Secret Management refers to tools or methods that are used to manage authentication credentials (or secrets). These may include passwords, access keys, API keys, and tokens that can be used in applications, services, privileged accounts or other sensitive areas of the IT ecosystem.

Advantages

  • By this approach, service accounts — generic administrative accounts which may be assumed by one or more users — can access these secrets, but no one else

Disadvantages

  • Not compliant with regulatory requirements which specify FIPS-certified hardware

Why is Secret Management important?

Passwords and access keys are some of the most used tools to authenticate users or automated applications onto the network or give access to specific services, systems, or information that might be otherwise classified. Since these secrets need to be transferred securely, secret management would need to account for and mitigate the risk portrayed on the secrets while in transit as well as on rest.

Some of the secrets include:

  • Passwords
  • API keys or other application keys/credentials
  • SSH Keys
  • Database and other system passwords
  • Certificates for secure communication (TLS/SSL and more).
  • Private encryption keys such as PGP
  • RSA and other one-time password devices

Challenges in Secret Management

As IT infrastructure grows and develops, it increases the complexity and the diversity of the secrets involved that needs to be properly protected. Those secrets should be securely stored, transmitted and audited securely.

Some of the common risk and considerations are:

  • Incomplete visibility and awareness:
    All privileged accounts, applications, tools, containers, or microservices deployed across the environment, and the associated passwords, keys, and other secrets. SSH keys alone may number in the millions at some organizations, which should provide an inkling of a scale of the secrets management challenge. This becomes a particular shortcoming of decentralized approaches where admins, developers, and other team members all manage their secrets separately, if they’re managed at all. Without oversight that stretches across all IT layers, there are sure to be security gaps, as well as auditing challenges.
  • Hardcoded/embedded credentials
    Privileged passwords and other secrets are needed to facilitate authentication for app-to-app (A2A) and application-to-database (A2D) communications and access. Often, applications and IoT devices are shipped and deployed with hardcoded, default credentials, which are easy to crack by hackers using scanning tools and applying simple guessing or dictionary-style attacks. DevOps tools frequently have secrets hardcoded in scripts or files, which jeopardizes security for the entire automation process.
  • Privileged credentials and the cloud
    Cloud and virtualization administrator consoles (as with AWS, Office 365, etc.) provide broad superuser privileges that enable users to rapidly spin up and spin down virtual machines and applications at massive scale. Each of these VM instances comes with its own set of privileges and secrets that need to be managed
  • DevOps tools
    While secrets need to be managed across the entire IT ecosystem, DevOps environments are where the challenges of managing secrets seem to be particularly amplified at the moment. DevOps teams typically leverage dozens of orchestration, configuration management, and other tools and technologies (Chef, Puppet, Ansible, Salt, Docker containers, etc.) relying on automation and other scripts that require secrets to work. Again, these secrets should all be managed according to best security practices, including credential rotation, time/activity-limited access, auditing, and more.
  • Third-party vendor accounts/remote access solutions
    How do you ensure that the authorization provided via remote access or to a third-party is appropriately used? How do you ensure that the third-party organization is adequately managing secrets?
  • Manual secrets management processes
    Leaving password security in the hands of humans is a recipe for mismanagement. Poor secrets hygiene, such as lack of password rotation, default passwords, embedded secrets, password sharing, and using easy-to-remember passwords, mean secrets are not likely to remain secret, opening up the opportunity for breaches. Generally, more manual secrets management processes equate to a higher likelihood of security gaps and malpractices.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Encryption key management software is used to handle the administration, distribution, and storage of encryption keys. Proper management will ensure encryption keys, and therefore the encryption and decryption of their sensitive information, are only accessible for approved parties. IT and security professionals use these solutions to ensure access to sensitive data remains secure.

Encryption key management software also provides tools to protect the keys in storage and backup functionality to prevent data loss. Additionally, encryption key management software includes functionality to securely distribute keys to approved parties and enforce key sharing policies.

