nCipher Security Blog

High-security cryptographic key management for the hybrid-cloud user

Edlyn Teske | Cryptomathic

When migrating business-critical applications and cryptography to the cloud, banks and financial institutions face a number of concerns. The push to adopt cloud computing for the sake of efficiency and innovation must be balanced with the responsibility to protect sensitive data and processes.

Leaving the protection of data to the cloud provider, with cloud-based key management and the provider in physical control of the encryption keys, has several weaknesses:

  • Data may be exposed to personnel at the hosting provider, or to third parties such as nation states or cybercriminals.
  • Future switching of cloud providers is costly and tedious, and could potentially lead to data loss.
  • Using hybrid-cloud environments or adding SaaS provided by a different service provider adds complication.
  • Demonstrating compliance with security standards (e.g. PCI DSS) is hard when the cryptography and the keys are outside the bank's control.

For these reasons, banks and financial institutions must retain centralized control over the cryptographic keys used in the hybrid cloud. After all, banking and financial transactions are ultimately built from cryptographic operations, and whoever holds the keys controls the bank's online identity and the confidentiality and integrity of its data.

Bring Your Own Key (BYOK) for cloud encryption

BYOK solutions let cloud users generate, back up and submit their own encryption keys independently of the provider. This addresses the concerns above; however, BYOK solutions have downsides of their own:

  • Loss or error could prevent a business from decrypting its own data. If a key is lost or stolen, the cloud service provider is powerless to assist, because it never held the customer's copy.
  • The user's backup process must itself be subject to high-security measures to prevent theft of the encryption keys.
  • Security best practice demands that each individual cloud service has its own unique key. Firms will use a variety of keys and distribute their data between several providers, so BYOK quickly becomes a complex, multi-faceted challenge.

In summary, a BYOK approach is an important step towards secure cloud adoption; in a highly regulated environment, however, it is not enough on its own.
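To make the BYOK mechanics concrete, the following Go program is an added example (not code from the original post, and not Cryptomathic's or any cloud provider's own implementation). It simulates both sides of a BYOK import: the provider publishes an RSA wrapping key, the customer generates a 256-bit AES key, records a check value, wraps the key with RSA-OAEP/SHA-256 (the wrapping algorithm AWS KMS calls RSAES_OAEP_SHA_256; Azure Key Vault and Google Cloud KMS offer comparable RSA-OAEP import options), and the provider unwraps it. It then shows the failure mode from the first bullet above: data encrypted under the imported key is recoverable only with the customer's backup copy, and a wrong or lost key leaves it unrecoverable. The wrapping key pair is generated locally so the example runs offline; the SHA-256 fingerprint used as a key check value is an assumption for illustration, as real KMS products expose their own key identifiers and check values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Fingerprint is a key check value (hex SHA-256 of the raw key material).
// The customer records it at generation/backup time and compares it with
// what is reported after import. This is an illustrative choice, not a
// particular KMS's check value format.
func Fingerprint(key []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(key))
}

// GenerateCustomerKey creates the 256-bit AES key on the customer side
// (in practice inside the customer's own HSM). This copy is the backup.
func GenerateCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapForImport wraps the key material with the provider's wrapping public
// key using RSA-OAEP with SHA-256, so only the provider's HSM can unwrap it.
func WrapForImport(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// UnwrapImportedKey is the provider side: the wrapping private key never
// leaves the provider's HSM.
func UnwrapImportedKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Seal encrypts plaintext with AES-256-GCM; the random nonce is prepended.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; GCM authentication fails for any key other than the
// one used to seal, so a wrong backup yields an error, not garbage.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ByokRoundTrip runs the whole flow. It reports whether the imported key
// matched the customer's backup and whether a wrong key was rejected.
func ByokRoundTrip() (matched bool, wrongKeyRejected bool, err error) {
	wrappingKey, err := rsa.GenerateKey(rand.Reader, 2048) // provider's HSM
	if err != nil {
		return false, false, err
	}
	customerKey, err := GenerateCustomerKey() // customer's HSM, backed up
	if err != nil {
		return false, false, err
	}
	backupFingerprint := Fingerprint(customerKey)
	wrapped, err := WrapForImport(&wrappingKey.PublicKey, customerKey)
	if err != nil {
		return false, false, err
	}
	imported, err := UnwrapImportedKey(wrappingKey, wrapped) // provider side
	if err != nil {
		return false, false, err
	}
	matched = Fingerprint(imported) == backupFingerprint && bytes.Equal(imported, customerKey)

	// Data encrypted in the cloud must decrypt with the customer's backup...
	sealed, err := Seal(imported, []byte("constructed sample record")) // constructed input
	if err != nil {
		return false, false, err
	}
	if _, err := Open(customerKey, sealed); err != nil {
		return matched, false, err
	}
	// ...and with nothing else: lose the backup and the provider cannot help.
	wrongKey, err := GenerateCustomerKey()
	if err != nil {
		return matched, false, err
	}
	_, openErr := Open(wrongKey, sealed)
	return matched, openErr != nil, nil
}

func main() {
	matched, rejected, err := ByokRoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("imported key matches backup: %v; wrong key rejected: %v\n", matched, rejected)
}
```

Note that the fingerprint check is what gives the customer evidence that the provider imported exactly the key it backed up; without such a check value, a corrupted or substituted import would only be discovered when decryption of production data fails.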

Centralized control of the key lifecycle for the cloud: MYOK

The Manage-Your-Own-Key (MYOK) model answers the demand to benefit from the cloud's flexible, on-demand services while maintaining a banking-grade level of cryptographic security. A MYOK system:

  • Enables users to control and manage the entire life cycle of their own, unique portfolio of keys: generating, storing, deploying, retrieving, backing up, revoking and updating them as they go
  • Enables users to create and manage keys for a multitude of different cloud models and providers from one place
  • Gives users the capability to expand their use of encryption to secure more of their data, without adding a new key-management silo for each service.

Cryptomathic's Crypto Key Management System (CKMS) delivers the MYOK model for strong cryptography in the hybrid cloud. It provides a host of key-management functions and supports different cloud platforms, including the BYOK schemes implemented by AWS, Google Cloud and Microsoft Azure. To learn more, register for our webinar, "Key Management for the Hybrid Cloud", on May 21 at 2pm EDT.