Cloud Security Alliance Releases Key Management in Cloud Services: Understanding Encryption’s Desired Outcomes and Limitations
November 11, 2020

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released Key Management in Cloud Services: Understanding Encryption’s Desired Outcomes and Limitations, which examines both the uses and misconceptions of key management systems (KMS), which are used to manage cryptographic keys and their metadata. This guidance provides recommendations for using KMS in conjunction with cloud services to aid in meeting security and compliance requirements. It also makes suggestions for cloud service providers that provide key management functionality to customers.
“KMS is a means to an end, not an end in itself. While the capabilities it enables are tools that must serve business needs, it’s imperative that we also recognize that KMS and encryption cannot address all business requirements,” said Paul Rich, co-chair of the Cloud Key Management working group and one of the paper’s lead authors. “Misconceptions about the capabilities of encryption persist, and regulatory requirements for key management and encryption are commonly unclear, undefined, or poorly understood. It’s critical, therefore, that we not only understand the desired business outcomes of using encryption to protect data, but its limitations, as well.”
Increasingly, organizations are realizing the many advantages that come from the cloud, including technological agility, elastic scale, speed to market, and lowered capital expenditures. Despite the benefits, cloud services also present challenges, particularly in terms of data privacy and security. While encryption, as a technology, is used for secrecy and privacy in the transmission and storage of data, it is not the only technology used for this purpose, and there are many cases where the use of encryption is pointless and costly and provides only a false sense of security. Once encryption is established as a required or recommended piece of a technology architecture, it is crucial to understand the dynamics of encryption key generation, distribution, handling, and destruction.
Written by CSA’s Cloud Key Management working group, the document examines the four primary cloud key management patterns that have emerged over the past decade, providing a snapshot of their attributes and challenges, as well as usage recommendations for:
- Cloud Native Key Management System. Here, KMS is built and owned by the same provider that delivers the cloud service the customer consumes, and all components of the KMS are in the cloud.
- External Key Origination. This pattern builds upon the Cloud Native model above, allowing for key generation ceremonies that originate with an external KMS.
- Cloud Service Using External Key Management System. The use of a cloud service where the KMS is hosted entirely external to the cloud service, either wholly on the customer’s premises, wholly hosted by a third party chosen by the customer, or a combination of the two.
- Multi-Cloud Key Management Systems. This pattern illustrates the ability to blend approaches for KMS implementations and cloud services.
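To make the first two patterns concrete, here is an added example (not code from the CSA paper or the working group) that models a minimal envelope-encryption flow against a hypothetical `KeyManagementService` class: the Cloud Native pattern has the provider generate the key-encryption key (KEK) in-cloud, while External Key Origination has the customer generate the KEK elsewhere and import it. Per-object data-encryption keys (DEKs) are wrapped under the KEK, and destroying the KEK shows the "destruction" step of the lifecycle, since every DEK wrapped under it becomes unrecoverable unless the customer still holds the original material. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; it stands in for a real AEAD or an HSM-backed key wrap. All names and sample plaintexts are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 12
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.
    Stand-in for AES-GCM so the example runs on the standard library alone."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)


class KeyManagementService:
    """Hypothetical KMS: holds key-encryption keys (KEKs) by id and wraps/unwraps DEKs."""

    def __init__(self, name: str):
        self.name = name
        self._keks = {}

    def create_key(self, key_id: str) -> str:
        """Cloud Native pattern: the provider generates the KEK inside the cloud."""
        self._keks[key_id] = secrets.token_bytes(32)
        return key_id

    def import_key(self, key_id: str, material: bytes) -> str:
        """External Key Origination: KEK generated in the customer's own KMS, imported here."""
        if len(material) != 32:
            raise ValueError("KEK must be 32 bytes")
        self._keks[key_id] = material
        return key_id

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        return seal(self._kek(key_id), dek)

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        return unseal(self._kek(key_id), wrapped)

    def destroy_key(self, key_id: str) -> None:
        """Key destruction: without the KEK, every DEK wrapped under it is unrecoverable."""
        self._keks.pop(key_id, None)

    def _kek(self, key_id: str) -> bytes:
        try:
            return self._keks[key_id]
        except KeyError:
            raise KeyError(f"KEK {key_id!r} is destroyed or unknown") from None


@dataclass
class EnvelopeRecord:
    key_id: str         # which KEK the DEK is wrapped under
    wrapped_dek: bytes  # DEK encrypted by the KMS; stored beside the data
    ciphertext: bytes   # data encrypted under the DEK


def encrypt_record(kms: KeyManagementService, key_id: str, plaintext: bytes) -> EnvelopeRecord:
    dek = secrets.token_bytes(32)  # fresh DEK per object, never reused across records
    return EnvelopeRecord(key_id, kms.wrap(key_id, dek), seal(dek, plaintext))


def decrypt_record(kms: KeyManagementService, rec: EnvelopeRecord) -> bytes:
    dek = kms.unwrap(rec.key_id, rec.wrapped_dek)
    return unseal(dek, rec.ciphertext)


def demo() -> dict:
    """Walk both patterns through generation, use, destruction and re-import."""
    cloud_kms = KeyManagementService("provider-kms")
    cloud_kms.create_key("native-kek")
    customer_kek = secrets.token_bytes(32)  # constructed: generated in the customer's own KMS
    cloud_kms.import_key("byok-kek", customer_kek)

    rec_native = encrypt_record(cloud_kms, "native-kek", b"customer record A")
    rec_byok = encrypt_record(cloud_kms, "byok-kek", b"customer record B")
    results = {
        "native_roundtrip": decrypt_record(cloud_kms, rec_native) == b"customer record A",
        "byok_roundtrip": decrypt_record(cloud_kms, rec_byok) == b"customer record B",
    }
    # The customer revokes the imported KEK: the provider can no longer unwrap DEKs under it.
    cloud_kms.destroy_key("byok-kek")
    try:
        decrypt_record(cloud_kms, rec_byok)
        results["byok_readable_after_destroy"] = True
    except KeyError:
        results["byok_readable_after_destroy"] = False
    # Only because the customer still holds the material can the data be recovered.
    cloud_kms.import_key("byok-kek", customer_kek)
    results["byok_recovered_after_reimport"] = decrypt_record(cloud_kms, rec_byok) == b"customer record B"
    # A modified stored object fails tag verification instead of decrypting to garbage.
    flipped = bytes([rec_native.ciphertext[0] ^ 1]) + rec_native.ciphertext[1:]
    try:
        decrypt_record(cloud_kms, EnvelopeRecord(rec_native.key_id, rec_native.wrapped_dek, flipped))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results
```

The point the demo makes is the one the patterns differ on: under the Cloud Native pattern, destroying the KEK is final for everyone, whereas under External Key Origination the customer alone decides whether the provider can ever unwrap the data again, which is also why the imported material must be protected as carefully as the cloud copy.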
“Understanding the organization’s obligations and goals for data privacy and security should be the precursor to any technological solution or implementation, and that includes the use of encryption. A great deal of human energy and time has been wasted implementing encryption, where the outcome failed to deliver the expected data privacy or security. Establishing clear business and data privacy and security expectations can prevent some unpleasant outcomes,” said Mike Schrock, Senior Director Global Business Development – Cloud Strategy for the Thales Group, lead author and co-chair of the Cloud Key Management working group.
The Cloud Key Management Working Group aims to facilitate the standards for seamless integration between cloud service providers and key broker services. Companies and individuals interested in learning more or joining the group can visit the Working Group Join page.