Last updated: 06 November 2018
In today’s always-connected world, an increasing number of organisations are moving their data to the cloud for operational efficiency, cost management, agility, scalability, etc.
As more data is produced, processed and stored in the cloud, itself a prime target for cybercriminals seeking organisations’ sensitive data, protecting the sensitive data that resides there becomes imperative.
While most Cloud Service Providers (CSPs) have deployed strong front-line defense systems such as firewalls, anti-virus, anti-malware and intrusion detection to thwart malicious attacks, sophisticated attackers are breaching them with surprising ease today. Once an attacker gains entry by breaching the CSP’s perimeter defenses, there is hardly anything that can stop him from accessing an organisation’s sensitive data. This is why more and more organisations now encrypt their cloud data as a critical last line of defense against cyber attacks.
Data Encryption Is Not Enough
While data encryption is certainly a strong deterrent, merely encrypting data is not enough at a time when cyber attacks grow more sophisticated with every passing day. Since the data physically resides with the CSP, it is outside the direct control of the organisation that owns it.
When organisations encrypt their cloud data, storing the encryption keys securely and separately from the encrypted data is therefore of paramount importance.
To ensure optimal protection of their data in the cloud, an increasing number of organisations are adopting a Bring Your Own Key (BYOK) approach, which lets them create and manage their own encryption keys securely, separate from the CSP that hosts their sensitive data.
However, as more encryption keys are created for a growing number of cloud environments such as Microsoft Azure, Amazon Web Services (AWS) and Salesforce, efficiently managing the keys of each cloud application and securing access to them becomes very important. This is why many organisations use External Key Management (EKM) solutions to manage all their encryption keys cohesively and securely, free from any unauthorised access.
Take the example of Office 365, Microsoft’s on-demand cloud suite, widely used by organisations across the globe to support employee mobility through anytime, anywhere access to Microsoft’s email application, MS Outlook, and to business applications such as MS Word, Excel and PowerPoint.
Gemalto’s BYOK solutions (SafeNet ProtectApp and SafeNet KeySecure) for Office 365 not only ensure that organisations have complete control over their encrypted cloud data, but also seamlessly facilitate efficient management of the encryption keys of other cloud applications like Azure, AWS, Google Cloud and Salesforce.
Below is a quick snapshot of how SafeNet ProtectApp and SafeNet KeySecure seamlessly work with Azure BYOK:
To elaborate, below is the step-by-step process of how this works:
1. SafeNet ProtectApp and KeySecure are used to generate an RSA key pair of the required key size using the FIPS 140-2 certified RNG of KeySecure.
2. SelfSignedCertificateUtility.jar (a Java-based application) then interacts with KeySecure over a TLS-protected NAE service to fetch the key pair and create a self-signed certificate.
3. The key pair and self-signed certificate are stored securely in a PFX (P12) container whose contents are encrypted using a Password-Based Encryption (PBE) key.
4. The PFX file (an encrypted container protected by the PBE key) is then uploaded to Azure Key Vault using the Azure Web API / REST.
5. The transmission of the PFX file to Azure Key Vault is protected by the security mechanisms Azure implements on its Web API (TLS/SSL, etc.).
6. Since the PFX files reside on the same system on which SelfSignedCertificateUtility.jar is executed, industry-best security practices for that system, such as pre-boot approval and two-factor authentication (2FA), should be followed.
7. Once the keys are loaded into Azure Key Vault, all encryption operations happen on the Azure platform itself.
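The key-generation, certificate, PFX and upload steps above, reproduced as an added example with the openssl command line. This is not Gemalto’s SelfSignedCertificateUtility.jar or KeySecure code: openssl’s own CSPRNG stands in for the KeySecure FIPS 140-2 RNG, and the key size, certificate subject, vault name and certificate name are assumed placeholders. The Key Vault import request shape (POST .../certificates/{name}/import with a base64 PFX and its password) and the az CLI command are Azure’s documented interfaces; the script builds the request body but sends nothing.

```shell
#!/bin/sh
# Added example, not the vendor's utility: reproduces the BYOK artefact flow
# (RSA key pair -> self-signed certificate -> password-protected PFX ->
# Key Vault import request) with the openssl CLI so each artefact can be inspected.
set -eu

WORK="${WORK:-$(mktemp -d)}"                          # scratch dir for key, cert, PFX
KEY_BITS="${KEY_BITS:-2048}"                          # assumed "required key size"
PFX_PASS="${PFX_PASS:-$(openssl rand -base64 24)}"    # PBE password for the PFX container
VAULT_NAME="example-vault"                            # placeholder Key Vault name
CERT_NAME="byok-example"                              # placeholder certificate name in the vault

# Step 1: generate the RSA key pair (openssl's CSPRNG here, KeySecure's RNG on the page).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$KEY_BITS" \
        -out "$WORK/byok.key" 2>/dev/null
}

# Step 2: wrap the public key in a self-signed certificate. A minimal req config is
# written inline so the example does not depend on a system openssl.cnf being present.
gen_cert() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
    openssl req -new -x509 -sha256 -days 365 -config "$WORK/req.cnf" \
        -key "$WORK/byok.key" -subj "/CN=$CERT_NAME" -out "$WORK/byok.crt" 2>/dev/null
}

# Step 3: bundle key + certificate into a PKCS#12 (PFX) container encrypted with a
# password-derived key. AES-256 and a SHA-256 MAC are requested explicitly so the
# container does not fall back to the legacy RC2/SHA-1 PBE algorithms.
make_pfx() {
    openssl pkcs12 -export -inkey "$WORK/byok.key" -in "$WORK/byok.crt" \
        -name "$CERT_NAME" -out "$WORK/byok.pfx" -passout "pass:$PFX_PASS" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
}

# Returns 0 only if the PFX MAC verifies under the given password, i.e. the
# container is unusable without the PBE password.
pfx_opens_with() {
    openssl pkcs12 -in "$WORK/byok.pfx" -passin "pass:$1" -noout 2>/dev/null
}

# Step 4: build the Key Vault import body for
# POST https://<vault>.vault.azure.net/certificates/<name>/import?api-version=7.4
# The PFX travels base64-encoded together with its PBE password, so the TLS channel
# of the upload step is what protects the password in transit. Nothing is sent here.
build_import_body() {
    b64="$(openssl base64 -A -in "$WORK/byok.pfx")"
    printf '{"value":"%s","pwd":"%s"}' "$b64" "$PFX_PASS" > "$WORK/import.json"
}

# The equivalent upload with the Azure CLI (printed, not executed).
print_import_cmd() {
    printf 'az keyvault certificate import --vault-name %s -n %s -f %s --password <PFX_PASS>\n' \
        "$VAULT_NAME" "$CERT_NAME" "$WORK/byok.pfx"
}

run_flow() {
    gen_key
    gen_cert
    make_pfx
    build_import_body
    print_import_cmd
}

run_flow
```

Until the upload completes, the private key, the PFX and its password all exist on the host that runs the script (and the password is embedded in the import body), which is why the page insists on hardening that system. Delete the scratch directory once the certificate is in the vault, and keep the PFX password out of shell history and process listings in real use (the `pass:` form above is for readability only).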
To Sum It Up
As technology evolves, so do cybercriminals, and merely encrypting data no longer guarantees foolproof data protection. While encrypting their sensitive cloud data, organisations must bear in mind that securing and managing the encryption keys is as important as the encryption itself.
To prevent unauthorized access and ensure that the encryption keys don’t fall into the wrong hands, cybersecurity experts unanimously recommend the use of Hardware Security Module (HSM) devices to securely store the encryption keys.
Since encryption keys pass through multiple phases during their lifetime (generation, storage, distribution, backup, rotation and destruction), managing them efficiently at each stage of that lifecycle becomes important, and a secure, centralized key management solution is critical.
Gemalto’s SafeNet KeySecure offers organisations a robust centralized platform that seamlessly manages all encryption keys. Below are some key benefits that make SafeNet KeySecure a preferred choice for organisations across the globe:
1. Heterogeneous key management – helps in seamlessly managing multiple encryption keys at each stage of their lifecycle.
2. Logging and auditing – helps in storing audit trails that can be analyzed by using any leading SIEM tools.
3. Centralized management console – helps in assigning administrator roles according to the scope of their responsibilities.
4. High interoperability – supports a broad ecosystem of respected technology partners using the OASIS KMIP standard.
5. Reduces the overall cost of data security by offering automated operations.
Learn more about how Gemalto’s suite of cloud security solutions can help your organization fully secure your data in the cloud.