
How do key aliases affect cloud encryption key management?

Amazon Web Services added support for key aliases to help improve enterprise cloud encryption key management. Learn what key aliases are and the benefits they bring to the enterprise.

Amazon Web Services recently added support for updating key aliases for its Key Management Service. What are the benefits of using a key alias? Are there any risks associated with key aliases? If so, how can they be mitigated?

Amazon Web Services' Key Management Service enables users to create and manage cryptographic keys used to protect data in AWS.

KMS keys are scoped to the region in which they were created and cannot be used from another region. For example, data encrypted in Amazon's us-west-2 region would be encrypted with a different key than a replicated copy of that data stored in us-east-1. This makes it harder to keep track of which key protects data in each region: application code, for example, would have to carry a separate key ID for every region it runs in.

Key aliases relieve some of this cloud encryption key management burden by letting administrators attach a name string to each key. Aliases are themselves region-scoped, but the same alias name can be created in every region, each one bound to that region's key. Code that runs in multiple regions therefore does not need to manage multiple key IDs; it refers to the alias (for example, alias/app-data) and the KMS endpoint in each region resolves that name to the local key.

Key aliases are also useful when rotating keys. Key rotation is a security best practice that limits the damage from a compromised key; it serves a similar purpose to changing passwords. If someone learned an administrative password, they would have access to that account for as long as the password remained in place. Similarly, an ex-employee who kept a copy of an encryption key, or anyone else who obtained one, could read all data encrypted with that key. With an alias in front of the key, rotation means creating a new key and pointing the alias at it; callers keep using the same name and pick up the new key without a code change.

The newly announced UpdateAlias operation lets administrators point an existing alias at a different key without first deleting the alias. Previously the only way to move an alias was to delete it and recreate it against the new key, which left the name unresolvable between the two operations; any Encrypt call made through the alias in that window failed. Two caveats apply. Repointing an alias changes only which key new Encrypt calls use: KMS ciphertext records the ID of the key that produced it, and Decrypt resolves that key from the ciphertext rather than from an alias, so the old key must stay enabled (or the data must be re-encrypted under the new key) before it is disabled or scheduled for deletion. And because an alias can only name a key in its own region, the rotation has to be repeated in every region where the alias exists.

Aliases are not keys, and their names are not secrets, but the ability to create, update and delete them should be protected: whoever can call kms:UpdateAlias on an alias decides which key every subsequent Encrypt through that name uses. Grant kms:CreateAlias, kms:UpdateAlias and kms:DeleteAlias only to key administrators, separately from the kms:Encrypt and kms:Decrypt permissions given to applications. Alias names must start with alias/ and may not start with alias/aws/, which is reserved for AWS-managed keys. Beyond that, make them descriptive and easy to tell apart so a key is not applied to the wrong data because of an ambiguous or confusing name.
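The region-scoped aliases, the UpdateAlias-style rotation and the alias naming rule discussed above, modelled together in one added example. This is illustrative code written for this page, not AWS's code or the KMS SDK: it assumes an in-memory stand-in for KMS (key ARNs with the placeholder account ID 111122223333, a toy SHA-256 counter-mode keystream in place of the AES ciphertext real KMS produces, and exception messages chosen to mirror KMS API error names). What it shows beyond the text is that Decrypt takes no alias at all, so once the alias has moved, data encrypted under the old key stays readable only while that key remains enabled.

```python
# Added example, not AWS code: an in-memory model of KMS key/alias semantics.
# A toy SHA-256 keystream stands in for the AES ciphertext real KMS produces.
import hashlib
import hmac
import secrets


class KmsError(Exception):
    """Stands in for the KMS API exceptions named in the messages below."""


def alias_name_is_valid(name):
    # Names must start with "alias/"; "alias/aws/" is reserved for AWS-managed keys.
    return name.startswith("alias/") and not name.startswith("alias/aws/")


def _xor_stream(material, nonce, data):
    # Toy counter-mode keystream from SHA-256; for illustration only.
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hashlib.sha256(material + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))


class KmsModel:
    def __init__(self):
        self.keys = {}     # key ARN -> {"region", "material", "enabled"}
        self.aliases = {}  # (region, alias name) -> key ARN; aliases are region-scoped

    def create_key(self, region):
        key_id = f"arn:aws:kms:{region}:111122223333:key/{secrets.token_hex(8)}"  # placeholder account
        self.keys[key_id] = {"region": region, "material": secrets.token_bytes(32), "enabled": True}
        return key_id

    def _bind(self, region, name, key_id):
        key = self.keys.get(key_id)
        if key is None or key["region"] != region:
            raise KmsError("NotFoundException: key is not in this region")
        self.aliases[(region, name)] = key_id

    def create_alias(self, region, name, key_id):
        if not alias_name_is_valid(name):
            raise KmsError("InvalidAliasNameException")
        if (region, name) in self.aliases:
            raise KmsError("AlreadyExistsException")
        self._bind(region, name, key_id)

    def update_alias(self, region, name, key_id):
        # UpdateAlias repoints an existing alias in place; no delete/recreate gap.
        if (region, name) not in self.aliases:
            raise KmsError("NotFoundException: alias does not exist")
        self._bind(region, name, key_id)

    def encrypt(self, region, key_ref, plaintext):
        # An alias resolves to whatever key it is bound to in *this* region.
        key_id = self.aliases.get((region, key_ref), key_ref)
        key = self.keys.get(key_id)
        if key is None or not key["enabled"]:
            raise KmsError("NotFoundException or DisabledException")
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(key["material"], nonce, plaintext)
        tag = hmac.new(key["material"], nonce + ct, hashlib.sha256).digest()
        # Like real KMS ciphertext, the blob records which key produced it.
        return key_id.encode() + b"\0" + nonce + ct + tag

    @staticmethod
    def key_of(blob):
        return blob.split(b"\0", 1)[0].decode()

    def decrypt(self, blob):
        # Decrypt takes no key name: the key comes from the blob, never from an alias.
        key = self.keys.get(self.key_of(blob))
        if key is None or not key["enabled"]:
            raise KmsError("DisabledException: key disabled or deleted")
        rest = blob.split(b"\0", 1)[1]
        nonce, ct, tag = rest[:16], rest[16:-32], rest[-32:]
        if not hmac.compare_digest(tag, hmac.new(key["material"], nonce + ct, hashlib.sha256).digest()):
            raise KmsError("InvalidCiphertextException")
        return _xor_stream(key["material"], nonce, ct)


def rotation_walkthrough():
    """Same alias name in two regions, then rotate us-west-2 by repointing its alias."""
    kms = KmsModel()
    west, east, alias = "us-west-2", "us-east-1", "alias/app-data"
    kms.create_alias(west, alias, kms.create_key(west))
    kms.create_alias(east, alias, kms.create_key(east))
    old_key = kms.aliases[(west, alias)]
    old_ct = kms.encrypt(west, alias, b"customer record")
    new_key = kms.create_key(west)
    kms.update_alias(west, alias, new_key)
    new_ct = kms.encrypt(west, alias, b"customer record")
    result = {"old_key": old_key, "new_key": new_key, "east_key": kms.aliases[(east, alias)],
              "old_ct_key": kms.key_of(old_ct), "new_ct_key": kms.key_of(new_ct),
              "old_ct_decrypts": kms.decrypt(old_ct) == b"customer record"}
    kms.keys[old_key]["enabled"] = False  # retire the old key before re-encrypting...
    try:
        kms.decrypt(old_ct)
        result["old_ct_after_disable"] = "decrypted"
    except KmsError:
        result["old_ct_after_disable"] = "failed"  # ...and its data is unreadable
    return result
```

Calling rotation_walkthrough() returns a dictionary in which old_ct_key equals the original us-west-2 key, new_ct_key equals the key the alias was moved to, east_key is a third key bound to the same alias name in us-east-1, and old_ct_after_disable is "failed": moving the alias did not move the existing ciphertext.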

Ask the Expert:
SearchCloudSecurity expert Dan Sullivan is ready to answer your application security questions -- submit them now. (All questions are anonymous.)


This was last published in August 2015

2 comments


Has your enterprise considered using key aliases to ease cloud encryption key management?
Hmm. What are the legal issues associated with these, as opposed to the key itself? Case law isn't really settled yet.
