Cloud Key Management

Retain Control of your Encryption Keys on the Cloud

Want to centralize and simplify key management functions across multiple clouds, while retaining
control over your data and encryption keys?

Register for our webinar with Encryption Consulting

What You Need to Know About Multi-Cloud Key Management

  • on Wednesday, October 28
  • at 11:00 a.m. CT.

Register Now

What questions should you ask of your cloud provider?

What are critical architectural factors for
implementing cloud key management?

Public cloud vendors, including AWS, Google Cloud Platform, and Microsoft Azure, have their own solutions for encryption key management. While this establishes a high degree of security, organizations lose control over the keys.

Enter BYOK. The industry is trending toward giving customers more control over their cryptographic keys. All of the major cloud vendors now support Bring Your Own Key (BYOK), so that organizations can maintain control over the keys used for their data and applications, giving them greater data portability and flexibility. The ability to shift from one cloud provider to another — or to use multiple cloud providers at once — gives organizations options, especially when it comes to managing workloads, handling spikes and surges, and providing disaster recovery, not to mention satisfying audit requirements involving backup or redundancy capabilities.

BYOK allows organizations to encrypt data inside cloud services with their own keys, which are imported into and maintained within the cloud provider’s vault, while still leveraging the cloud provider’s native encryption services to protect their data. A win-win.

Keys are generated, escrowed, rotated, and retired in an on-premises or cloud hardware security module (HSM). A best practice is to use a FIPS 140-2 Level 3 HSM, which more fully addresses compliance and reporting requirements.

While BYOK offers increased control, it also comes with additional key management responsibilities, and these are magnified in multi-cloud environments. Every cloud provider has its own set of APIs and its own cryptographic methods for transporting keys. Fundamentally, the processes, procedures and methods for managing keys differ completely across clouds, not just at the API level but in architecture and process as well, with each cloud requiring its own key management techniques.
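The key transport step described above, as an added example that is not code from Futurex, Encryption Consulting, or any cloud provider's SDK: the customer wraps HSM-generated key material under a wrapping public key published by the provider, using RSAES-OAEP with SHA-256 (a method cloud import APIs commonly accept; whether a particular provider accepts exactly this combination is an assumption to check against its documentation), and the provider unwraps it inside its own boundary. The `Provider` type, the key IDs `cmk-byok-1` and `cmk-byok-2`, and the in-memory private key are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Provider stands in for a cloud KMS import endpoint (constructed for this example).
// In a real BYOK flow the private half of the wrapping key never leaves the
// provider's HSM; here it sits in memory so the exchange can run offline.
type Provider struct {
	wrappingKey *rsa.PrivateKey
	imported    map[string][]byte // key ID -> key material now held by the provider
}

func NewProvider() (*Provider, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Provider{wrappingKey: priv, imported: map[string][]byte{}}, nil
}

// WrappingPublicKey is what the provider hands the customer for one import
// (real services deliver it DER- or PEM-encoded; that framing is omitted here).
func (p *Provider) WrappingPublicKey() *rsa.PublicKey { return &p.wrappingKey.PublicKey }

// ImportWrapped unwraps the material inside the provider boundary. OAEP decoding
// rejects any blob altered in transit, and the length check rejects wrong key sizes.
func (p *Provider) ImportWrapped(keyID string, wrapped []byte) error {
	material, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.wrappingKey, wrapped, nil)
	if err != nil {
		return err
	}
	if len(material) != 32 {
		return fmt.Errorf("expected 32 bytes of key material, got %d", len(material))
	}
	p.imported[keyID] = material
	return nil
}

// WrapForProvider (customer side) encrypts HSM-generated key material under the
// provider's public key with RSAES-OAEP/SHA-256, so only that provider can recover it.
func WrapForProvider(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

// RoundTrip runs the exchange end to end and reports whether the provider holds
// exactly the customer's material and whether a blob corrupted in transit is rejected.
func RoundTrip() (imported, tamperRejected bool, err error) {
	provider, err := NewProvider()
	if err != nil {
		return false, false, err
	}
	material := make([]byte, 32) // stands in for a key generated inside the customer's HSM
	if _, err := rand.Read(material); err != nil {
		return false, false, err
	}
	wrapped, err := WrapForProvider(provider.WrappingPublicKey(), material)
	if err != nil {
		return false, false, err
	}
	if err := provider.ImportWrapped("cmk-byok-1", wrapped); err != nil {
		return false, false, err
	}
	imported = bytes.Equal(provider.imported["cmk-byok-1"], material)
	tampered := append([]byte{}, wrapped...)
	tampered[len(tampered)/2] ^= 0x01 // one flipped bit in transit
	tamperRejected = provider.ImportWrapped("cmk-byok-2", tampered) != nil
	return imported, tamperRejected, nil
}

func main() {
	imported, rejected, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Println("imported intact:", imported, "tampered blob rejected:", rejected)
}
```

The point to take from the round trip is where the trust boundary sits: the raw key material exists in the clear only inside the customer's generator and, after unwrapping, inside the provider's boundary; everything in between is an OAEP blob that fails to decode if it is modified, which is why the import step can safely travel over ordinary API calls.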

What are best practices for multi-cloud ecosystems?

What are prerequisites for BYOK?

Register for our webinar, What You Need to Know About Multi-Cloud Key Management, to learn about key rotation best practices and how to manage the cryptographic key lifecycle.

Join us — Encryption Consulting and Futurex

  • on Wednesday, October 28
  • at 11:00 a.m. CT.

Register Now

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Adam Cason is VP of Global and Strategic Alliances at Futurex, where he manages Futurex’s channel, OEM, and technology partner ecosystem. He has a strong technical background and deep knowledge of hardware security modules, cloud security, key management, and enterprise cryptographic ecosystems.

Hardware Security Module

HSMs – Key Management

What is a Hardware Security Module (HSM)?

A hardware security module (HSM) is a physical computing device that safeguards digital keys and provides strong authentication and cryptographic processing around their use. Within an isolated, tamper-proof environment, these devices are built to create and secure cryptographic keys, protect critical cryptographic operations, and enforce the policies that govern how those keys may be used. HSMs come in various forms: PCIe cards, USB tokens, and network-attached appliances are all common.

The Rise of Hardware Security Modules

Organizations have begun realizing the importance of HSMs. The global deployment rate of these devices has risen from 26% in 2012 to 41% in 2017 according to the 2018 Global Encryption Trends Ponemon Institute Research Report. With technology’s ever-changing environment, organizations must keep up to be successful. These changes can lead an organization down two paths. One may lead to growth and prosperity, but the other may lead to destruction and despair.

Growing Concerns:

  • Cyber-Warfare
  • Data Privacy Regulations
  • Mobile Payments
  • Internet of Things

Organizations in every industry are affected by how they manage their data, whether through encryption or key management. HSMs can offer organizations the highest level of security.

Securing Data using Hardware Security Modules

Hardware security modules boast many impressive features and administrative functions:

  • Generate encryption keys
  • Store keys
  • Process cryptographic operations
  • Restrict access to authorized users only
  • Federal Information Processing Standard (FIPS) 140-2 Level 3 or 4 validation

For key generation, an HSM uses a true entropy-driven, hardware-based random number generator, usually built to comply with class PTG.2 of the BSI specifications AIS 20 and AIS 31, whose output seeds a deterministic random bit generator (DRBG) such as Hash_DRBG from NIST SP 800-90A. Secure private and secret keys can only be generated from data returned by such DRBGs.

Across every stage of the key lifecycle (creation, import, usage, rotation, destruction, and auditing), the HSM keeps encryption keys protected so that data is never exposed. Once keys are created and stored in the HSM, access is granted only through a combination of key cards and passphrases: most HSMs support multi-factor authentication and can require access under the “four-eyes” principle, where two authorized people must be present.

Risks of Software-only Cryptography

For those who choose to bypass HSMs, software-only cryptography is the next option. However, those choosing software-only cryptography must understand the risks that come with this decision.

The two types of attacks on software-only cryptography:

Logical attacks – mainly an attack on the main memory or disks of servers to locate the cryptographic keys

  • Keys are vulnerable while staged in server memory
  • Core data dumps
  • Keys accessible by passphrase

Physical attacks – the removal and scanning of old hard drives or memory

  • Technicians have forcibly removed and frozen hardware to locate cryptographic keys

How does an HSM protect against these two threat vectors? The protected secrets never exist outside the HSM, and inside the HSM they exist ‘in the clear’ only during use and only within protected RAM (CPU cache memory, with the code itself also running from cache). Any data at rest on the device is AES-256 encrypted. FIPS 140-2 Level 3 and higher HSMs react to environmental changes such as temperature (higher or lower than normal) and changes in the electrical feed (over- or under-voltage), and Level 4 HSMs extend this protection to the physical enclosure and will erase themselves if the HSM hardware is damaged.

Security Compliance & Regulations

While organizations face many different drivers to encrypt data, fifty-five percent of organizations say compliance with privacy and data security requirements is their top driver, according to the 2018 Global Encryption Trends Ponemon Institute Research Report. Countries around the world are beginning to set standards for privacy for organizations handling sensitive information. Those who ignore these regulations and laws will be at the mercy of hefty fines.

Major Global Regulations:

Major United States Regulations:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH)
  • The Payment Card Industry Data Security Standard (PCI-DSS)

The Future of Hardware Security Modules

In today’s environment, organizations must adapt to the new digital world. By deploying HSMs, organizations will be laying out the foundation for enterprise encryption and key management. Your cryptographic keys and digital identity will have maximum security. Whether dealing with Public Key Infrastructure (PKI), Document Signing, Code Signing, Key Injection, or Database Encryption, HSMs will provide the utmost security with respect to cryptographic keys now, and in the future.


About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.


Common Encryption Challenges

Data protection is now one of the most critical, and perhaps the number one, priority for organizations. With data breaches at an all-time high and new regulations such as GDPR and others like it coming into force, organizations are now focusing on a data-centric security approach. Encryption is one of the oldest yet most effective technology solutions that can enable organizations to achieve data-centric security.

The two main drivers for encryption are:

Risk Reduction

  • Big Data Lakes
  • Cloud Platforms
  • Analytics involving sensitive data

The journey of encrypting data follows a thorough process that consists of:

  • Classification
  • Discovery
  • Protection
  • Enforcement
  • Monitoring

While encryption has been in use for centuries, its application depends on the context of the information being processed and the relevant business requirement. So while it may sound easy, encryption has its own set of challenges that should be addressed while designing an encryption solution. At Encryption Consulting we understand these challenges.

1. Data Discovery:

The first and foremost action for an organization is to locate the sensitive and critical data that requires encryption, which is achieved through data discovery and assessment.

Manual Approach

  • Discussing with business stakeholders and Data custodians

Tool Based

  • Selecting and deploying Data discovery tools for structured, unstructured, and semi-structured data stores

2. Key Management: Cloud or On-Premise

Key management is one of the most critical components of encryption. It is very important to carefully identify and design the approach best suited to your needs.

Key Security

  • Ensuring keys are secure and constantly protected
  • Not allowing cloud administrators access to the keys

Controlling keys as the Customer

  • If a customer deletes its key, the data encrypted under it is effectively removed as well
  • Maintaining on-premise control of the key

Confinement of Key

  • Utmost dedication to the key management platform
  • Never allowing key swaps

Key Rotation

  • Avoid over-use of a single key, which creates exposure
  • Re-keying data under a newly created key
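The key rotation and customer-control points above, as an added example that is not Encryption Consulting's code: an envelope-encryption store in Go where each row gets its own data key, the data keys are wrapped under a key-encryption key (KEK), rotating the KEK re-wraps only the data keys, and deleting the KEK makes every row unrecoverable (the "delete the key and the data is gone" behaviour). The `Store` and `Record` types and the in-memory KEK are constructed for the demonstration; in production the KEK stays inside an HSM or KMS and only the wrap and unwrap calls cross into the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing crypto/rand is not something the application can recover from
	}
	return b
}

// aead builds AES-256-GCM; every key in this example is 32 random bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal and open are AES-GCM with the random nonce prefixed to the ciphertext.
func seal(key, pt []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Record is a stored row: its own data key wrapped by the KEK, plus the value sealed under that data key.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Store holds the one live key-encryption key; in production it sits in an HSM or KMS.
type Store struct {
	kek     []byte
	records []Record
}

func NewStore() *Store { return &Store{kek: randBytes(32)} }

// Put gives each row its own data key; the KEK only ever wraps 32-byte keys, never bulk data.
func (s *Store) Put(value string) error {
	if s.kek == nil {
		return errors.New("no live KEK: the store has been shredded")
	}
	dek := randBytes(32)
	s.records = append(s.records, Record{WrappedDEK: seal(s.kek, dek), Ciphertext: seal(dek, []byte(value))})
	return nil
}

// Decrypt unwraps the row's data key under the live KEK, then the value. Once the
// KEK is deleted (Shred), every row is unrecoverable without rewriting any data.
func (s *Store) Decrypt(r Record) (string, error) {
	if s.kek == nil {
		return "", errors.New("KEK deleted: row is cryptographically shredded")
	}
	dek, err := open(s.kek, r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.Ciphertext)
	return string(pt), err
}

// RotateKEK re-wraps every data key under a fresh KEK and retires the old one. The bulk
// ciphertexts are untouched, and the new state is committed only after every row re-wrapped.
func (s *Store) RotateKEK() error {
	if s.kek == nil {
		return errors.New("no live KEK to rotate")
	}
	newKEK := randBytes(32)
	rewrapped := make([]Record, 0, len(s.records))
	for _, r := range s.records {
		dek, err := open(s.kek, r.WrappedDEK)
		if err != nil {
			return err
		}
		rewrapped = append(rewrapped, Record{WrappedDEK: seal(newKEK, dek), Ciphertext: r.Ciphertext})
	}
	s.kek, s.records = newKEK, rewrapped
	return nil
}

func (s *Store) Shred() { s.kek = nil }
```

Rotation here is a pass over 32-byte wrapped keys rather than over the ciphertexts, and shredding is a single deletion; both follow directly from keeping the KEK out of the bulk-encryption path, which is the property the "re-keying" and "delete the key" bullets depend on.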

3. Querying Encrypted Data:

Quite often it is required to search and index encrypted data stored on-premise or in the cloud. This is a big concern for organizations, since it may involve decrypting the data frequently and thus increases the opportunity for an attacker to access decrypted data. Additionally, frequent decryption can increase system resource requirements and processing time.
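One way to search encrypted data without decrypting it, added here as an example rather than something the article describes: a blind index, an HMAC of the normalized value under a dedicated index key, stored beside the ciphertext and compared for equality by the database. The `Indexer` and `Table` types, the row ids and the sample addresses are constructed; the encrypted field itself is assumed to be stored in the row by the application's encryption layer and is never read during a lookup.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strings"
	"unicode"
)

// Indexer derives blind indexes for one field with a key dedicated to that
// purpose. The key is separate from any encryption key: someone who obtains it
// can test guesses against the index, but still cannot decrypt the field.
type Indexer struct {
	key []byte
}

// normalize makes the index tolerant of the cosmetic differences users produce
// (case, surrounding and internal whitespace) before the value is hashed.
func normalize(value string) string {
	fields := strings.FieldsFunc(strings.ToLower(value), unicode.IsSpace)
	return strings.Join(fields, " ")
}

// BlindIndex is HMAC-SHA256 over the normalized value. Equal inputs give equal
// indexes, so the database can compare them, but the index reveals nothing about
// the value to anyone without the key, and it supports neither prefix nor range queries.
func (ix Indexer) BlindIndex(value string) string {
	mac := hmac.New(sha256.New, ix.key)
	mac.Write([]byte(normalize(value)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Table models the index column: blind index -> ids of rows whose encrypted
// field carries that value. The ciphertext lives in the row and is never
// consulted during a lookup.
type Table struct {
	ix   Indexer
	rows map[string][]int
}

func NewTable(indexKey []byte) *Table {
	return &Table{ix: Indexer{key: indexKey}, rows: map[string][]int{}}
}

// Insert records the index for a row; the caller stores the ciphertext separately.
func (t *Table) Insert(rowID int, value string) {
	idx := t.ix.BlindIndex(value)
	t.rows[idx] = append(t.rows[idx], rowID)
}

// Lookup answers an equality query without decrypting anything.
func (t *Table) Lookup(value string) []int {
	return t.rows[t.ix.BlindIndex(value)]
}
```

The index supports only equality: a prefix such as `alice@` produces an unrelated HMAC, and a copy of the index table without the index key yields no values, only the ability to test guesses. Two consequences shape the design: the index key must be managed separately from the encryption keys, and low-entropy fields still reveal which rows share a value, which is the leakage a practitioner weighs against the cost of decrypting rows to search them.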

4. Performance Overhead

Whenever data is encrypted, a performance overhead is associated with encryption. The amount of data encrypted may cause a slowdown for systems.

5. Encryption Algorithm and Key Length

Another important aspect of encryption is the selection of the encryption algorithm and key length. While selecting a longer key length can enhance security and reduce the risk of key compromise, it can also affect performance, as a longer key consumes more resources and time. Thus a careful understanding of throughput and business needs should inform the selection of the encryption algorithm and key length.

6. Challenges of Encryption Program Management:

When deciding which type of encryption is best for your organization, the challenges organizations face with encryption program management are:

  • Meeting set requirements and compliance obligations
  • Assessing the products and vendors available
  • Confirming the product or vendor

  • Creating and tuning a secure environment
  • Planning for system integration

  • Setting formal policies
  • Formatting of data
  • Conducting performance tests
  • Launching the application

We at Encryption Consulting can help our customers plan and design the most suitable encryption option for securing their data, wherever it is stored, without compromising business performance or user experience.

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.
