Doing it right: Cloud encryption key management best practices

Expert Dave Shackleford takes a look at what cloud encryption key management is like today and what to know about cloud security providers' processes.

Enterprises are moving more data into the cloud than ever before, in all different types of service models. As the sensitivity of data moving into the cloud increases, security professionals are actively looking to protect this data using encryption, with tried-and-true techniques they've been using in their data centers for years. In some cases, however, this may not be possible or may require some different approaches and tools, especially for encryption key management.

In this tip, we'll explore what the landscape of cloud encryption key management looks like today.

Cloud key management: How it's different

The primary difference between key management in an enterprise's data center versus key management in the cloud is ownership and management of the keys. In a traditional data center, all key management functions and tools can be configured and maintained by an IT operations team. In cloud environments, there will likely be a shared model or one wholly managed and maintained by the providers.

Cloud key management processes will largely depend on several factors. First, in some cases, the type of cloud service in use will dictate the types of key management available. IaaS clouds have internal key management maintained for digitally signing virtual machine image templates. Public key infrastructure (PKI) is used for signing API commands and for gaining access to VM images. The private keys in this arrangement need to be maintained by the cloud consumer and can be stored internally within traditional key management platforms.

For PaaS and SaaS clouds, most key management functions are managed internally at the cloud provider, though private keys for access to applications and systems can be distributed to consumers for data, application or database access to cloud resources. In public key deployments, the key management and security is shared -- private keys distributed to consumers are controlled by the consumers. Any other internal key management will largely be the provider's responsibility.

For hybrid clouds, key management is most likely shared, and private clouds typically have key management tools and processes within the internal network environment.

Cloud key management: What to ask the provider

For cloud services that require provider-managed encryption key management, what should organizations be asking providers about their key management security processes and controls?

First, service providers should explain the types of tools and products they use to store keys. The most serious key management infrastructure includes a hardware security module, or HSM, which allows for dedicated storage with high performance key access for both encryption and decryption operations.

Next, enterprises need to ask cloud providers how keys are accessed and by whom. Keys should never be under the control of one person, and any key access should be managed jointly by two or more trusted internal team members and have an in-depth audit trail.

Enterprises should also question providers about recovery keys. Many providers do not allow for recovery of private keys under the control of the customer, but if they do, there should be stringent control of the processes involved and vetting of the consumer requesting recovery.

Lastly, if the service provides database or application access that requires multiple key access, ask how the provider maintains control and distribution of each key and how it ensures they are properly created, managed and updated or destroyed.

In a multi-tenant environment, each tenant would ideally have an individual key that is jointly managed. However, many providers have an architecture where multiple keys are involved -- one or more for each tenant -- and then an "access key" for certain resources internally. In this case, the management of any master keys or "access keys" should be carefully controlled and documented, with detailed audit trails for any access to and with these keys. Any shared key access has the potential to be riskier, especially if this key is compromised in any way.

Cloud key management: Emerging technology

Recently, NIST has released an internal whitepaper focused on cloud key management that goes into detail on potential risks and architecture solutions for key management within different cloud service models. Many new products and services are emerging to facilitate more secure key management in the cloud.

Amazon Web Services recently released its CloudHSM service, which allows organizations to leverage a dedicated hardware appliance in their cloud environments. Porticor is another vendor offering key management services, with split keys and homomorphic encryption, which allows mathematical operations to be performed on data that is already encrypted [Editor's Note: Porticor was acquired by Intuit, Inc. in 2015 and later renamed Intuit Data Protection Services].
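The controls described above (keys never under one person's control, an audit trail for every access, one key per tenant, and the split-key model in which neither the customer nor the provider alone holds a usable key) can be modelled in a few dozen lines. The following is an added example written for this article, not code from any provider or vendor named here; the operator roster, tenant names and the in-memory store are constructed, and the 2-of-2 XOR split stands in for whatever split-key scheme a real product uses. An HSM would hold the provider share in practice; here it is a dictionary.

```python
"""Toy cloud key-management service (constructed example): per-tenant data keys,
2-of-2 split-key storage, two-person access control and an audit trail."""
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample roster of provider staff allowed to approve key operations.
TRUSTED_OPERATORS = {"alice", "bob", "carol"}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Combine (or split) two equal-length shares. With a uniformly random
    share this is a one-time pad, so one share alone reveals nothing."""
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class AuditEvent:
    tenant: str
    action: str
    actors: Tuple[str, ...]
    ok: bool
    reason: str = ""


class TenantKeyService:
    """Holds only the provider share of each tenant's data key; the customer
    keeps the other share, so neither side can reconstruct the key alone."""

    def __init__(self, trusted_operators: Iterable[str] = TRUSTED_OPERATORS):
        self._provider_shares: Dict[str, bytes] = {}
        self._trusted = set(trusted_operators)
        self.audit: List[AuditEvent] = []

    def _log(self, tenant: str, action: str, actors: Iterable[str],
             ok: bool, reason: str = "") -> None:
        self.audit.append(AuditEvent(tenant, action, tuple(sorted(actors)), ok, reason))

    def create_tenant_key(self, tenant: str) -> bytes:
        """Generate a fresh 256-bit data key for one tenant, split it 2-of-2
        and return the customer share. The key itself is never stored."""
        if tenant in self._provider_shares:
            raise KeyError("tenant %r already has a key" % tenant)
        data_key = secrets.token_bytes(32)
        customer_share = secrets.token_bytes(32)
        self._provider_shares[tenant] = xor_bytes(data_key, customer_share)
        self._log(tenant, "create", (), True)
        return customer_share

    def _dual_control(self, tenant: str, action: str, approvers: Iterable[str]) -> bool:
        """Two distinct, trusted approvers are required for any key access."""
        unique = set(approvers)
        if len(unique) < 2:
            self._log(tenant, action, unique, False, "two distinct approvers required")
            return False
        if not unique <= self._trusted:
            self._log(tenant, action, unique, False, "untrusted approver")
            return False
        return True

    def release_key(self, tenant: str, customer_share: bytes,
                    approvers: Iterable[str]) -> Optional[bytes]:
        """Recombine the tenant key for a single use, under dual control."""
        approvers = tuple(approvers)
        if not self._dual_control(tenant, "release", approvers):
            return None
        provider_share = self._provider_shares.get(tenant)
        if provider_share is None:
            self._log(tenant, "release", approvers, False, "no such tenant key")
            return None
        self._log(tenant, "release", approvers, True)
        return xor_bytes(provider_share, customer_share)

    def destroy_tenant_key(self, tenant: str, approvers: Iterable[str]) -> bool:
        """Delete the provider share; the customer share alone is then useless."""
        approvers = tuple(approvers)
        if not self._dual_control(tenant, "destroy", approvers):
            return False
        if self._provider_shares.pop(tenant, None) is None:
            self._log(tenant, "destroy", approvers, False, "no such tenant key")
            return False
        self._log(tenant, "destroy", approvers, True)
        return True

    def failed_events(self) -> List[AuditEvent]:
        """Denied attempts are what a reviewer of the audit trail looks at first."""
        return [e for e in self.audit if not e.ok]


if __name__ == "__main__":
    svc = TenantKeyService()
    share = svc.create_tenant_key("tenant-a")
    print("two approvers:", svc.release_key("tenant-a", share, ("alice", "bob")) is not None)
    print("one approver: ", svc.release_key("tenant-a", share, ("alice",)) is not None)
    for event in svc.audit:
        print(event)
```

Every release attempt, granted or denied, lands in the audit list with the approvers' names, which is the "in-depth audit trail" the tip asks providers about. Because the data key exists only transiently inside `release_key`, a compromise of the provider store yields only provider shares, and a leaked customer share is equally useless on its own.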

Today, the challenges of cloud encryption key management are still a major barrier to storing sensitive data within cloud provider environments. Cloud providers and consumers are starting to solve this problem, however, and it is likely that key management will be a major focus area for cloud security in the coming months and years. With new guidance from authoritative groups and sophisticated vendor products and services, sensitive data storage in the cloud will surely get easier over time.

About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security, Lead Faculty at IANS, and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.