key Archives | Encryption Consulting

Cloud Key Management Service Options, Education Center

Cloud Key Management Services: Advantages and Disadvantages

by Puneet

Posted on September 24, 2020Last updated on August 18, 2022

Services	Advantages	Disadvantages
Bring Your Own Encryption (BYOE)	The Bring Your Own Encryption (BYOE) concept is the desired trust model for organizations that require full control over access to their data regardless of where it is stored or processed. Regulated industries, such as financial services and healthcare, require keys to be segregated from the cloud Data Warehouse compute and storage infrastructure. BYOE enables organizations to comply with this requirement with encryption applied to the most sensitive columns, and dynamic masking or filtering access to other sensitive columns – achieving the optimal balance between data protection, compliance, analytics and usability of the data. Without exposing encryption keys or sensitive data to the cloud, BYOE enhances the security of data within all cloud services such as Database as a Service (DBaaS) environments, as data is always encrypted before being sent to the cloud.	There is an increased latency problem as any data element has to go through repeated cycles of encryption and decryption for utilization in cloud environments, thereby inducing latency related issues. As there are limited interfaces available, there is a requirement to build Custom API’s for integration with multiple cloud service providers, which might not be feasible for a small/medium sized organizations. As the organizations adopt a move to cloud approach, this approach puts increasing pressure on the on-premises infrastructure with respect to scaling, performance, etc.
Bring Your Own Key-Cloud HSM	No Key exposure outside the HSM. FIPS advanced level (FIPS 140-2 Level 3 and above) complaint hardware-based devices meeting all regulatory requirements. Can perform all core functions of an on-premises HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud. Designed for security. Dedicated hardware and software for security functions.	Need specialized, in-house resources to manage key and crypto lifecycle activities. HSM-based approaches are more cost intensive due to the use of a dedicated hardware appliance. Performance overheads.
Bring Your Own Key-Cloud KMS	No specialized skilled resources are required. Enables existing products that need keys to use cryptography. Provides a centralized point to manage keys across heterogeneous products. Native integration with other services such as system administration, databases, storage and application development tools offered by the cloud provider.	Key exposure outside HSM. FIPS 140-2 Level 3 and above devices not available.
Software Key Manage-ment	With this approach, service accounts, generic administrative accounts which may be assumed by one or more users, can access these secrets, but no one else.	Not compliant with regulatory requirements which specify FIPS-certified hardware.
Secret Management	Run the organizations own key management application in the cloud. Lower cost than HSMs and full control of key services, rather than delegating them to your cloud provider. Can perform all core functions of an HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud.	N/A

Tags:

advantages bring your own key BYOK. cloud cloud key management cloud key management services cloud-hsm cloud-kms disadvantages key key management key management services

Encryption Services

About the Author

Puneet

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Cloud Key Management Service Options, Education Center

What is Software Key Management?

by Puneet

Posted on September 24, 2020Last updated on August 18, 2022

Encryption key management software is used to handle the administration, distribution, and storage of encryption keys. Proper management will ensure encryption keys, and therefore the encryption and decryption of their sensitive information, are only accessible for approved parties. IT and security professionals use these solutions to ensure access to sensitive data remains secure.

Encryption key management software also provides tools to protect the keys in storage and backup functionality to prevent data loss. Additionally, encryption key management software includes functionality to securely distribute keys to approved parties and enforce key sharing policies.

Certain general encryption software provides key management capabilities. Still, those solutions will only offer limited features for key management, distribution, and policy enforcement.

To qualify for inclusion in the Encryption Key Management category, a product must:

Provide compliance management capabilities for encryption keys
Include key storage and backup functionality
Enforce security policies related to key storage and distribution

A software key management approach can be used instead of an HSM based SaaS approach or a cloud KMS approach. Also, secrets management is an efficient approach to manage secrets, passphrases, etc.

For organizations who do not use advanced hardware for key management on-premises but want to ensure their cloud providers do not own and cannot be compelled to turn over keys to decrypt their data, software-based key management is suitable.

Advantages

Run the organization’s key management application in the cloud.
Lower cost than HSMs and full control of key services, rather than delegating them to your cloud provider
Can perform all core functions of an HSM -key generation, key storage, key rotation, and API interfaces to orchestrate encryption in the cloud

Disadvantages

Need to handle failover and replication yourself
Not compliant with regulatory requirements that specify FIPS-certified hardware
The approach is only suitable for IaaS, as there is a need to install and configure your servers to perform key management

Tags:

AWS Azure cloud service provider GCP HSM key key management management software key software key management

Encryption Services

About the Author

Puneet

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Others