
PKI – Digital Trends Driving Usage

Public key infrastructure (PKI) is the set of roles, policies and systems used to create, distribute, store and revoke digital certificates, which bind a public key to the identity of a person, device or service. A PKI issues certificates through a certification authority (CA), publishes them together with revocation information (CRLs or OCSP responses) in a repository, and revokes them when a key is compromised or the binding is no longer valid. The adoption of PKI has increased steadily over the years, with most analysts predicting 15-20% growth rates between now and 2024-2025. The broad reason is not surprising: the increasing digitalization of enterprises, consumers and society. Since digitalization means different things to different people, we look at some specific trends that are driving PKI usage and adoption.

Enterprise PKI Services

Get complete end-to-end consultation support for all your PKI requirements!

  1. The Internet of Things (IoT): The IoT is emerging as one of the major factors driving PKI adoption. The number of connected devices already exceeds the number of people on the planet, and even conservative forecasts put around 50 billion connected devices in place over the next five years. The proliferation of IoT devices, together with threats such as altering a device's function, means that significant effort is needed for IoT vulnerability management. PKI is expected to play a major role here, since these devices will primarily rely on device certificates (ideally with keys generated in and bound to a hardware secure element) for identification and authentication.
  2. Cloud applications and services: Cloud usage is mainstream today: a recent report from Flexera indicates that 94% of enterprises use some form of cloud (public, private or hybrid). As organizations move more workloads to the cloud, the need for PKI credentials for cloud-based applications grows correspondingly. Another overlap between PKI and cloud technology is Certificate Authority (CA) services: a public CA service such as those from Comodo (now Sectigo), Symantec (whose CA business is now part of DigiCert) or GoDaddy; a private CA running in a public cloud; or a private CA running in a private cloud.
  3. Mobile applications: Smartphones and mobile applications are ubiquitous. Both consumer mobile applications and enterprise mobility (e.g. BYOD, Bring Your Own Device) scenarios drive PKI usage. Nobody disputes the productivity gains and convenience of workforce mobility; the challenges of mobile device management, especially around authentication and data security, are however often underestimated. Enterprises need a reliable way to verify the mobile user's identity, validate the device itself and protect the information through encryption. This is where digital certificates and PKI play a big role.
  4. E-commerce and the web: Retail is one sector where digital disruption has been extremely widespread. Online shopping has changed the retail industry, and although e-commerce is still under 20% of overall retail sales, every retailer today, big or small, needs an e-commerce presence. The moment payments and financial transactions are involved, authentication and encryption become critical. One of the key enablers of the e-commerce boom has been PKI and the certificates used with SSL/TLS (SSL itself is obsolete and disabled in modern software; the certificates are X.509 certificates used with TLS, but "SSL certificate" remains the common name). Web security has become such a necessity that TLS is now the de facto baseline for any website, not just e-commerce: major browsers flag a site served over plain HTTP as "Not secure" in the address bar, and HTTPS is a ranking signal for search engines, so unencrypted sites typically rank lower.

Apart from these, other trends driving PKI adoption across enterprises include initiatives related to risk management, cost reduction and regulatory compliance (such as digital signature legislation). One thing is clear: in an increasingly digitalized world, PKI holds the key to safe and secure transactions for enterprises and consumers worldwide.

2019 Rightscale State of the Cloud Report from Flexera

PKI Operations and Usage

Understanding PKI Operations and Associated Risks

PKI Operations refers to an organization's capability to deploy, sustain and expand its PKI services: the processes, from designing the PKI to testing it, that keep certificate issuance, revocation and validation running in its environment.

There are risks if PKI operations are not performed, or not performed on time:

  • AD CS (Active Directory Certificate Services) component failures that require installing replacement components may not be completed promptly, lengthening the outage during recovery.
  • CA application failures may not be noticed and reported promptly, increasing response and remediation times and therefore outage durations.
  • Service level agreements for issuing, renewing or revoking certificates in a timely manner may be missed.
  • CRL publication failures: if a CRL expires before a fresh one is published, relying parties that check revocation either reject every certificate from that CA (hard fail) or, if configured to soft fail, continue to accept certificates that have been revoked.

PKI Operations Tasks

The following PKI operations tasks are performed at different stages; executing them on schedule keeps the infrastructure robust, scalable and secure, and reduces risk.

Stage: Architectural
  • Adding a new CA
  • Adding a new certificate template
  • Uninstalling a CA
  Description: changes to the structure of an existing PKI.

Stage: Maintenance
  • Renewing CA certificates
  • CA backup and recovery
  • Publishing CRLs from the root CA and the issuing CAs
  Description: recurring work that keeps the CA service current and uninterrupted.

Stage: Testing
  • PKI health check
  Description: verify certificate and CRL status in the CDP and AIA containers, and that the published locations are reachable.


Below are the tasks that are performed under the PKI operation processes at different stages:

Task: Backup and recovery of CAs
  Description: Takes a backup of the CA database, the CA private key (for a software key; an HSM-held key is backed up with the HSM vendor's procedure), the CA policy file (CAPolicy.inf), the CertSvc configuration registry hive, the CA certificates and the list of templates enabled on the issuing CA.
  • Every PKI needs an effective disaster recovery plan, so that a system failure can be recovered in time with minimal effect on the organization.
  • If the CA application fails it can no longer issue certificates or publish CRLs, so the DR plan must include taking a CA backup and testing the restore on a different system.
  • The CA backup also plays a principal role when a CA has to be migrated to a different server (for example after a hardware failure), and when building or adding another issuing CA for high availability, so that the failure or compromise of one issuing CA does not take down the whole PKI.
  Schedule: As needed (at minimum after every configuration change and before any upgrade)
  Estimated duration: 4 hours (may vary with organization)

Task: CRL and AIA publication for root and issuing CAs
  Description: As a best practice, the CRL of the (offline) root CA is published manually every six months so that an updated CRL is pushed into the environment. Publish well before the NextUpdate time of the current CRL, since relying parties reject a CRL once it has expired; online issuing CAs publish their CRLs automatically on the configured interval.
  Schedule: Every six months (manually)
  Estimated duration: 1 hour (may vary with organization)

Task: Renewal of root CA and issuing CA
  Description: Root CA: renewal of the root CA certificate and key pair. Issuing (sub) CA: renewal of the issuing CA certificate and key pair.
  Suggested schedule: Root CA, once every 9 years and 10 months. For example, a root CA certificate is generally valid for 20 years and issues 10-year certificates to its issuing CAs. AD CS never issues a certificate that outlives the issuer's own certificate, so the root must have at least 10 years of validity left whenever an issuing CA is renewed; renewing the root after 9 years and 10 months keeps that margin. Issuing CA: every 2 years and 3 months. The right interval depends on the validity period of the CA certificate and of the longest-lived certificates it issues, and so varies from system to system.
  Estimated duration: Root CA 1 hour, issuing CA 1 hour (may vary with organization)

Task: Uninstall a CA
  Description: Uninstalling a CA removes the AD CS role and features from the CA server. Take a backup of the CA before uninstalling it, so that a new CA can be restored from the backup if it is later added back to the PKI.
  Schedule: As applicable
  Estimated duration: 1 hour (may vary with organization)

Task: Add a new CA
  Description: Adding a CA to an existing PKI is required for high availability and load balancing, and to assign different roles (templates, key sizes, audiences) to a particular CA.
  Schedule: As needed
  Estimated duration: 1 hour (may vary with organization)

Task: Add a new certificate template
  Description: To let a CA sign and issue a particular kind of certificate, a template describing it is created and then enabled on that CA. For example, the built-in Workstation Authentication template issues client-authentication certificates to domain-joined computers so that they can authenticate to the network.
  Schedule: As applicable
  Estimated duration: 30 minutes (may vary with organization)

Task: PKI health check
  Description: After PKI services have been configured, expanded, updated or maintained, check PKI health to confirm that the operation succeeded: the Enterprise PKI snap-in (pkiview.msc) shows the status of each CA certificate, CRL, CDP and AIA location, and "certutil -verify -urlfetch" on an issued certificate fetches every published URL the way a client would.
  Schedule: Recommended after every PKI operation
  Estimated duration: 30 minutes (may vary with organization)
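The maintenance and health-check tasks above, as one script, is an added example and not part of the page or of any product it describes. It runs on the online issuing CA itself and assumes, which the page does not state, that the ADCSAdministration module is present (Windows Server 2012 R2 or later), that D:\CABackup is the backup root (a made-up path), that CRLs are published to the default CertEnroll folder, and that the longest-lived template this CA issues is 2 years.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page): backup, CRL publication, CDP/AIA check and renewal
# timing for an AD CS issuing CA. Assumptions: ADCSAdministration module available,
# D:\CABackup is a hypothetical backup root, 2-year templates are the longest issued.
Import-Module ADCSAdministration

$BackupRoot = Join-Path 'D:\CABackup' (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# --- 1. Backup: database + key, registry hive, CAPolicy.inf, template list ----------------
# The key is exported as a password-protected PFX. If the CA key lives in an HSM it cannot
# be exported: use -DatabaseOnly here and the HSM vendor's own key backup procedure.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the exported CA key (PFX)'
Backup-CARoleService -Path $BackupRoot -Password $pfxPassword -KeepLog -Force

reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupRoot 'CertSvc-Configuration.reg') /y | Out-Null
# CAPolicy.inf only exists if one was used when the CA was installed.
Copy-Item "$env:SystemRoot\CAPolicy.inf" $BackupRoot -ErrorAction SilentlyContinue
Get-CATemplate | Export-Csv (Join-Path $BackupRoot 'CATemplates.csv') -NoTypeInformation

# --- 2. Publish a fresh CRL (full + delta) and report its validity window -----------------
certutil -CRL | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit code $LASTEXITCODE)" }
$crlDir = "$env:SystemRoot\System32\CertSrv\CertEnroll"
foreach ($crl in Get-ChildItem $crlDir -Filter '*.crl') {
    # Relying parties reject a CRL once NextUpdate has passed, so the next publication
    # (automatic here, manual on an offline root) must happen before that time.
    $window = certutil -dump $crl.FullName |
        Select-String 'ThisUpdate:|NextUpdate:' | ForEach-Object { $_.Line.Trim() }
    '{0}: {1}' -f $crl.Name, ($window -join '; ')
}

# --- 3. Health check: are the CDP and AIA locations actually reachable? -------------------
Get-CACrlDistributionPoint | Where-Object { $_.AddToCertificateCdp } |
    ForEach-Object { "CDP written into issued certs: $($_.Uri)" }
Get-CAAuthorityInformationAccess | Where-Object { $_.AddToCertificateAia } |
    ForEach-Object { "AIA written into issued certs: $($_.Uri)" }

# Export this CA's own certificate and let certutil fetch every CDP/AIA URL embedded in it
# (the ones the parent CA published); this is what every client does at validation time.
$caCertFile = Join-Path $BackupRoot 'issuing-ca.cer'
certutil -ca.cert $caCertFile | Out-Null
$verify = certutil -verify -urlfetch $caCertFile
$verify | Select-String '^\s*(Verified|Failed|ERROR)' | ForEach-Object { $_.Line.Trim() }
if ($verify -match '^\s*(Failed|ERROR)') {
    Write-Warning 'Some CDP/AIA locations could not be retrieved; clients will fail revocation checks.'
}

# --- 4. Renewal timing: AD CS truncates issued certificates to the CA's own expiry --------
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
$longestTemplate = [TimeSpan]::FromDays(2 * 365)     # assumption: 2-year templates
$remaining = $caCert.NotAfter - (Get-Date)
'CA certificate expires {0:u}; {1:N0} days remaining' -f $caCert.NotAfter, $remaining.TotalDays
if ($remaining -lt $longestTemplate) {
    $msg = 'Renew the CA certificate now: {0:N0} days of validity left is less than the longest template ({1:N0} days), so newly issued certificates will be cut short.' -f $remaining.TotalDays, $longestTemplate.TotalDays
    Write-Warning $msg
}
```

Run it from an elevated PowerShell on the CA after each configuration change and on the CRL schedule; the warning in step 4 is the practical trigger for the renewal task in the table, since a CA with less validity left than its longest template silently issues shortened certificates rather than refusing.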

Recommendations (may vary from organization to organization):

Architectural PKI operations can be performed as needed or as applicable to the existing PKI requirements.

Maintenance PKI operations are best performed on schedule, in a timely manner, to keep CA services uninterrupted.

Testing PKI operations should be performed after every change, so that the state of the PKI is known and the services can be relied on.

We recommend that every organization maintain a PKI operations guide with detailed, step-by-step procedures for these tasks, so that PKI services stay uninterrupted. For more details on a PKI operations guide, please contact us.

Big Data – Data Encryption in Big Data

The Security Challenges of Big Data

Big Data is an emerging set of technologies that gives organizations greater insight into very large volumes of data, to drive better business decisions and greater customer satisfaction. The aggregation of data in Big Data systems also makes them an attractive target for attackers. Organizations must handle this data efficiently and protect sensitive customer data in order to comply with privacy laws and compliance requirements. Securing Big Data is difficult for several reasons:

  1. There are multiple real-time data feeds from different sources, each with different protection needs.
  2. Multiple types of data are combined together.
  3. The data is accessed by many different users with varying analytical requirements.
  4. The tools evolve rapidly and are developed by the open source community.
  5. Data is automatically replicated across multiple nodes.

Tailored Encryption Services

We assess, strategize & implement encryption strategies and solutions.

Ways to Protect Data in Hadoop Environment

There are multiple ways to protect data in a Hadoop environment:

  • File system level encryption: commonly used to protect sensitive information in files and folders; it is also known as "data at rest" encryption. Data is encrypted at the file or volume level and protected while it resides on the data store. It does not protect data in use: the operating system decrypts transparently on read, so the plaintext is exposed to any user or process, authorized or not, that has access to the running system. It protects against the theft or loss of a disk, not against a compromised host.
  • Database encryption: databases offer their own options, such as Transparent Data Encryption (TDE), which encrypts an entire database (or tablespace) on disk, and column-level encryption, which encrypts individual columns and so can protect only the sensitive fields. TDE, like file system encryption, is transparent to anyone who can query the database; column-level encryption can be keyed so that only specific applications or roles can decrypt.
  • Transport level encryption: protects data in motion using TLS (SSL, its predecessor, is obsolete).
  • Application level encryption: the application encrypts data through an API before it is stored, so the storage and database layers only ever see ciphertext.
  • Format preserving encryption (FPE): encrypts data without changing its format (a 16-digit card number becomes another 16-digit string), so applications and databases can keep using the field. Protection is applied at the field level, protecting the sensitive parts of a record while leaving the non-sensitive parts untouched.

As large volumes of data from sources such as machine sensors, server logs and applications flow into a Hadoop data lake, the lake becomes the central repository for a broad and diverse set of data. It needs comprehensive security because it will hold vital and often highly sensitive business data. Data can be protected at several stages in Hadoop: before it enters the data lake, as it enters, or after it has entered:

    • Data protection at the source application: the data is encrypted or tokenized before it is imported into Hadoop. This is the ideal scenario: data is protected throughout its entire lifecycle, and Hadoop may be kept out of compliance scope because it never holds the cleartext. This option requires an interface to the source applications for encryption and tokenization; the protected data is then imported into Hadoop.
    • Data protection during import into Hadoop: this option does not need access to the source applications. Data is protected in the landing zone as it enters Hadoop.
    • Data protection within Hadoop: this option protects data fields once they have been identified inside Hadoop, using interfaces that run within Hadoop jobs and integrations with modules such as Hive, Impala, Sqoop, Spark, Storm, Kafka and NiFi.
    • Storage-level encryption within Hadoop: protects data against physical theft or accidental loss of a disk volume. This option uses HDFS transparent encryption (encryption zones) in the Hadoop Distributed File System to create a safe landing zone; the per-zone keys are held in the Hadoop Key Management Server (KMS), which decrypts a file's data encryption key only for clients authorized to read it. It adds I/O overhead, and for better security the KMS should be backed by a Hardware Security Module.

Code Signing Solution

What is Code Signing?

Code signing is the process of confirming the authenticity and origin of digital information, especially software: it establishes who the author is and provides assurance that the signed code has not been changed since it was signed. Verifying the signature also checks the signing certificate, so a signature made with a certificate that has since been revoked can be rejected.

Whenever we download a program and see a prompt saying "Are you sure you want to run this?", or install software and are asked "Do you want to allow the following program to make changes to this computer?", that is code signing in action: the dialog shows the verified publisher name taken from the signing certificate. If the program is not signed, the same dialog shows an "Unknown publisher" warning instead.

Why Code Sign Solution?

Code signing plays an important role because it lets a system distinguish legitimate software from malware or rogue code. Technically, the signing tool computes a hash of the code and signs that hash with the publisher's private key (with RSA this is often described as encrypting the hash); the signature and the publisher's certificate are attached to the code. On execution or installation, the verifier recomputes the hash, checks the signature against the public key in the certificate, and validates the certificate chain. If the hashes match and the chain leads to a trusted root, the code has not been modified since signing and was signed by the holder of the private key belonging to the named publisher. Note what this does not prove: that the code is safe, only that it is intact and attributable.
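The hash-sign-verify cycle just described, shown end to end with Authenticode, is an added example and not code from the page or from any product it describes. It assumes a Windows host with PowerShell 5.1 or later; the self-signed certificate, the subject name, the script path and the tampered line are lab constructions standing in for a certificate issued by a trusted CA and a real build artifact.

```powershell
# Added example (not from the page): Authenticode signing, verification and tamper detection.
# Assumptions: Windows PowerShell 5.1+, a throwaway self-signed code-signing certificate
# (in production the key sits in an HSM and the certificate chains to a trusted CA).
$subject = 'CN=Lab Code Signing (example)'

# 1. Signing key and certificate. -Type CodeSigningCert sets the Code Signing EKU.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation Cert:\CurrentUser\My -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256

# 2. Something to sign: a constructed one-line script.
$script = Join-Path $env:TEMP 'hello-signed.ps1'
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"' -Encoding UTF8

# 3. Sign: hash the file with SHA-256, sign the hash with the private key and embed the
#    signature block plus the certificate in the file. Add -TimestampServer <url> (needs
#    network) so the signature stays valid after the certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256
'after signing  : {0} - {1}' -f $sig.Status, $sig.StatusMessage
# With a self-signed certificate Status is 'UnknownError' ("terminated in a root certificate
# which is not trusted"); with a certificate from a trusted CA it is 'Valid'. Either way the
# hash check below is independent of chain trust.

# 4. Verify: recompute the hash, compare it with the signed hash, validate the chain.
$check = Get-AuthenticodeSignature -FilePath $script
'verify intact  : {0} - signer {1}' -f $check.Status, $check.SignerCertificate.Subject

# 5. Tamper with the payload. The signature block is still present, but the recomputed hash
#    no longer matches the signed one, so Status becomes 'HashMismatch'.
$lines = Get-Content $script
$lines[0] = 'Write-Output "hello from a TAMPERED script"'
Set-Content -Path $script -Value $lines -Encoding UTF8
$tampered = Get-AuthenticodeSignature -FilePath $script
'verify tampered: {0}' -f $tampered.Status

# 6. Remove the lab certificate so the key cannot be reused, and the sample file.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $script
```

Two points worth seeing in the output: the tamper check fails on the hash alone, before trust is even considered, and the "not trusted" status on the self-signed certificate is exactly the "Unknown publisher" condition end users are warned about, which is why the signing certificate, not just the signature, has to be right.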

Enterprise Code-Signing Solution

Get One solution for all your software code-signing cryptographic needs with our code-signing solution.

Risks associated with Code Signing Solution

Like any other development process, code signing comes with challenges. Code signing is only effective if the signing infrastructure itself is secure. The main risks are:

  • Stolen, corrupted or misused signing keys: whoever holds the key can produce signatures that every customer trusts.
  • Unauthorized users gaining access to the signing system and signing with its certificates.
  • Unprotected CA private keys, which would compromise every certificate (and hence every signature) issued under that CA.
  • Trusting certificates that were issued without authorization, for example by a compromised or careless CA, which lets an attacker's signatures pass as legitimate.
  • Signing of unauthorized code (a valid signature on malware or on an unreviewed build).
  • Weak or obsolete cryptography, such as SHA-1 signatures or short keys, which lets a signature be forged or collided.

Best Practices for Code Signing Solution

These include:

  • Protecting private keys to a high standard: generating and keeping them in an HSM or a purpose-built signing environment, so that the key can be used but never copied.
  • Keeping track of private keys and code signing events: visibility into who signed what, and when.
  • Managing the assignment and revocation of publishers: restricting use of the private keys to authorized users, and removing access promptly.
  • Audit capability: accountability and forensic insight into code signing activities.
  • Reviewing policies and procedures before code is signed (what may be signed, by whom, after which checks), which makes the development process more trustworthy.
  • Building on sound cryptography (current algorithms, adequate key sizes, trusted timestamping) so that the cryptography itself does not become the weak point of the code signing process.

CCPA vs GDPR

In the digital era, with new attacks emerging to steal personal data, the protection of that data has become a serious concern. Governments have responded with laws that protect individuals' information and require organizations to handle it responsibly. These regulations are designed to give individuals control over their personal data, govern how businesses collect, store, use and share it, and provide legal recourse if the data is mishandled or misused.

The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are both data privacy regulations that require organizations to protect personal data from misuse by third parties or attackers. The two are similar in spirit yet have distinct scopes and requirements, which we cover in the following sections. Regionally, the CCPA protects California residents while the GDPR protects people in the European Union (and the wider European Economic Area).

California signed the California Consumer Privacy Act into law in June 2018, and it has been in effect since January 1, 2020. California is no stranger to privacy laws; the state has previously introduced the California Shine the Light Law, the California Invasion of Privacy Act, the California Online Privacy Protection Act, the California Anti-Phishing Act of 2005, Privacy Rights for California Minors in the Digital World, and the California Electronic Communications Privacy Act.

However, the CCPA is stricter than any previous law enacted by the state, rivaling the EU's GDPR. The CCPA does not cover everything the GDPR requires, but it created the strictest privacy law the United States had seen.

The personal information of individuals is at an all-time high risk, and the misuse of personal data is now a primary concern worldwide. The CCPA introduced consumer privacy regulations never before seen in America.

The legislation protects personal information by defining it broadly: Personal Information (PI) is "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". The legislation addresses organizations that use, compile and distribute personal information.

The act protects California consumers by enforcing the protection of personal information and requiring organizations to respect the privacy of residents. A for-profit business that does business in California must comply with the CCPA if it meets any one of three thresholds:

  1. Annual gross revenue greater than $25 million;
  2. Buys, receives, sells or shares the PI of 50,000 or more consumers, households or devices (raised to 100,000 consumers or households by the CPRA amendments); or
  3. Derives 50 percent or more of its annual revenue from selling California consumers' PI.

If the law is not followed, the Attorney General (and, since 2023, the California Privacy Protection Agency) can impose civil penalties of up to $2,500 per violation and $7,500 per intentional violation, and consumers affected by a data breach caused by inadequate security can sue for statutory damages of $100 to $750 per consumer per incident.

Rights in CCPA

The California Consumer Privacy Act aims to let consumers retain ownership, power and security over their personal information if they are residents of the state of California, by establishing significant consumer rights such as:

  • Right to Know

    The right to know what personal information is being collected about them, and where it is being sold or disclosed.

  • Right to Opt-Out

    The right to deny the sale of personal information: consumers can opt out of the sale of their personal data.

  • Right to Non-Discrimination

    The right to equal service and price when exercising privacy rights: businesses cannot discriminate against consumers for exercising their CCPA rights.

  • Right to Delete

    The right to have personal information deleted: a consumer can request that a business delete the personal information it has collected from that consumer.

The original CCPA was a landmark in privacy protection, but it left consumers responsible for tracking and acting on the privacy choices offered by each business they deal with, a burden that limited the law's effect. Proposition 24, the California Privacy Rights Act (CPRA), was approved by voters in November 2020 and has been in effect since January 1, 2023. It added two new rights:

  • Right to Correct

    Consumers have the right to correct inaccurate personal information a business holds about them. Inaccurate information can have negative consequences for a consumer, so it is important to be able to keep one's personal information accurate at any business.

  • Right to Limit

    Consumers have the right to limit the use and disclosure of sensitive personal information collected about them. For example, a consumer who does not want their personal contact number used beyond what is necessary to provide the service can direct the business to limit it.

Rights in GDPR

  • Purpose limitation, data minimisation and storage limitation

    These are GDPR principles (Article 5) rather than rights as such: organizations may collect only the personal data necessary for a stated purpose and must discard it once processing is complete.

  • Right to Erasure (Article 17)

    Similar to the CCPA's Right to Delete: a data subject can request the deletion of their personal data.

  • Right to Object (Article 21)

    Data subjects can object to the processing of their personal data, including processing for direct marketing.

  • Right to Restriction of Processing (Article 18)

    Data subjects can require that processing of their personal data be restricted under certain conditions, for example while its accuracy is contested.


Comparison between CCPA and GDPR

While the CCPA and the GDPR are similar, they differ in a fair number of requirements. The comparison below shows both similarities and differences. An organization that already complies with the GDPR will still have to make further provisions to comply with the CCPA.

Major requirement | California Consumer Privacy Act | General Data Protection Regulation
Encrypted/redacted personal data | Breaches of encrypted or redacted data are excluded from the private right of action | Encryption is a recommended safeguard (Art. 32); a breach of encrypted data may not need to be communicated to individuals (Art. 34)
Privacy by design | Not required | Required (Art. 25)
Compliance by all businesses collecting personal data | Only businesses meeting the revenue or data-volume thresholds | All controllers and processors handling EU residents' data, regardless of size
Limit sale of personal data | Right to opt out of sale (and, under the CPRA, sharing) | No separate "sale" concept; any processing needs a lawful basis, and data subjects can object or withdraw consent
Reporting of data breaches | No notification duty in the CCPA itself (California's separate breach law applies); private right of action for breaches | Notification to the supervisory authority within 72 hours, and to affected individuals where the risk is high (Arts. 33-34)
Options for minors | Opt-in consent required to sell PI of consumers under 16 (parental consent under 13) | Parental consent for online services offered to children under 16; member states may lower the age to 13 (Art. 8)
Policies for cookies | Cookie and device identifiers count as personal information | Consent required for non-essential cookies (ePrivacy Directive, read with the GDPR)
Processing bans | Not provided | Supervisory authorities can impose temporary or definitive bans on processing (Art. 58)
Equal service and price when exercising privacy rights | Explicit right to non-discrimination | Consent must be freely given and cannot be made a condition of service (Art. 7(4))

How Encryption Consulting Can Help ?

At Encryption Consulting, our Encryption Audit Service is designed to ensure your data security is rock solid. Our organization specializes in encryption services, offering essential tools for businesses to comply with data privacy regulations such as the CCPA and GDPR. We dive deep into your current encryption mechanisms, pinpointing vulnerabilities and offering practical recommendations to boost your encryption strategies. By aligning our audits with industry standards and regulatory requirements, we make sure your encryption practices are both effective and compliant. 

Conclusion

CCPA and GDPR both are data privacy regulations introduced by governments to give more power to consumers, allowing them to protect their personal information from being misused by businesses. Consumers have various rights under these regulations, such as the right to access their data, the right to correct inaccuracies, the right to request deletion, and the right to opt-out of the sale or processing of their personal information.

These policies help consumers take control of their data, ensuring that businesses handle it transparently and responsibly. By empowering individuals, CCPA and GDPR also promote trust and accountability in the digital economy, creating a safer environment for data sharing while minimizing risks such as identity theft, unauthorized profiling, or data breaches.

Big Data Security and Privacy Issues

The Security Challenge of Big Data

Big Data refers to collecting and analysing very large volumes of data to gain greater insight that can drive better business decisions and greater customer satisfaction. Securing Big Data is difficult not just because of the amount of data involved, but also because of the continuous streaming of data, the multiple types of data and cloud-based storage.


Some of the major challenges in securing Big Data are:

  • Secure computations: Big Data technologies use distributed programming frameworks such as MapReduce to process large amounts of data, and in their default configuration these frameworks offer little protection. In MapReduce the data is split, processed by mappers and then written to storage; if someone can alter a mapper's code or configuration they can manipulate the data being processed, and such untrusted mappers are hard to detect. Securing the computations (authenticating cluster nodes and jobs with Kerberos, restricting who may submit jobs) is essential to maintaining the integrity of the data.
  • Protecting data and transaction logs: because of their size, data and transaction logs are stored in multi-tiered storage with auto-tiering. Auto-tiering moves data between tiers without the owner tracking its location, so data can end up on untrusted storage in unknown physical locations and the organization loses control over it. The movement between tiers can itself reveal user activity and data properties to an attacker. Data and transaction logs must be protected to maintain the confidentiality, integrity and availability of the data.
  • Validation of inputs from endpoints: Big Data systems collect data from a large number of devices and applications. That input may include rogue data sent by an untrusted endpoint, which skews the organization's analytical output. The challenge is to validate every input to ensure that it came from a trusted source, for example by authenticating collectors with certificates and rejecting malformed records.
  • Secure non-relational data stores: non-relational (NoSQL) stores are widely used in Big Data. Many still ship with weak defaults: no or weak authentication between client and server, no transport encryption, and data files stored unencrypted at rest, all of which threaten privacy.
  • Privacy-preserving data analytics: as more data is collected, aggregation combined with analytics can violate user privacy. If analytics is outsourced, an untrusted third-party employee can infer personal information about users. Organizations want to use Big Data analytics to improve customer satisfaction, but must protect user privacy while doing so.
  • Access control: Big Data handles a variety of data including sensitive data such as users' Personally Identifiable Information, which many legal and compliance requirements protect. Granular access control policies are needed so that only authorized users can access sensitive data and the analytics derived from it; this is what preserves confidentiality.
  • Real-time security monitoring: the Big Data infrastructure and the analytics it runs need real-time security monitoring. This has always been difficult because of the volume of alerts generated by devices, many of them false positives, so companies often struggle to monitor in real time.

How Encryption Secures Big Data

Encryption can help in handling data protection in Big data technologies at multiple stages to ensure confidentiality, integrity, and availability of data is maintained. If you want to know more about it, watch out for our next blog on Data Protection in Big data using encryption.

Cloud HSMs – Overview and Use Cases

With cloud adoption soaring to whopping 96% in 2018 according to CIO, it’s no wonder that cloud security is a hot industry topic. In today’s dynamic world, many companies are accelerating their digital transformation by moving data and applications to the cloud; benefiting from scalability and reduced costs at the same time. With cloud becoming an integral part of any enterprise, the questions that many ask include:

  • How to ensure cloud data security?
  • Where and how to manage encryption keys in the cloud?
  • How to ensure your data is securely stored and protected in a multi-cloud  environment?
  • How to ensure vendor independence in a multi-cloud environment?

HSM

Hardware Security Modules (HSMs) have been around for a long time and have become synonymous with "security". Many organizations that host their data and applications on premises use HSMs: tamper-resistant physical units that generate, store and use cryptographic keys, so that the keys never leave the device in clear, to protect their most valuable assets. The HSM acts as the centralized root of trust and offers a level of key protection that software alone cannot. While this is a great option for on-premises scenarios, it becomes complicated in a multi-cloud environment.

Say you decide to go with the Key Management Service (KMS) offered by your Cloud Service Provider (CSP): what happens if your environment is a combination of private, public, hybrid or multi-cloud? The important question is whether your CSP's KMS supports data and applications hosted outside the CSP's own environment. Every enterprise has a unique cloud environment, and being locked in to one vendor in the name of data security is probably not the best option. Look for a solution that is CSP-agnostic, supporting multiple cloud environments, so you can make the most of the services offered by providers such as Google Cloud, Microsoft Azure and AWS.

Tailored Cloud Key Management Services

Get flexible and customizable consultation services that align with your cloud requirements.

Another consideration regarding your CSP's KMS is the proximity of your valuable data assets to your encryption keys. Is it safer to keep your house key under the doormat or in a locked vault in a secure storage facility? A CSP's KMS is reached through a software API and control plane operated by the same provider that stores your data; even where the provider backs the service with HSMs (AWS KMS and Azure Key Vault both do, as discussed later on this page), keys and data sit in one administrative domain under one set of credentials. As a best practice, separate your encryption keys from your encrypted data assets, in both location and administrative control, to minimize the risk of a catastrophic data breach.

HSM-as-a-Service: Simplified Security

We are back where we started. If the HSM is the ultimate security solution, wouldn't it be ideal to have HSM-level security for your cloud applications and workloads without taking on the expense and responsibility of running HSMs for every environment in your multi-cloud estate? Today, solutions such as HSM-as-a-Service or HSM-in-the-Cloud offer the best of both worlds, combining the security of an HSM with the flexibility of a KMS. This may be the solution for you if you are looking for:

  • Multi-cloud deployments
  • Migration flexibility – no CSP and cloud lock-in
  • Reducing your capex
  • Innovate in the cloud – place your own firmware and custom code on the HSM

With the right strategy and solution, you can ensure your cloud security is treated like your on-premises security. Get in touch with Utimaco to learn more about CryptoServer Cloud and how you can secure your cloud data without limiting your agility and potential.


Key Management in Multi-Cloud Environments

Building your Encryption Strategy

Once overlooked, key management in the cloud is becoming a high priority for CISOs as multi-cloud environments become the next step in the continual goal of reducing downtime. Each major cloud provider has its own internal key manager. Amazon Web Services (AWS) has the AWS Key Management Service (KMS), historically reached through the Identity and Access Management (IAM) console. Azure has Key Vault to store keys used within its environment. Google has Cloud Key Management Service. All of them have very different interfaces and offer little control over key sovereignty.

Leverage REST for BYOK

External key management services have been slow to answer the problem, with their focus on the internal data center. Cloud key managers have not been keen to adopt standards such as the Key Management Interoperability Protocol (KMIP). The latest generation of key managers, however, is starting to close the gap. By leveraging the REST interfaces provided by cloud providers, key managers can enable Bring Your Own Key (BYOK) functionality at multi-cloud and enterprise scale. Functionally, most key managers can support these new use cases through APIs and clients. Migrating to a secure cloud infrastructure requires some research, as BYOK integrations are still emerging.
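The wrap step that a REST BYOK integration performs, shown as an added example (this is not code from the article, from Fornetix or from any cloud provider): the provider publishes an RSA 2048 wrapping public key and an import token, the customer wraps a 256-bit key with RSA-OAEP using SHA-256 (the scheme AWS KMS documents as RSAES_OAEP_SHA_256 for key import), and the provider unwraps it inside its HSM. Both sides are simulated in one Go process so the example runs offline. `ImportStub`, `ImportParams`, `GetParametersForImport`, `ImportKeyMaterial` and `WrapKeyMaterial` are this example's own names, modelled on the AWS KMS import flow but not the AWS API, and the wrapping key pair is generated locally as a stand-in for the one a real service would return.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ImportParams stands in for what a cloud KMS returns from its "get parameters
// for import" call: a public wrapping key (RSA 2048 here) and an opaque import
// token that ties the wrapped blob to this request. Names are this example's own.
type ImportParams struct {
	WrappingPublicKey *rsa.PublicKey
	ImportToken       []byte
}

// ImportStub simulates the provider side. It owns the private half of the
// wrapping key pair, which in a real service never leaves the HSM boundary.
type ImportStub struct {
	wrappingPriv *rsa.PrivateKey
	token        []byte
	Imported     map[string][]byte // key ID -> imported key material
}

func NewImportStub() (*ImportStub, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return nil, err
	}
	return &ImportStub{wrappingPriv: priv, token: tok, Imported: map[string][]byte{}}, nil
}

// GetParametersForImport hands the customer the public wrapping key and token.
func (s *ImportStub) GetParametersForImport() ImportParams {
	return ImportParams{WrappingPublicKey: &s.wrappingPriv.PublicKey, ImportToken: s.token}
}

// ImportKeyMaterial unwraps the blob with RSA-OAEP (SHA-256 for hash and MGF1,
// empty label) and rejects a wrong token, a corrupted blob or the wrong key size.
func (s *ImportStub) ImportKeyMaterial(keyID string, token, wrapped []byte) error {
	if subtle.ConstantTimeCompare(token, s.token) != 1 {
		return errors.New("import token does not match")
	}
	material, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.wrappingPriv, wrapped, nil)
	if err != nil {
		return fmt.Errorf("unwrap failed: %w", err)
	}
	if len(material) != 32 {
		return fmt.Errorf("expected 32-byte key material, got %d bytes", len(material))
	}
	s.Imported[keyID] = material
	return nil
}

// WrapKeyMaterial is the customer side of BYOK: a 256-bit key generated under
// the customer's control is wrapped with the provider's public key so that only
// the provider's HSM can recover it.
func WrapKeyMaterial(p ImportParams, material []byte) ([]byte, error) {
	if len(material) != 32 {
		return nil, errors.New("key material must be 32 bytes")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, p.WrappingPublicKey, material, nil)
}

// RunBYOK performs the whole exchange and reports whether the provider ended up
// holding exactly the material the customer generated.
func RunBYOK() (bool, error) {
	stub, err := NewImportStub()
	if err != nil {
		return false, err
	}
	params := stub.GetParametersForImport()
	material := make([]byte, 32) // customer-generated key material (constructed with the OS CSPRNG)
	if _, err := rand.Read(material); err != nil {
		return false, err
	}
	wrapped, err := WrapKeyMaterial(params, material)
	if err != nil {
		return false, err
	}
	if err := stub.ImportKeyMaterial("byok-key-1", params.ImportToken, wrapped); err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(stub.Imported["byok-key-1"], material) == 1, nil
}

func main() {
	ok, err := RunBYOK()
	fmt.Println("BYOK round trip ok:", ok, "err:", err)
}
```

Run it with `go run`. The points worth noticing are the ones a real integration must preserve: the private half of the wrapping key is never returned to the customer, the import token binds the wrapped blob to one request, and a corrupted blob or wrong token is rejected before any key material is stored.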


Tailored Encryption Services

We assess, strategize & implement encryption strategies and solutions.

How to Decide on a Key Management Partner?

There are several questions you should consider before deciding on your key management partner:

  • What is your current usage of encryption?
  • Where should your organization be using encryption but is not, because of complexity?
  • How many cryptographic objects will the Key Manager support? Will it be able to scale with the continued growth of your company?
  • Does the Key Manager support automation of workloads? With the heavy automation already in your DevOps environment, why introduce a manual bottleneck?
  • Does the Key Manager have the integrations for the tools you use?
  • Is the Key Manager from a company that can be a trusted partner? Managing your keys is only part of the equation: encryption keys and certificates gate access to all of your stored data, so you need to be sure the partner can protect your organization's data integrity.

By working with experts, you greatly increase your chances of having a platform that performs and provides the security your organization needs to thrive while still protecting vital data. With the right strategy, encryption of your multi-cloud infrastructure can be integrated into your existing DevOps platforms with ease.

Jon Mentzell is a cyber security expert with two decades of systems administration and DevOps experience including security for a cabinet-level government agency. He is currently the Product Security Manager at Fornetix.

Challenges of Key Management in Multi-Cloud Environments

  • Interoperability Between Cloud Providers

    The ability of different cloud platforms, such as GCP and AWS, to work together seamlessly, and the management of encryption consistently across multiple providers.

  • Complexity of Key Rotation Across Multiple Cloud Platforms

    Security is enhanced by regularly changing encryption keys. In a multi-cloud environment, managing key rotation across platforms is complex because each platform has its own key management mechanisms and policies.

  • Ensuring Consistency and Synchronization of Keys

    Maintaining consistency and synchronization of encryption keys across multiple cloud environments is crucial so that data stays usable and intact wherever it is processed.

  • Compliance with Different Security Standards and Regulations

    Different cloud providers may adhere to varying security standards and regulations. Managing keys in compliance with these standards across multiple clouds requires careful planning and implementation to avoid compliance breaches.

How Encryption Consulting can help

With a strong focus on encryption advisory services and decades of consulting expertise, Encryption Consulting offers a range of cryptographic solutions. Among these, PKI as a Service (PKIaaS) stands out, providing round-the-clock support to clients for any issues in their PKI environment. This comprehensive approach enhances security and helps organizations remain resilient against misconfigurations in their encryption setups.

Common Encryption Challenges

Data protection is now one of the most critical, and perhaps the number one, priority for organizations. With data breaches at an all-time high and new regulations such as GDPR coming into force, organizations are focusing on a data-centric security approach. Encryption is one of the oldest yet most effective technologies that enable organizations to achieve data-centric security.

The two main drivers for encryption are:

Compliance

  • EU GDPR
  • PCI-DSS
  • HIPAA / HIPAA HITECH
  • NYDFS

Risk Reduction

  • Big Data Lakes
  • Cloud Platforms
  • Analytics involving sensitive data

The journey of encrypting data follows a thorough process that consists of:

  • Classification
  • Discovery
  • Protection
  • Enforcement
  • Monitoring

While encryption has been in use for centuries, its application depends on the context of the information being processed and the relevant business requirement. So while it may sound easy, encryption has its own set of challenges that must be addressed when designing an encryption solution. At Encryption Consulting we understand these challenges.

Data Discovery

The first action for an organization is to locate the sensitive and critical data that requires encryption, which is achieved through data discovery and assessment.

Manual Approach

  • Discussing with business stakeholders and Data custodians

Tool Based

  • Selecting and deploying Data discovery tools for structured, unstructured, and semi-structured data stores

Key Management: Cloud or On-Premises

Key management is one of the most critical components of encryption. It is very important to carefully identify and design the approach best suited to your needs.

Key Security

  • Ensuring keys are protected at all times, from generation through storage and use
  • Not allowing cloud administrators access to keys

Controlling keys as the Customer

  • If the customer deletes its key, the data encrypted under it becomes unrecoverable (crypto-shredding), so deletion must be deliberate and controlled
  • Maintaining on-premises control of the key

Confinement of Key

  • Keys stay confined to the key management platform and are never exported in plaintext
  • Never allowing keys to be swapped or substituted outside the platform's controls

Key Rotation

  • Limit how much data is encrypted under a single key; over-use widens the exposure of a compromise and, for modes such as AES-GCM, raises the risk of nonce reuse
  • Re-key by generating a new key and re-encrypting the data under it (or, with envelope encryption, by re-wrapping the data keys under the new master key)


Querying Encrypted Data

It is often necessary to search and index encrypted data stored on-premises or in the cloud. This is a big concern for organizations, since it can require decrypting the data repeatedly, widening the window in which an attacker could reach decrypted data. Frequent decryption also adds system resource and time costs.
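One common way to search without decrypting, shown as an added example that is not part of the original post: a keyed blind index. The application stores, beside each ciphertext, an HMAC-SHA256 token of the normalized plaintext computed under a separate index key; an equality query computes the same token and matches rows without touching the ciphertext and without sending the plaintext to the datastore. `Record`, `BlindIndexer`, `FindByEmail` and `SampleRows` are this example's own names; the rows and the index key are constructed for the example, and the `Ciphertext` field is a placeholder for the output of the encryption layer.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Record is what the datastore holds: the sensitive value only as ciphertext
// (produced elsewhere, opaque here) plus a keyed blind index over it.
type Record struct {
	ID         int
	Ciphertext []byte // encrypted e-mail; never decrypted during search
	EmailIndex string // hex HMAC token, the only thing the query touches
}

// BlindIndexer derives equality-search tokens with HMAC-SHA256 under a key that
// is separate from the data-encryption key and held by the application, not the
// datastore. tokenBytes truncates the tag: fewer bytes mean less information
// leaked per row, at the cost of a few false positives to filter after decryption.
type BlindIndexer struct {
	key        []byte
	tokenBytes int
}

func NewBlindIndexer(key []byte, tokenBytes int) *BlindIndexer {
	if tokenBytes <= 0 || tokenBytes > sha256.Size {
		tokenBytes = sha256.Size
	}
	return &BlindIndexer{key: key, tokenBytes: tokenBytes}
}

// normalize makes the token stable for equivalent inputs; trim + lowercase is
// the assumption this example makes for e-mail addresses.
func normalize(v string) string { return strings.ToLower(strings.TrimSpace(v)) }

// Token returns the blind index for one plaintext value.
func (b *BlindIndexer) Token(value string) string {
	mac := hmac.New(sha256.New, b.key)
	mac.Write([]byte(normalize(value)))
	return hex.EncodeToString(mac.Sum(nil)[:b.tokenBytes])
}

// FindByEmail answers "which rows have this e-mail" from index tokens alone:
// no ciphertext is decrypted and the plaintext never reaches the datastore.
func FindByEmail(b *BlindIndexer, rows []Record, email string) []int {
	want := b.Token(email)
	var ids []int
	for _, r := range rows {
		if hmac.Equal([]byte(r.EmailIndex), []byte(want)) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// SampleRows is a constructed dataset; the ciphertexts are placeholders standing
// in for AES-GCM output produced by the encryption layer.
func SampleRows(b *BlindIndexer) []Record {
	emails := []string{"Alice@Example.com", "bob@example.com", "alice@example.com ", "carol@example.com"}
	rows := make([]Record, 0, len(emails))
	for i, e := range emails {
		rows = append(rows, Record{ID: i + 1, Ciphertext: []byte("<ciphertext>"), EmailIndex: b.Token(e)})
	}
	return rows
}
```

Trade-offs to weigh before adopting this: a blind index supports exact-match queries only (not ranges or substrings), it reveals which rows share a value to anyone who can read the index (which is why the index key must be separate from the encryption key and held by the application), and a truncated token trades a small false-positive rate, removed by decrypting only the candidate rows, for less leakage per row.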

Performance Overhead

Whenever data is encrypted, a performance overhead is incurred. The larger the volume of data encrypted, the greater the slowdown systems may experience.

Encryption Algorithm and Key Length

Another important aspect is the selection of the encryption algorithm and key length. A longer key enhances security and reduces the risk of key compromise by brute force, but it can also affect performance, since a longer key consumes more resources and time (most noticeably for asymmetric algorithms such as RSA). Throughput requirements and business needs should therefore be evaluated carefully when selecting the algorithm and key length.

Challenges of Encryption Program Management

When deciding which type of encryption is best for your organization, the challenges of encryption program management are:

Planning

  • Meeting set requirements and compliance obligations
  • Assess products/vendors available
  • Confirmation of product/vendor

Building

  • Creating and tuning a secure environment
  • Plan for system integration

Integrating

  • Set Formal Policies
  • Formatting of Data
  • Conduct Performance Test
  • Launch Application

We at Encryption Consulting can help customers plan and design the most suitable encryption option for securing data wherever it is stored, without compromising business performance or user experience.

Contact us at [email protected]

AWS VS Azure KMS

Deciding which cloud crypto vendor is best for you? The choice between Amazon Web Services and Microsoft Azure is heavily debated. Moving data to the public cloud is becoming the standard for organizations. The two main goals in protecting that data are to prevent unauthorized access and to meet compliance regulations, and cloud security must be a priority for everyone in the organization. Encryption is only as strong as the protection of its keys. Key protection and management are offered by Amazon Web Services Key Management Service (AWS KMS) and Microsoft Azure Key Vault. In today's blog, Encryption Consulting summarizes AWS KMS and Azure Key Vault.

Amazon Web Services Key Management Services (AWS KMS)

AWS KMS is a managed service used to create and manage encryption keys. It has two types of keys: Customer Master Keys (CMKs) and data keys. A CMK can directly encrypt and decrypt up to 4 kilobytes of data, and never leaves AWS KMS in plaintext; CMKs can be customer managed or AWS managed. Data keys are generated by AWS KMS and are encrypted (wrapped) and decrypted (unwrapped) under a CMK; they are what you use to encrypt bulk data. AWS KMS does not store, manage or track data keys and cannot use a data key to encrypt data for you: you use and manage data keys yourself, keeping only the encrypted copy alongside the data (envelope encryption). AWS KMS uses FIPS 140-2 validated hardware security modules (HSMs) and offers FIPS 140-2 validated endpoints, ensuring the confidentiality and integrity of your keys.
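Envelope encryption with a KMS-held master key, and re-wrapping on rotation, as an added example in Go (this is not AWS code; it is a local stand-in for the service, not the AWS API). It illustrates the AWS KMS behaviour described above and the key rotation points raised earlier on this page (the Key Rotation bullets in the Common Encryption Challenges section and the multi-cloud rotation challenge): direct `Encrypt`/`Decrypt` are capped at 4 KB; `EnvelopeEncrypt` obtains a fresh data key, a plaintext copy plus a CMK-wrapped copy, corresponding to GenerateDataKey, encrypts the bulk data with AES-256-GCM and keeps only the wrapped copy; `Rotate` adds a master key version while retaining the old ones; `ReEncrypt` re-wraps a stored data key under the newest version without touching the bulk ciphertext. `KMSStub`, the 4-byte version header and the blob layout are this example's own; real KMS ciphertext blobs are opaque and laid out differently.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// KMS Encrypt/Decrypt take at most 4 KB of plaintext; bulk data is protected by data keys.
const maxDirectEncrypt = 4096

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealGCM: AES-256-GCM with a random 12-byte nonce prepended; aad is authenticated, not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMSStub simulates one CMK with several key versions; material never leaves it and callers only
// see blobs laid out as a 4-byte version header followed by GCM output. Call Rotate once first.
type KMSStub struct{ versions [][]byte }

// Rotate adds a fresh 256-bit version; older versions are kept so existing blobs still decrypt.
func (k *KMSStub) Rotate() error {
	v := make([]byte, 32)
	if _, err := rand.Read(v); err != nil {
		return err
	}
	k.versions = append(k.versions, v)
	return nil
}
// Encrypt wraps up to 4 KB under the newest version, binding the version header as AAD.
func (k *KMSStub) Encrypt(plaintext []byte) ([]byte, error) {
	cur := len(k.versions) - 1
	if cur < 0 || len(plaintext) > maxDirectEncrypt {
		return nil, errors.New("no key version installed, or plaintext over the 4 KB limit")
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(cur))
	sealed, err := sealGCM(k.versions[cur], plaintext, hdr)
	if err != nil {
		return nil, err
	}
	return append(hdr, sealed...), nil
}
// Decrypt uses the version named in the header, so blobs from before a rotation still open.
func (k *KMSStub) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 4 || int(binary.BigEndian.Uint32(blob[:4])) >= len(k.versions) {
		return nil, errors.New("malformed blob or unknown key version")
	}
	return openGCM(k.versions[binary.BigEndian.Uint32(blob[:4])], blob[4:], blob[:4])
}
// ReEncrypt re-wraps a blob under the newest version; the bulk data it protects is untouched.
func (k *KMSStub) ReEncrypt(blob []byte) ([]byte, error) {
	plain, err := k.Decrypt(blob)
	if err != nil {
		return nil, err
	}
	return k.Encrypt(plain)
}

// EnvelopeEncrypt mirrors GenerateDataKey plus local AES-GCM: the data key comes back wrapped
// under the CMK (the stub keeps no record of it) and its plaintext copy is dropped after use.
func EnvelopeEncrypt(k *KMSStub, data []byte) (wrapped, ct []byte, err error) {
	dk := make([]byte, 32)
	if _, err = rand.Read(dk); err != nil {
		return nil, nil, err
	}
	if wrapped, err = k.Encrypt(dk); err != nil {
		return nil, nil, err
	}
	ct, err = sealGCM(dk, data, nil)
	return wrapped, ct, err
}
// EnvelopeDecrypt sends only the small wrapped key to KMS and opens the bulk data locally.
func EnvelopeDecrypt(k *KMSStub, wrapped, ct []byte) ([]byte, error) {
	dk, err := k.Decrypt(wrapped)
	if err != nil {
		return nil, err
	}
	return openGCM(dk, ct, nil)
}
```

Create the stub with `kms := &KMSStub{}` followed by `kms.Rotate()` to install the first version. After a further `Rotate`, blobs wrapped under older versions still decrypt, which is why re-keying is an explicit `ReEncrypt` pass over the small wrapped data keys rather than a re-encryption of the bulk data itself; deleting an old version is what makes the data under it unrecoverable.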


Azure Key Vault

Microsoft Azure Key Vault stores secrets such as tokens, passwords, certificates, and API keys, and can also be used as a key management solution. Key Vault can protect keys and secrets with hardware security modules (HSMs). Key Vault supports RSA and Elliptic Curve keys only. Microsoft does not have access to your keys; HSM-protected keys are processed in FIPS 140-2 Level 2 validated HSMs.

Control                       AWS KMS                                Azure Key Vault
Symmetric key                 AES-GCM-256                            X
Asymmetric key                X                                      RSA-OAEP and RSA-PKCS#1 v1.5
Bring your own key (BYOK)     CMK wrapped with RSA 2048              PKCS#12 or nCipher HSM
Unwrap key                    RSA-OAEP and RSA-PKCS#1 v1.5           RSA-OAEP and RSA-PKCS#1 v1.5
Sign                          X                                      RSA-PSS and RSA-PKCS#1 v1.5
Key length, symmetric key     AES 256                                X
Key length, asymmetric key    X                                      RSA 2048 – 4096
Key operations per second     1000 – 5500 depending on the region    1000 for HSM, 2000 for software-based crypto

X = not offered at the time of writing. The table reflects the services as they stood when this was written; both providers have added capabilities since (AWS KMS, for example, now supports asymmetric keys and signing), and request limits change, so check current documentation before deciding.

At Encryption Consulting, we are here to take care of all your encryption needs with respect to cloud key management.

Contact us at [email protected]