $1 per month for each key that is created and active. Amazon also has CloudHSM, a dedicated HSM appliance that costs $5,000 per instance, in addition to an hourly fee of $1.88 for as long as the instance is running.

Cloud encryption key management is difficult, and bringing your own keys to a service someone else owns is a non-trivial endeavor that runs counter to one of the cloud's main advantages: not having to worry about these sorts of things, said Adrian Sanabria, senior security analyst at 451 Research.

"You've got to somehow own the keys and manage to inject them into workloads without exposing them to the cloud provider," Sanabria said. "It is a compromise, where you can't be 100% cloud if you want to manage your own keys."

Public perception about cloud security and regulatory environments with antiquated requirements both drive the demand for key management, but the point could be moot in five years' time, as customers come to trust large public cloud providers as good stewards of keys, said Leonard Law, a product manager for Google Cloud Platform.

"As people are transitioning from on-premises to the cloud, there's this notion of control. So by managing your own custom keys that gives customers a lot of peace of mind, but ultimately, it's just less necessary," Law said.

Trevor Jones is a news writer for TechTarget’s Data Center and Virtualization Media Group. Contact him at tjones@techtarget.com.

What is your enterprise's cloud encryption key management strategy?
Current Strategy: Reactive key management tool deployment = no strategy.

Future Strategy: Find and deploy a key management tool set that is independent of any particular cloud vendor; hybrid, ubiquitous, and centralized.

Having tools to help a customer manage the keys in a secure, responsible way can be very valuable. But letting the cloud provider own and manage the keys opens up the business to many new risks (disgruntled cloud-provider employees, government seizures, large-scale hacking, etc.). Definitely worth spending time understanding their management policies and your options if those keys are lost/stolen/compromised.