Last updated: 16 May 2016
Your data is only as secure as your encryption scenario.
What does that statement mean to your organization? It’s no secret that protecting cloud data, especially sensitive cloud data, requires various levels of encryption protection. So, if you own your encryption—which gives you the ability to control the who, what, when, where, and how access to your encryption keys—you are likely “living the key-management lifestyle” . . . or are you?
Encryption Key Management: The LifeSTYLE of Managing Your Key LifeCYCLE
The creation, storage, rotation, and deletion of keys are known as the encryption key lifecycle. Because your data is immediately at risk if your encryption keys are accessed by a third party, corrupted, lost, or stolen—managing this cycle with centralized ownership and control is a critical layer of your encryption scenario. But how does an enterprise manage its own keys?
Lifecycles and Laundry
To demonstrate vulnerabilities of a homegrown key management system, let’s examine a scenario that replaces your company’s encryption keys with your favorite pair of Maryland state flag socks. (Yes, where I’m from, a person can be outfitted from head to toe with apparel that features our state flag. It’s a Maryland thing.) Imagine your washing machine as a homegrown key management system.
Scene: The Laundry Room
You’ve just loaded the washer. In the washing machine, your favorite pair of Maryland state flag socks goes through a cycle: they are soaked in warm water, agitated through a mass of soapy suds, rinsed in cold water, and spun dry. When the buzzer signals the end of the cycle, you empty the washer only to find that one of your Maryland state flag socks is missing. You search through the clothes. You examine the washer and search for the black hole. You come to the realization that your Maryland state flag sock . . . is gone.
Just as keeping a pair of prized socks together during a wash cycle can be tricky, key management presents significant challenges for enterprises. Key creation, storage, rotation, and deletion all are important to meeting security requirements, but can complicate the key management process and add to administrative overhead and cost. Outsourcing key management responsibilities means giving your encryption keys to a third party which compromises security and relinquishes control. So, what’s a data owner to do?
Encryption: It’s More than a Code and a Key
Data owners with sensitive information to protect should look for key management solutions that allow you to own the keys, streamline the key lifecycle, and keep keys centralized and available at all times. Homegrown key management solutions offer adequate security for non-sensitive data, but, as in the case of your Maryland state flag socks, the keys are at risk for being stored incorrectly or becoming lost, misplaced, or stolen.
As a best practice, organizations should consider encryption and key management solutions that adhere to NIST 800-57 key management guidelines and support the OASIS Key Management Interoperability Protocol (KMIP). These standards offer flexibility and broad interoperability which enable organizations to centralize the management of cryptographic keys across disparate encryption deployments and provide security, administrative efficiency, and compliance. Another layer of protection for companies whose applications and data are subject to rigorous contractual or regulatory requirements is to secure a root of trust to store keys. The bottom line is that cryptographic keys can be securely generated, stored, and managed in the cloud so that they are accessible only by the organization and never by the cloud provider. It’s a great option for securing your keys (and your favorite Maryland state flag socks).
SafeNet Encryption Solutions for the AWS Cloud Environment
Gemalto offers a range of solutions for the AWS cloud environment—from virtual security appliances to tamper-proof hardware appliances—that allow organizations to demonstrate compliance with the strictest information regulations, such as PCI DSS, HIPAA, CJIS, BASEL II, SOX (Sarbanes-Oxley), and GLBA. Whether an organization keeps their data in a virtual machine in an AWS environment or uses AWS S3 to store data, Gemalto can help address the critical requirements of the security regulations.
For more information on taking ownership of your encryption and encryption keys in the cloud, watch our on-demand webinar, Trusted Crypto in the Cloud: Best Practices for Key Ownership and Control.