Multi-Cloud, Hybrid Cloud Security: Options and Flexibility

Multi-cloud and hybrid cloud strategies. The cloud is in the top three IT investment priorities for businesses, according to the newest Flexera survey. In fact, our own David Close, chief solutions architect at Futurex, wrote about how enterprises are commonly using multiple clouds for diversification and to fulfill requirements and regulations in his article, Maintaining Control Over Your Security Infrastructure in a Multi-Cloud World.
“The movement toward broad acceptance of cloud-based encryption and key management will accelerate as more of the pieces come together,” adds Ryan Smith, vice president of global business development at Futurex, in his Help Net Security article outlining cryptographic trends. At Futurex, we have definitely seen organizations become more aggressive with the cloud, especially financial services organizations that are moving toward payment processing in the cloud.
“Financial services is among the sectors looking to [the] cloud to secure workloads. Sophisticated cyberattacks pushed businesses to shape up cloud security strategies… Hybrid cloud is a popular approach as a way to balance security and cost,” echoes Katie Malone in CIO Dive.

We see these as the top cloud trends this year:

  1. The cloud will play a bigger role in financial services
  2. Increased cloud infrastructure deployments and spending across all industries
  3. Prioritization of security in the cloud
  4. Increased hybrid cloud use for cryptographic needs, such as payment processing
  5. More attention to encryption key management

The Importance of Cloud Security, Encryption Key Security

Cloud security continues to be one of the biggest issues concerning IT departments, with 96% of respondents in a recent survey, The State of Cloud Security 2020, expressing concerns. “A fundamental principle of enterprise security is robust key management and ensuring critical data is protected by well-managed encryption processes, wherever the data resides,” states Close.
It’s vital for enterprises to maintain control of their security infrastructure from end to end, a requirement that has become more complex with the advent of the cloud and multi-cloud. Because encryption keys unlock data, enterprises must maintain control over the keys and have airtight protections in place to keep them from being compromised in any way.
We know that the core of encryption is key management, and hardware security modules (HSMs) are tasked with managing the lifecycle of encryption keys used across an organization’s entire estate of applications. Sophisticated key management solutions are essential to any cryptographic operation because encrypted information is only as secure as the encryption keys. If the keys are compromised, then so is the encrypted data. I wrote about this in detail in my recent article, Key Management with Acuity: On-Premises, Cloud, Hybrid, published in Infosecurity.

What About a Hybrid Approach?

When it comes to encryption key management and securing cryptographic infrastructures, there are several options for organizations: on-premises, cloud, or hybrid. Today, we have seen many organizations seeking a hybrid model. They like the combination of physically overseeing their own HSMs plus the accessibility and convenience of the cloud. A hybrid approach, using both on-premises HSMs and cloud HSMs, allows organizations to construct an elastic infrastructure model for scalability, backup, and failover.
In fact, Forrester’s research indicates that 74% of enterprises describe their strategy as hybrid/multi-cloud. A recent CISO Mag roundtable, Gearing for Greatness: The Future of India’s BFSI Ecosystem, gathered financial services organizations to weigh in on hybrid approaches to HSMs. Highlights of the webinar are here.
While there is no one-size-fits-all approach to securing your cryptographic infrastructure, the number of options is growing, especially as cloud providers give organizations more flexibility, such as retaining control of the keys. Organizations can now shift from one cloud provider to another or embrace a multi-cloud strategy.
I think my colleague, David Close, says it best when he recommends, “Whether it’s managing workloads, handling spikes and surges, providing disaster recovery, holding data at rest, or satisfying audit requirements, having a robust key management system as part of your security infrastructure is ever-critical.”


Want to centralize and simplify key management functions across multiple clouds, while retaining control over your data and encryption keys?

Register for our webinar with Encryption Consulting, What You Need to Know About Multi-Cloud Key Management, on Wednesday, October 28, at 11:00 a.m. CT.



What questions should you ask of your cloud provider?

What are critical architectural factors for implementing cloud key management?

Public cloud vendors, including AWS, Google Cloud Platform, and Microsoft Azure, have their own solutions for encryption key management. While this establishes a high degree of security, organizations lose control over the keys.

Enter BYOK. The industry is trending toward giving customers more control over their cryptographic keys. All of the major cloud vendors now have support for Bring Your Own Key (BYOK), so that organizations can maintain control over the keys used for their data and applications, giving them greater data portability and flexibility. The ability to shift from one cloud provider to another, or to use multiple cloud providers at once, gives organizations options, especially when it comes to managing workloads, handling spikes and surges, and providing disaster recovery, not to mention satisfying audit requirements involving backup or redundancy capabilities.



BYOK allows organizations to encrypt data inside cloud services with their own keys, which are maintained within the cloud providers’ vaults, while continuing to leverage the cloud provider’s native encryption services to protect their data. Win-win.

How it works: keys are generated, escrowed, rotated, and retired in an on-premises or cloud hardware security module (HSM). A best practice is to use a FIPS 140-2 Level 3 HSM to more fully address compliance and reporting requirements.

While BYOK offers increased control, it also comes with additional key management responsibilities that are magnified in multi-cloud environments. Every cloud provider has its own set of APIs and its own cryptographic methods for transporting keys. Fundamentally, the processes, procedures, and methods for managing keys are completely different across clouds, not just from an API standpoint but also from architecture and process standpoints, with each cloud requiring different key management techniques.

What are best practices for multi-cloud ecosystems?

What are prerequisites for BYOK?

Register for our webinar, What You Need to Know About Multi-Cloud Key Management, to learn about key rotation best practices and how to manage the cryptographic key lifecycle.

Join us, Encryption Consulting and Futurex, on Wednesday, October 28, at 11:00 a.m. CT.

