Key Management with Agility: In a cryptosystem, key management refers to the management of cryptographic keys. This involves generating, sharing, storing, using, crypto-shredding, and altering keys. It concerns the creation of cryptographic protocols, key servers, user practices, and other essential protocols.
Designed to provide the rigor and security required for the most sensitive transactions, Hardware Security Modules (HSMs) are widely used by financial services, enterprises, and government entities, as the most secure way to manage encryption. The core requirements for encryption key management are universal:
- Refined Security
In terms of key management, HSMs are tasked with compliantly managing the lifecycle of encryption keys used across an organization’s estate of applications. This includes creating, managing, storing, distributing, and retiring or revoking keys.
For any cryptographic framework, sophisticated key management systems are important because encrypted information is only as secure as the encryption keys. If the keys are compromised, then so is the encrypted data.
An on-premises key management solution provides organizations complete and isolated control over their key management. For example, financial services organizations handling transaction processing require systems and networks optimized to process a very high volume of data with minimal latency (the delay).
To meet compliance, they require primary keys to be stored in secure, tamper-resistant hardware. What about organizations that operate in countries with absolute requirements on data localization? A cloud-only provider may not retain a local data center in that geographic location. As you work to monitor your organization’s IT operations, ask yourself:
- Will the infrastructure able to manage higher user volumes and transactions?
- How will my corporation cope with a service outage if we encountered a downtime?
The cloud offers access to on-demand scalability — ideal for cryptographic operations that can experience significant spikes in usage. The cloud can increase capacity and facilitate remote access to vital business functions, especially now when redundancy and scalability are more important than ever.
For example, the cloud could represent an ideal solution for on-demand scalability for a retailer with an existing payment processing infrastructure that’s overloaded and delaying or declining transactions as a result. This defends a sudden surge in demand or can serve as a stand-in in the event of a full-blown outage, and you’re only paying for the capacity you need when you need it.
When moving workloads to the cloud, security is of paramount importance. Major public cloud providers — including Google Cloud Platform, Azure, and AWS — offer functions to help secure these workloads and applications; and allow users to self-manage encryption keys, using an approach recognized as Bring Your Own Key (BYOK). BYOK allows organizations to retain control of their own cryptographic keys even after moving to the cloud.
One Hybrid Option Works For Many
Many organizations definitely prefer to own and physically oversee their own Hardware Security Modules (HSMs), but they also seek the accessibility and convenience of the cloud. A hybrid model would contain a combination of on-premises HSMs and cloud HSMs to account for:
This model is frequently adopted by organizations that possess enormous on-premises HSM estates, but want to limit any further investments in on-premises and want to tap into the scalability of the cloud. With a hybrid infrastructure, if an organization notes an unexpectedly significant volume, cloud-based Hardware Security Modules (HSMs) can seamlessly provide increased capacity, preventing slowdowns or outages.
A few years ago, on-premises remained the sole option for key management. That has changed, and you presently secure the option to move completely to the cloud or adopt a hybrid model. As you’re considering your options, propose these seven questions of your cryptographic solution:
- Integration: Does it integrate with your current systems?
- Resources: Do you have a dedicated key management and crypto team?
- Cost: Hardware is capex-centric, cloud is an operating expense model.
- Security: Look for validation under FIPS 140-2 Level 3 and PCI HSM standards. If financial services are employing it, then shouldn’t you?
- Scalability: Does it scale to address your needs?
- Compliance: Will the infrastructure pass audits?
- High Availability: Does it eliminate singular points of failure in real-time?
In the light that your organization is facing scalability issues, interruptions, access failure, it might be time to extend your critical infrastructure beyond your physical premises. Fortunately, you secure several options: moving to the cloud, renting rack space, or seeking hybrid options.
Managing encryption key management with agility is more crucial than ever to account for a newly remote workforce, data center and social distance problems, and an increasingly complex range of cyber threats, not to mention the ever-present need to account for traffic peaks, balance workloads, and maintain uninterrupted access.