Certain general encryption software provides key management capabilities. Still, those solutions will only offer limited features for key management, distribution, and policy enforcement.

To qualify for inclusion in the Encryption Key Management category, a product must:

  • Provide compliance management capabilities for encryption keys
  • Include key storage and backup functionality
  • Enforce security policies related to key storage and distribution

A software key management approach can be used instead of an HSM based SaaS approach or a cloud KMS approach. Also, secrets management is an efficient approach to manage secrets, passphrases, etc.

For organizations who do not use advanced hardware for key management on-premises but want to ensure their cloud providers do not own and cannot be compelled to turn over keys to decrypt their data, software-based key management is suitable.

Advantages

  • Run the organization’s key management application in the cloud.
  • Lower cost than HSMs and full control of key services, rather than delegating them to your cloud provider
  • Can perform all core functions of an HSM -key generation, key storage, key rotation, and API interfaces to orchestrate encryption in the cloud

Disadvantages

  • Need to handle failover and replication yourself
  • Not compliant with regulatory requirements that specify FIPS-certified hardware
  • The approach is only suitable for IaaS, as there is a need to install and configure your servers to perform key management

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Hybrid KMS is a centralized management of accounts across all leading CSP’s with custom API‘s for integration and the ability to manage all encryption key lifecycle management activities from the central console.

Many organizations simply prefer to own and physically oversee their own HSMs, but they also seek the accessibility and convenience of the cloud. A hybrid model would contain a combination of on-premises HSMs and cloud HSMs to account for:

  • Scalability
  • Backup
  • Failover

This model is often used by organizations that have large on-premises HSM estates, but want to limit further investments in on-premises and want to tap into the scalability of the cloud. With a hybrid infrastructure, if an organization sees an unexpectedly high volume, cloud-based HSMs can seamlessly provide additional capacity, preventing slowdowns or outages. 

A few years ago, on-premises were the only option for key management. That has changed and organizations now have the option to move fully to the cloud or adopt a hybrid model. As organizations are considering these options, they can evaluate based on these parameters: 

  • FIPS 140-2 Level 3 compliance and PCI DSS standards.
  • Scalability
  • Compliance
  • High Availability
  • Integration
  • Resources
  • Cost

If an organization is facing scalability issues, interruptions, access failure, it might be time to extend their critical infrastructure beyond physical premises. Organizations have several options: moving to the cloud, renting rack space, or looking for hybrid options.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Multi-Cloud Key Management is the process of using a vendor solution to provide a centralized and secure key management system across multiple cloud environments. It does not much matter whether the customer’s application architecture uses a private cloud, a public cloud, a hybrid cloud, or is distributed across multiple clouds — the framework remains the same. They can choose to move ahead with a single CSP or multiple CSP depending on its cloud strategy.

Multi-cloud key management utilizes a single solution that can provide a secure and centralized approach to manage keys in multiple cloud environments. The solution provided by the vendors can achieve higher FIPS levels.

In terms of resources, multi-cloud key management tends to use fewer resources as all crypto key lifecycle management activities are centralized to one key location. This centralized location relieves the user from logging into multiple cloud environments instead of only focusing on a centralized location. It also removes any custom API to be built for the solution as everything will be provided by the vendor for the solution.

Multi-Cloud Key Management is best suited for environments that need to talk to each other to work flawlessly. If the organization has contracted with a single cloud service provider, then the native KMS encryption approach may be the best choice. However, the majority of enterprises contract with multiple cloud service providers. In a multi-cloud environment, the technical and economic benefits of the Cloud are diminished by the complexity of requiring a different encryption key management method for each cloud environment. A strategy to simplify key management without adding administrative complexity and a consistent, centralized, and secure means to manage encryption keys-ideally. One specifically designed for multi-cloud environments is the suggested choice – Hence the hybrid key management approach.

