Understanding Cloud Encryption and Key Management – Part 1

Posted: July 23, 2020
Category: Cloud

There are a variety of benefits for organizations that migrate to the cloud—accessibility, agility, scalability, and cost to name a few. At the same time, storing data in the cloud introduces security concerns and highlights the need for encryption of data while it is at rest in the cloud. That is where encryption and key management come in, and why we are going to spend time in this post taking a closer look at cloud encryption and key management.

There are a number of cloud key management options available, with a range of security and complexity. The options exist on a spectrum: at the far left is the simplest and least secure option, and at the far right the organization has complete control of its own encryption keys.

There are 6 options to choose from within this spectrum. You need to understand the basics of how each cloud key management solution works so you know what the tradeoffs are between security and complexity and you can make informed decisions about which is the right choice for your data. Let’s start by taking a look at the three options that are a function of the cloud provider.

Default Encryption

Default encryption provided by the cloud platform is the option at the far left of the spectrum. It is the easiest, and also the least secure, choice available. As the name implies, this encryption is typically enabled by default; in some cases you may have to enable it yourself by checking a box. With default encryption, the cloud provider generates and stores the encryption keys on its own internal hardware security modules (HSMs) and uses these keys to encrypt your data. By definition, this is the simplest way to go, but the tradeoff is that you give up full ownership of your data to the cloud provider and you must inherently trust that the cloud provider will effectively manage and protect the encryption keys.

Native KMS

The major cloud platform providers offer an alternative solution that provides essentially the same protection as default encryption, but lets you manage your own encryption keys. With a native key management system (KMS), the keys are still generated and stored by the cloud provider, but they are directly managed by you. Native KMS gives you the ability to manage the lifecycle of the keys, and allows you to control who can perform which operations against a specific key. Native KMS also benefits from tight integration with the platform and other native services, enabling you to easily build cloud applications.
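To make the native KMS model concrete, here is a small working model of one, added as an example for this post rather than code from the author, Set Solutions, or any cloud provider. It shows the three things the paragraph above describes: a per-key policy that decides which principal may perform which operation on which key, a key lifecycle state (Enabled, Disabled, PendingDeletion) that gates every data operation, and envelope encryption, where the master key never leaves the KMS and callers only ever hold a data key plus its wrapped copy. The names (Kms, MasterKey, the action strings, the principals) are all constructed for this example, and the HMAC-SHA256 keystream used for the cipher is a stand-in so the block runs on the Python standard library alone; a real KMS performs AES inside its HSMs.

```python
"""Constructed model of a native KMS: per-key policy, key lifecycle, envelope encryption."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for the cipher a real KMS runs inside its HSM.

    Produces an HMAC-SHA256 counter-mode keystream and XORs it over data.
    Symmetric: the same call both encrypts and decrypts.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KmsError(Exception):
    """Raised when a request is denied by key policy or key state."""


@dataclass
class MasterKey:
    key_id: str
    material: bytes = field(default_factory=lambda: os.urandom(32), repr=False)
    state: str = "Enabled"  # Enabled | Disabled | PendingDeletion
    policy: dict = field(default_factory=dict)  # principal -> set of allowed actions


class Kms:
    """Master key material is held only here; callers receive data keys, never master keys."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id: str, admin: str) -> str:
        key = MasterKey(key_id)
        key.policy[admin] = {"Encrypt", "Decrypt", "GenerateDataKey", "ManageKey"}
        self._keys[key_id] = key
        return key_id

    def _authorize(self, key_id: str, principal: str, action: str) -> MasterKey:
        """Policy check first, then lifecycle check; ManageKey works on disabled keys."""
        key = self._keys.get(key_id)
        if key is None:
            raise KmsError(f"no such key {key_id}")
        if action not in key.policy.get(principal, set()):
            raise KmsError(f"{principal} may not {action} on {key_id}")
        if action != "ManageKey" and key.state != "Enabled":
            raise KmsError(f"{key_id} is {key.state}")
        return key

    def grant(self, key_id: str, admin: str, principal: str, actions: set) -> None:
        key = self._authorize(key_id, admin, "ManageKey")
        key.policy.setdefault(principal, set()).update(actions)

    def set_state(self, key_id: str, admin: str, state: str) -> None:
        key = self._authorize(key_id, admin, "ManageKey")
        key.state = state

    def decrypt(self, key_id: str, principal: str, blob: bytes) -> bytes:
        """Unwrap a blob produced by generate_data_key; blob = 16-byte nonce + ciphertext."""
        key = self._authorize(key_id, principal, "Decrypt")
        nonce, ciphertext = blob[:16], blob[16:]
        return _keystream_xor(key.material, nonce, ciphertext)

    def generate_data_key(self, key_id: str, principal: str):
        """Return (plaintext data key, data key wrapped under the master key)."""
        key = self._authorize(key_id, principal, "GenerateDataKey")
        data_key = os.urandom(32)
        nonce = os.urandom(16)
        return data_key, nonce + _keystream_xor(key.material, nonce, data_key)


def store_object(kms: Kms, key_id: str, principal: str, plaintext: bytes) -> dict:
    """Client-side envelope encryption: the data key encrypts the object, then is discarded."""
    data_key, wrapped = kms.generate_data_key(key_id, principal)
    nonce = os.urandom(16)
    body = _keystream_xor(data_key, nonce, plaintext)
    del data_key  # only the wrapped copy is persisted alongside the ciphertext
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body}


def read_object(kms: Kms, key_id: str, principal: str, obj: dict) -> bytes:
    """Reading requires Decrypt on the master key, which unwraps the stored data key."""
    data_key = kms.decrypt(key_id, principal, obj["wrapped_key"])
    return _keystream_xor(data_key, obj["nonce"], obj["body"])


def demo() -> dict:
    """Constructed scenario: a writer may wrap keys but not unwrap them; disabling the key stops reads."""
    kms = Kms()
    kms.create_key("orders-key", admin="security-admin")
    kms.grant("orders-key", "security-admin", "app-writer", {"GenerateDataKey"})
    kms.grant("orders-key", "security-admin", "app-reader", {"Decrypt"})
    obj = store_object(kms, "orders-key", "app-writer", b"order 42: 3 widgets")
    results = {"reader_ok": read_object(kms, "orders-key", "app-reader", obj)}
    try:
        read_object(kms, "orders-key", "app-writer", obj)
        results["writer_denied"] = False
    except KmsError:
        results["writer_denied"] = True
    kms.set_state("orders-key", "security-admin", "Disabled")
    try:
        read_object(kms, "orders-key", "app-reader", obj)
        results["disabled_denied"] = False
    except KmsError:
        results["disabled_denied"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is the separation of duties the policy enables: the writing service holds only GenerateDataKey, so a compromise of that service cannot be used to decrypt objects already stored, and disabling the master key immediately makes every object wrapped under it unreadable without touching the objects themselves. Those two properties are what you gain by moving from default encryption to a native KMS, and they hold whether the master key lives in a shared provider HSM or in a dedicated cloud HSM.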

Cloud HSM

Another native cloud encryption and key management option is cloud HSM. This gives you better security and more control, while still leaving much of the infrastructure management and support to the cloud provider. With cloud HSM, you have a dedicated high-assurance root-of-trust appliance built around well-tested and specialized hardware that is hosted in the cloud provider's data center. These are FIPS 140-2 Level 3 certified appliances that give you full ownership and control over your keys. Because the HSM is hosted in the cloud provider's data center, the cloud provider typically manages provisioning, high availability, maintenance, and backups of your keys, freeing you to focus on key management and application development.

In the second part of this two-part series, we will cover the remaining three options: bring your own key (BYOK), bring your own encryption (BYOE), and hold your own key (HYOK). These all give you full ownership and control over your keys outside a SaaS or cloud provider, with each one aimed at a different use case.


This blog was written by Victor Mendoza, Senior Cloud Security Consultant at Set Solutions.