Encryption key management is a taxing challenge at the best of times. While encryption enables access control to your data, poor key management and storage can lead to it being compromised. When you add the additional risk of a third party controlling physical and logical access to your infrastructure, the challenge of keeping your encryption keys secure becomes much harder. The main reason is that key management ends up combined with key storage. It's similar to renting a safe deposit box at a bank and letting the bank keep the keys to it. Access to your encryption keys gives your provider access to your data.
Poor practices by your provider, such as weak key generation, storage or management, could easily leak a key. Sloppy password practices led to Twitter's recent security problems. A corrupt employee could add a backdoor to your machine to access the keys, access the machine while it is running, or live-migrate it over an unencrypted link. A corrupt employee could even suspend it and search the memory file for keys. If at any time you think a key has been stolen, your data is at risk; in this situation I would revoke the key and re-encrypt your data with a new key.
Backups present another problem for encryption key management because it's difficult to track your provider's archiving media. For long-term archive storage I would encrypt your data and then send it to a cloud data storage vendor. This way you hold and control the cryptographic keys. This segregation of encryption key management from the cloud provider hosting the data also creates a chain of separation, which helps protect both the cloud provider and you in the event of compliance issues. Crypto-shredding is also an effective technique for mitigating cloud computing risks. This is where the provider destroys all copies of the key, ensuring that any data outside your physical control is rendered inaccessible. If you manage your own keys, crypto-shredding should be an important part of your strategy too.
Cloud computing introduces other risks for key management. Vulnerabilities have been found in all virtualization software that can be exploited to bypass certain security restrictions or gain escalated privileges. Also, new technologies mean we can't assume existing processes are still secure. Security researchers Stamos, Becherer and Wilcox recently argued that virtual machines don't always have enough access to the random numbers needed to properly encrypt data. This is because they have fewer sources of entropy than regular machines, which can use mouse movements and keystrokes to build the entropy pool used to generate random encryption keys. The result is the generation of more easily guessable encryption keys. It's not an immediate threat, but it highlights that we still have a lot to learn about the security issues affecting cloud computing and virtualized computing.
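The separation argued for above, where you hold the key that protects the data keys and the provider stores only ciphertext plus wrapped data keys, together with crypto-shredding, as an added Go example that is not from the original article or any particular vendor. The two-level wrapping with AES-GCM and the constructed test keys are my assumptions, not a design the article prescribes; note that the nonces and data keys come straight from the operating system's CSPRNG, which is exactly where the entropy concern above bites.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead builds AES-GCM for a 16, 24 or 32-byte key; another size is a caller bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with a fresh random nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand (OS CSPRNG), never math/rand
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("blob too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}

// Encrypt: fresh DEK per object, data under DEK, DEK under your KEK; provider gets both blobs.
func Encrypt(kek, plaintext []byte) (ciphertext, wrappedDEK []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(dek, plaintext), seal(kek, dek)
}

// Decrypt unwraps the DEK with the KEK, then opens the data. Crypto-shredding is
// destroying every copy of the KEK: every blob wrapped under it then stays sealed.
func Decrypt(kek, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err // wrong, rotated-away or shredded KEK
	}
	return open(dek, ciphertext)
}
```

Because the provider only ever sees the two blobs, the same check covers its backup media: once the KEK is destroyed, no copy of a wrapped DEK can be opened, however many archives it survives in.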
The main area of concern, though, is how strong and how well implemented your provider's security policies are. Do they apply a key management lifecycle: how are keys generated, used, stored, backed up, recovered, rotated and deleted? What data sanitization practices do they employ to destroy key material once it's no longer needed? Contracts with your cloud provider should include a "no key storage" clause that states, "Any keys provided for use will not be retained any longer than absolutely necessary". This kind of clause is not unprecedented. The Payment Card Industry Data Security Standards state that merchants must not save credit card CVV numbers even if they use them for authentication. If, at the end of the day, you're not happy with a cloud vendor's contract or processes, don't use them.
This was first published in March 2010