The following diagram depicts the Multi-Cloud key management solution. There is the centralized management of accounts across all leading CSPs with custom API for integration and managing all encryption key lifecycle management activities from the central console. This eliminates the requirement of separate logins for different cloud vendor solutions.

Features:

  • Organizations are leveraging third-party providers who offer multi-cloud solutions, enabling organizations to “Bring” your key and “manage” your keys.
  • Separate encryption keys from data encryption and decryption operations for compliance, thereby ensuring best security practices and control of your data.
  • Utilizes BYOK services to deliver key generation, separation of duties, reporting, and key lifecycle management that fulfill internal and industry data protection mandates, all with FIPS 140-2-certified secure key storage.
  • Keys are marked for automated key rotation on a per-cloud schedule.
  • Each cloud service login is authenticated and authorized by the service provider.
  • Choice of HSM depending on the requirement, i.e., using FIPS 140 level 4 vs. level 1 instead of using a standard native HSM, which does not provide a choice.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Silo Key Management is the process of using the KMS provided by the CSP to manage keys in a single cloud environment.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

A Master Key is a key, typically in an HSM, that encrypts all other keys within that HSM.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Table of Contents

Many organizations, from every sector, have been moving their on-premises IT infrastructures onto the Cloud. To utilize the Cloud, organizations must choose a Cloud Service Provider (CSP). The three biggest CSPs are Microsoft AzureGoogle Cloud Platform (GCP), and Amazon Web Services (AWS). Using Cloud Service Providers offer a variety of benefits, including opening organizations to a wider range of customers. When dealing with the Cloud, the CSP is in charge of security of the Cloud, while the user is responsible for the data in the Cloud. But what exactly is a Cloud Service Provider, and what do they do?

What is a CSP?

Cloud Service Providers offer cloud computing infrastructure as a service to developers and businesses, so they can save on computing costs and operate with a larger customer base, while managing less of their IT infrastructure. Cloud services offer a variety of options for organization’s IT infrastructures, including storing, processing, and analyzing of data, protecting data-at-rest and data-in-motion, and developer tools to create your own applications on the Cloud. CSPs offer these services at varying costs so organizations of any size can utilize their services. Services can be used on-demand, at set time periods, or dedicated hosts can be utilized for constant use. Even among the top three, Cloud Service Providers offer different options for data manipulation, so ensure you pick the right CSP for your requirements, as the infrastructures and APIs used by the Cloud Service Providers are also different.

Types of Cloud Services

There are three main types of Cloud Services:

  • Infrastructure as a Service (IaaS): IaaS offer services that would normally be on-premises. These services can be storage or networking options, servers, or another type of infrastructure service. These CSPs also tend to offer secondary services, like load balancing, logging, or security options, to complement their infrastructure options. All of these services are hosted by the Cloud Service Provider, and many are managed by the CSP as well.
  • Software as a Service (SaaS): The next type of Cloud Service, SaaS, provides software for productivity, customer relationship management, and software and human resources management to users. These software options are hosted over the Internet by the CSP. Many software vendors have been offering cloud-based software recently, as more organizations move to the Cloud for their online needs.
  • Platform as a Service (PaaS): Platform as a Service providers are the final type of Cloud Service, offer infrastructure and services for use by software developers. The platform offered can be used for various other functions as well, but software developers tend to utilize PaaS CSPs the most. Middleware and Operating Systems are just some of the examples of the options available for use in PaaS Cloud Service Providers.

Cloud Service are sometimes defined by the type of service they deliver: private, public, hybrid, or multi-cloud. Private clouds are kept within an organization’s walls, for use only by the organization who owns it. Public clouds offer a number of services, and are accessible across the Internet. The top 3 Cloud Service Providers are considered public clouds. A hybrid cloud utilizes the functions of both private and public clouds, combining the services of each for a better and more secure experience. A multi-cloud architecture uses any number of public, private, or hybrid clouds, that may or may not be connected together.

