Best practices for cloud computing encryption key management

Best practices for cloud computing encryption key management

Enterprises are moving more data to cloud computing than ever before, covering a variety of different service modes. With the increasing sensitivity and importance of migrating to cloud computing data, security experts are actively seeking to use encryption technology to protect such data, the technology they use is exactly the technology they have been using and trusting in their data centers for years. However, in some cases, this goal is not easy to implement, or different methods and tools are required, especially for encryption key management.

In this article, we will discuss the situation of cloud computing encryption key management today.

Cloud computing Key Management: what are the differences?

The main difference between enterprise data center key management and cloud computing key management lies in the ownership and management of keys. In traditional data centers, all key management functions and tools are configured and maintained by an internal IT Operation Team. In the cloud computing environment, it is possible to adopt a key sharing mode or be completely managed and maintained by the supplier.

The cloud computing Key Management Program depends largely on a number of factors. In some cases, the type of the cloud computing service used determines the type of available key management. IaaS cloud computing provides a digital signature virtual machine image template to maintain internal key management. Use public key infrastructure (PKI) for API command signature and authorized access to Virtual Machine images. Private keys in this structure need to be maintained by cloud computing consumers. Such keys can be stored in the traditional key management platform.

For PaaS and SaaS cloud computing service models, most key management functions are managed internally by cloud computing vendors, the private keys used to access applications and systems can be allocated to consumers for convenient access to cloud computing resources such as data, applications, and databases. In public key deployment, key management and security are shared, that is, the control of keys distributed to consumers lies in the consumers themselves. All other key management responsibilities are primarily borne by the supplier.

For hybrid cloud computing, key management is also likely to be shared, while private cloud computing is usually equipped with key management tools and programs in the internal network environment.

Cloud computing Key Management: questions to be asked to suppliers

For cloud computing services that require suppliers to manage encryption key management, which of the following questions should enterprise users ask suppliers about key management security procedures and control measures?

First, service providers should clarify the tools and product types they use to save keys. The most important key management infrastructure is a hardware security module, or HSM, which allows dedicated storage devices to perform encryption and decryption with high-performance Key access.

Second, enterprises need to ask Cloud computing vendors who are using their keys and how they are accessed. Theoretically, key management should not be completely controlled by a single person. Any key access should be managed by two or more trusted members in the internal team, and in-depth audit creden。 should also be established.

Enterprises should also ask suppliers how to restore keys. At present, many suppliers do not allow the customer to restore the private key under the control of the customer, but if they allow it in the future, then they should strictly control the procedures involved in restoring the key and approve the customer's request for restoring the private key.

Finally, if the database or application access of the service provider requires multiple access keys, you should ask the supplier how to maintain the control measures and distribute each key, and how they ensure that keys are correctly created, managed, updated, or destroyed.

In an ideal multi-tenant environment, each group owner has a separately managed key. However, the architecture adopted by many vendors involves multiple keys (one or more for each tenant), and an "access key" for a specific internal resource ". In this case, the management of any CMK or "access key" should be strictly controlled and recorded with any access and detailed audit creden。 related to these keys. Access to any shared key is highly risky, especially if this key is disclosed in any way.

Cloud computing Key Management: Emerging Technologies

Recently, NIST released an internal White Paper on cloud computing key management, which mainly involves details about potential risks and architecture solutions of key management in different cloud computing service models. Many new products and services are emerging in the market to facilitate safer Key Management in cloud computing.

Amazon Network Service recently released its CloudHSM service, which allows enterprise users to make full use of their dedicated hardware facilities in their cloud computing environment. Porticor is another supplier that provides key management services. It uses split-type keys and homomorphic encryption technology, which allows the system to perform mathematical operations on encrypted data.

Currently, the challenge of cloud computing encryption key management is still a major obstacle for storing sensitive data in cloud computing vendor environments. However, cloud computing vendors and consumers have begun to solve this problem. We can imagine that in the future, key management will become a key area of cloud computing security. As the opinions of authoritative groups and mature suppliers' products and services emerge, the storage of sensitive data in cloud computing will become easier to implement over time.