Sponsored Content

Cracking Cloud Encryption Complexity

High-grade encryption is table stakes for financial services companies. Keeping customer data safe is critical and the consequences of inadvertent disclosure are substantial. Financial firms have honed their on-premises data protection practices for decades, but things can get tricky in the cloud.

Powerful encryption is only part of the data protection equation. The best encryption algorithm in the world is useless if the key is compromised. The best approach for financial services firms is to protect their encryption keys with a hardware security module (HSM): a physical, trusted computer on the network that performs cryptographic operations such as key management and encryption inside tamper-resistant hardware. This technique is relatively straightforward to employ in a company’s own data center.

It’s not a simple proposition in the cloud, though. Installing and maintaining secure hardware in the cloud provider’s physical location is awkward at best. Most providers will host an HSM on site, but many financial services firms have understandable reservations about giving up control of such a sensitive component of their security. Things get even more complex when multiple physical data centers are involved, as is the case with all major cloud infrastructure providers. When a customer uses multiple cloud providers around the globe, managing HSMs and keys becomes all but impractical.

An alternative is to use multi-tenant, cloud-based key management services (KMS). In that “bring your own key” (BYOK) scenario, customers manage the lifecycle of the encryption keys (like creation, deletion and rotation) while the cloud provider maintains possession of the HSMs that secure those keys. Cloud-based KMS provides portability across regions as well as the benefits of scalability and high availability that are native to the cloud.


That solution does not necessarily give the customer full control, however. Privacy regulations in some parts of the world require cloud providers to permit access to customer data if demanded by regulators, in some cases even without the customer’s consent. If the cloud provider controls the underlying HSMs that protect the encryption keys, that decision is effectively out of the customer’s hands. Finally, the security strength of the HSM itself must be assessed, so that no one can tamper with the hardware and gain malicious access to the keys within it.

The safest and most secure solution for financial services customers is to retain full control of encryption keys without the possibility of compromise by anyone outside the organization. This can be accomplished with a single-tenant KMS with key vaulting provided by dedicated customer-controlled HSMs. Customers can thus keep their own keys with all key management and operations performed within a secure system that only they control. The cloud provider never has access to the HSM or keys, and so can’t be forced to disclose customer information.

To initialize or manage an HSM, banks perform a well-governed key exchange ceremony in which two or more key custodians participate, so that no single person ever holds the complete key material. Conducting the key exchange ceremony through a cloud-native command-line interface combines these security practices with the cloud-native user experience. Look for a FIPS 140-2 Level 4 security certification, the highest level defined by that Federal Information Processing Standard, which requires the HSM to erase its contents in the case of a physical or environmental attack.

The best integrated cloud solution provides a “keep your own key” (KYOK) KMS. For example, the IBM Cloud Hyper Protect Crypto Services enables encryption of data used across the cloud stack: at the hypervisor, storage and data services and from the application itself. It also permits developers to use the same encryption and decryption process at the application level as when data is committed to databases or storage systems. Customer data can never be exposed inadvertently.

For a further level of protection, look for providers who offer tamper-proof database-as-a-service in the cloud along with virtual servers and container environments supporting confidential computing. This provides built-in data encryption along with cloud-native scalability and performance. As with encryption, the cloud provider never has access to the data or keys.

Moving to the cloud shouldn’t mean risking the integrity of financial services firms’ most precious asset, which is customer data. Choosing the right cloud partner ensures that it doesn’t have to.