Why use a CSP?

There are a variety of reasons so many businesses are moving their services and infrastructure to the Cloud. CSPs offer a way to cut back on the cost of supporting a company’s infrastructure, while also managing many of the services for a company. This cuts back on the cost of human resources and man hours necessary to properly implement a secure and long-lasting infrastructure. Cloud Service Providers also offer rapid and simple deployment of applications and services, less time spent on marketing services, and potentially stronger compliance with the industry regulations and standards.

Cloud services can be used for many different purposes, including developing and deploying applications. With Cloud services, a wider customer base can be supported while incurring little to no cost. The Cloud can also be used as a Disaster Recovery solution as well. A backup of on-premises services and infrastructure can be created on the Cloud to be implemented if an on-premises data center were to suffer any outages. Another way the Cloud is used by many organizations is to comply with industry standards and regulations. Since so many different types of industries utilize Cloud Service Providers services, they must comply with the most common regulations seen by organizations, such as HIPAA or FIPS.

Encryption Consulting’s Services

Though learning everything you can do on the Cloud may seem daunting, Encryption Consulting offers a number of services and products to assist you with your use of Cloud services such as AWS or GCP. Our AWS Crypto Training trains you on how to efficiently use AWS Cloud Crypto services to stay secure in the AWS Cloud. This course focuses on industry standard best practices to secure data with AWS. We also offer a suite of utility functions that can be used on the Google Cloud Platform to encrypt data while migrating it to the Cloud, or while storing it within Google Cloud Storage Buckets. To learn more about Encryption Consulting’s services, visit our website.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Bring Your Own Key (BYOK) is an approach where the on prem keys are placed in a cloud service provider environment, enabling to use on prem keys with the native cloud key management services to encrypt and decrypt content. BYOK requires HSMs (either dedicated or offered as KMS service) but supports all cloud service models (SaaS, PaaS, and IaaS) so long as the cloud vendor offers key management service.

BYOK with Cloud KMS

Organizations can bring their own ‘master’ keys to the cloud, but the cloud provider uses data encryption keys derived from the master for actual encryption and decryption outside the HSMs. As the cloud vendor controls all the underlying hardware and software, they can choose if encryption is done in hardware or software services, while maintaining security of the derived encryption keys.

Advantages

  • No specialized skilled resources are required
  • Enables existing products that need keys to use cryptography
  • Provides centralized point to manage keys across heterogeneous products
  • Native integration with other services such as system administration, databases, storage and application development tools offered by the cloud provider

Disadvantages

  • Key exposure outside HSM
  • FIPS 140-2 Level 3 and above devices not available

BYOK with Cloud HSM

All encryption operations on the organization’s behalf are performed inside the HSM. The native cloud encryption service may satisfy requests on the organization’s behalf, so encryption and decryption are transparent, but key access and cryptographic operations are kept within the HSM.

Advantages

  • No Key exposure outside the HSM
  • FIPS advanced level (FIPS 140-2 Level 3 and above) complaint hardware-based devices meeting all regulatory requirements
  • Can perform all core functions of an on prem HSM -key generation, key storage, key rotation, and API interfaces to orchestrate encryption in the cloud
  • Designed for security
  • Dedicated hardware and software for security functions.

Disadvantages

  • Need specialized in-house resources to manage key and crypto lifecycle  activities
  • HSM based approaches are more cost intensive due to the dedicated hardware appliance that is made available
  • Performance overheads

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Payment Card Industry Data Security Standards (PCI DSS) are a set of security standards formed in 2004 to secure credit and debit card transactions against data theft and fraud. PCI DSS is a set of compliance methods, which are a requirement for any business.

Let’s suppose payment card data is stored, processed, or transmitted to a cloud environment. In that case, PCI DSS will apply to that environment and will involve validation of the CSP’s infrastructure, and the client’s usage of that environment.

PCI DSS Requirements:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied default for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across an open, public network
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk