Maintaining Control Over Your Security Infrastructure in a Multi-Cloud World – Infosecurity Magazine

A fundamental principle of enterprise security is robust key management and ensuring critical data is protected by well-managed encryption processes, wherever the data resides.

It is vital that enterprises maintain responsibility for, and control over, their security infrastructure from end to end, a requirement that has become more complex with the advent of the cloud. Since encryption keys are what unlock the data, enterprises must retain control over those keys and have air-tight protections in place to keep them from being compromised in any way.

Multi-cloud use is trending

Over this past year, we have seen more organizations moving their data to the cloud, especially financial services organizations. The movement toward broader acceptance of cloud-based encryption and key management will continue to accelerate.

Enterprises commonly use multiple clouds for diversification and to satisfy the requirements and regulations imposed by their applications and organizational units.

As enterprises move greater volumes of their computing workloads to public clouds, encryption key management is increasing in importance. Enterprises expect cloud providers to maintain a robust key management service that includes cryptographic APIs.

Every cloud provider has its own set of APIs and its own cryptographic methods for transporting keys, which adds to the complexity of management. As a result, the processes, procedures, and methods for managing keys are different across clouds, and not just from an API standpoint, but from architecture and process standpoints.

Public cloud vendors including AWS, Google Cloud Platform, and Microsoft Azure have been making significant progress with data access, key management, and data retention policies, but there is no one-size-fits-all solution at this point.

Why is it important for organizations to retain control of the keys?

One method gaining popularity is Bring Your Own Key (BYOK), which allows organizations to encrypt data inside cloud services with their own keys, held in the cloud provider's vaults, while still leveraging the cloud provider's native encryption services to protect their data.

Keys are generated, escrowed, rotated, and retired in an on-premises or cloud hardware security module (HSM). A best practice is to use a FIPS 140-2 Level 3 HSM to more fully address compliance and reporting requirements.

While BYOK offers increased control, it also comes with additional key management responsibilities that are magnified in multi-cloud environments: it falls to each organization to maintain an inventory of all keys in use, whether directly in the enterprise or in the cloud. To facilitate this effort, the latest enterprise key management systems, which integrate natively with cloud provider infrastructure, are becoming available and can save time and money while ensuring consistent key management practices.
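As an added illustration (not code from the article or any vendor), the following stdlib-only inventory tracks BYOK keys across providers by fingerprint rather than raw material, retires old versions on rotation, and audits for the three gaps the paragraph above warns about: keys with no escrow copy in the enterprise HSM, keys overdue for rotation, and the same key material reused across clouds. The one-year rotation period, provider names and key ids are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy value for this example; the article states no specific period.
ROTATION_PERIOD = timedelta(days=365)


@dataclass
class KeyRecord:
    key_id: str            # hypothetical inventory identifier
    provider: str          # where the key is used: "aws", "azure", "gcp", ...
    fingerprint: str       # SHA-256 of the key material; raw bytes are never stored
    created: date          # generation date in the HSM
    escrowed: bool         # True if a copy is held in the enterprise HSM
    state: str = "active"  # "active" or "retired"


def fingerprint(key_material: bytes) -> str:
    """Identify key material without retaining it; a hash suffices for inventory matching."""
    return hashlib.sha256(key_material).hexdigest()


class KeyInventory:
    def __init__(self) -> None:
        self.records = []  # list of KeyRecord, oldest first

    def register(self, key_id, provider, key_material, created, escrowed=True):
        self.records.append(KeyRecord(key_id, provider, fingerprint(key_material), created, escrowed))

    def active(self, key_id):
        return next(r for r in self.records if r.key_id == key_id and r.state == "active")

    def rotate(self, key_id, new_material, today):
        """Retire the current version and register the replacement under the same id."""
        old = self.active(key_id)
        old.state = "retired"
        self.register(key_id, old.provider, new_material, today, old.escrowed)

    def audit(self, today):
        """Return (key_id, finding) pairs for active keys that violate the policy."""
        findings, seen = [], {}
        for r in self.records:
            if r.state != "active":
                continue
            if not r.escrowed:
                findings.append((r.key_id, "no escrow copy in enterprise HSM"))
            if today - r.created > ROTATION_PERIOD:
                findings.append((r.key_id, "rotation overdue"))
            if r.fingerprint in seen and seen[r.fingerprint] != r.key_id:
                findings.append((r.key_id, f"same key material as {seen[r.fingerprint]}"))
            seen.setdefault(r.fingerprint, r.key_id)
        return findings
```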

When exploring the use of key management solutions, ensure that you are following best practices for centralizing and simplifying key management functions across multi-cloud ecosystems:

Questions organizations should ask of their cloud provider:

As we head into 2021, the information security industry is trending toward more options and flexibility. When it comes to the cloud, organizations are increasingly gaining more control over their cryptographic keys, even to the point where they can shift from one cloud provider to another.

Whether it's managing workloads, handling spikes and surges, providing disaster recovery, holding data at rest, or satisfying audit requirements, having a robust key management system as part of your security infrastructure is ever more critical, particularly in a multi-cloud world.
