Best Practices for cloud computing encryption Key Management

Companies are moving more data to cloud computing than ever before, covering many different types of service patterns. As the sensitivity and importance of moving into cloud computing data grows, security experts are actively seeking to use cryptography to protect such data, and the technology they use is the technology that they have been using and trusted for years in their data centers. However, in some cases, this goal is not easy to implement, or you need to use a number of different methods and tools, especially for encryption key management.

In this article, we will explore some of the current situation of cloud encryption key Management today.

Cloud Key Management: what's different

The main difference between Enterprise data Center Key management and cloud Key management is the ownership and management of the key. In traditional data centers, all key management functions and tools are configured and maintained by an internal IT operations team. In the cloud computing environment, it is possible to adopt a key sharing mode or to be managed and maintained entirely by the supplier.

The Cloud Key management program depends largely on a number of factors. In some cases, the type of cloud service used will determine the type of available key management. IaaS Cloud Computing maintains internal key management for digitally signed virtual machine mirroring templates. Use public Key Infrastructure (PKI) for API command signing and authorization to access virtual machine mirroring. Private keys in this structure need to be maintained by cloud computing consumers, and such keys can be stored within the traditional key management platform.

For PAAs and SaaS cloud computing service patterns, most key management functions are managed internally by cloud computing vendors, while private keys for accessing applications and systems can be assigned to consumers to facilitate access to cloud computing resources such as data, applications, or databases. In public key deployment, key management and security are shared, that is, the control of the key distribution to consumers lies in the consumers themselves. All other key management responsibilities are primarily borne by vendors.

For mixed cloud computing, Key management is also likely to be shared, while private cloud computing is typically equipped with key management tools and programs in an internal network environment.

Cloud Key Management: What questions should be asked to the vendor

For cloud computing services that require vendor management encryption Key management, what questions should enterprise users ask the vendor about key management security procedures and control measures?

First, the service provider should clarify the tools and product types they use to hold the key. The most important key management infrastructure includes a hardware security module, or HSM, which allows dedicated storage devices to perform encryption and decryption operations with High-performance key access.

Second, businesses need to ask cloud-computing providers who and how the key is accessed. In theory, key management should not be entirely controlled by a single person, and any key access should be managed by two or more trusted members of the internal team, and in-depth audit credentials should also be established.

The enterprise should also ask the vendor how to recover the key. Currently, many vendors do not allow the private key to be restored under the control of the customer, but if they allow it in the future, they should strictly control the program involved in the recovery key and the approval of the client's request to restore the private key.

Finally, if a service provider database or application access requires multiple key accesses, you should ask the vendor how to maintain control measures and the distribution of each key, and how they ensure that the key is created, managed, updated, or destroyed correctly.

In an ideal multi-tenant environment, each group has a separate key that is managed together. However, many vendors use schemas that involve multiple keys (one or more per tenant), and then have an "access key" to a resource inside. In this case, any master key or access key management should be tightly controlled and logged with any access and detailed audit credentials associated with those keys. Any shared key access has a greater risk, especially if the key is compromised in any way.

Cloud Key Management: Emerging Technologies

Recently, NIST published an internal white paper on cloud Key management, which deals with the potential risk of key management and the details of the architecture solution for different cloud computing service patterns. Many new products and services are emerging on the market to facilitate the implementation of more secure key management in cloud computing.

Amazon Network Services recently released its CLOUDHSM service, which allows enterprise users to make full use of their dedicated hardware facilities in their cloud computing environment. Porticor is another provider of key management services, which employs a split key and homomorphic encryption technology that enables the system to perform mathematical operations on encrypted data.

Currently, cloud computing encryption Key management challenges remain a major barrier to storing sensitive data in a cloud-computing vendor environment. However, cloud computing providers and consumers have begun to address this problem, and it is conceivable that key management will be a key area of cloud computing security for some time to come. The storage of sensitive data in cloud computing is bound to be easier to implement over time as authoritative group opinions and sophisticated supplier products and services continue to emerge.