For cloud-computing key management services, the following two approaches are the most widely used:
- Remote key management service: Here the customer maintains the key management service (KMS) on premises. Ideally, the customer owns, operates, and maintains the KMS, so that the customer retains control over the confidentiality of its information while the cloud provider concentrates on hosting, processing, and availability of services. Note that hybrid connectivity between the cloud provider and the cloud customer is required for encryption and decryption to function.
- Client-side key management: Like the remote key management approach above, client-side key management aims to put the customer or cloud user in complete control of the encryption and decryption keys. The key difference is that most of the processing and control is done on the customer side. The cloud provider supplies the KMS; however, the KMS resides on the customer’s premises, where keys are generated, held, and retained by the customer. Note that this approach is typically used for SaaS environments and cloud deployments.
Key Management Considerations
Considerations when planning key management include:
- Random number generation should be conducted as a trusted process.
- Throughout the lifecycle, cryptographic keys should never be transmitted in the clear and should always remain in a “trusted” environment.
- When considering key escrow or key management “as a service,” plan carefully and take into account all relevant laws, regulations, and jurisdictional requirements.
- Losing access to the encryption keys means losing access to the data. Keep this in mind when weighing confidentiality threats against availability threats.
- Where possible, key management functions should be conducted separately from the cloud service provider to enforce separation of duties.
Key Storage in the Cloud
Key storage in the cloud is typically implemented using one or more of the following approaches:
- Internally managed: In this method, the keys are stored on the virtual machine or application component that also acts as the encryption engine. This type of key management is usually used for storage-level encryption, internal database encryption, or backup application encryption. It can help mitigate the risks associated with lost media.
- Externally managed: In this method, keys are kept separate from the encryption engine and the data. They can be on the same cloud platform, managed internally within the organization, or on a different cloud. The keys themselves can be stored on a separate instance hardened specifically for this task or in a hardware security module (HSM). When implementing external key storage, consider how the key management system integrates with the encryption engine and how the entire key lifecycle, from creation through retirement, is managed.
- Managed by a third party: Key escrow services are provided by a trusted third party. Key management providers use purpose-built secure infrastructure and integration services for key management. Any third-party key storage provider the organization contracts must be evaluated to ensure that the risks of allowing a third party to hold encryption keys are well understood and documented.
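To make the externally managed storage model and the lifecycle considerations above concrete, here is an added example in Go that is not part of the original article and not any provider’s code. It implements envelope encryption: the encryption engine generates a fresh data-encryption key (DEK) per object, a separate key management component holding a key-encryption key (KEK) wraps that DEK, and only the wrapped DEK is persisted alongside the ciphertext. The `ExternalKMS` type, its `WrapKey`, `UnwrapKey` and `Retire` methods, the `Envelope` type and the sample object are assumptions made for the illustration. Keys and nonces come from `crypto/rand` (the trusted random number generation the considerations call for), the plaintext DEK is never stored or sent, and the `Retire` step shows that losing the key service means losing the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (crypto/rand, never math/rand);
// a failing CSPRNG is unrecoverable, so stop rather than continue with weak keys.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return b
}

// ExternalKMS is a hypothetical key service holding the key-encryption key (KEK)
// outside the encryption engine, as a hardened instance or an HSM would.
type ExternalKMS struct{ kek []byte } // the KEK is never handed to callers

func NewExternalKMS() *ExternalKMS { return &ExternalKMS{kek: randomBytes(32)} }

// Retire destroys the KEK (loss of the key service); aes.NewCipher rejects the
// empty key, so every wrap and unwrap fails from then on.
func (k *ExternalKMS) Retire() { k.kek = nil }

// WrapKey encrypts a data-encryption key (DEK) under the KEK; only this wrapped
// form is ever stored or sent over the network.
func (k *ExternalKMS) WrapKey(dek []byte) ([]byte, error) {
	return aeadSeal(k.kek, dek, []byte("dek-wrap"))
}

// UnwrapKey recovers a DEK for the encryption engine.
func (k *ExternalKMS) UnwrapKey(wrapped []byte) ([]byte, error) {
	return aeadOpen(k.kek, wrapped, []byte("dek-wrap"))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal returns nonce || AES-256-GCM ciphertext || tag, with aad bound to the tag.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; a wrong key, altered blob or wrong aad fails the tag.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is what the encryption engine persists: ciphertext plus wrapped DEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// EncryptObject generates a fresh DEK per object, encrypts the data with it
// (objectID as AAD), has the KMS wrap the DEK, then scrubs the plaintext DEK.
func EncryptObject(kms *ExternalKMS, objectID string, plaintext []byte) (Envelope, error) {
	dek := randomBytes(32)
	ct, err := aeadSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := kms.WrapKey(dek)
	copy(dek, make([]byte, len(dek))) // best-effort zeroing of the plaintext DEK
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptObject needs the KMS to unwrap the DEK; without it the data is unrecoverable.
func DecryptObject(kms *ExternalKMS, objectID string, env Envelope) ([]byte, error) {
	dek, err := kms.UnwrapKey(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot recover DEK: %w", err)
	}
	return aeadOpen(dek, env.Ciphertext, []byte(objectID))
}

func main() {
	kms := NewExternalKMS()
	env, _ := EncryptObject(kms, "customer-record-42", []byte("constructed sample record"))
	pt, _ := DecryptObject(kms, "customer-record-42", env)
	kms.Retire() // key service gone: the stored envelope is now unrecoverable
	_, err := DecryptObject(kms, "customer-record-42", env)
	fmt.Printf("with KMS: %q; after KEK loss: %v\n", pt, err)
}
```

The KEK never leaves the `ExternalKMS` value, which stands in for the hardened instance or HSM of the externally managed model; in a real deployment the engine and the key service would be separate processes, ideally operated by different parties for separation of duties, so these method calls would become authenticated requests over the hybrid connection mentioned earlier. Binding the object identifier as associated data means a wrapped DEK and ciphertext copied to another object fail to decrypt, and the `Retire` path is the availability trade-off from the considerations list made visible: once the KEK is gone, the ciphertext is just bytes.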