We all know that data residing in the cloud needs to be encrypted, but organizations must look beyond their data encryption requirements and consider their approach to managing encryption keys.
Simply put, encryption keys are the mechanism that makes data encryption and decryption possible. Failure to handle these keys properly can lead to security breaches, data loss or other problems. Here are some things to think about when developing (or assessing) strategies for managing encryption keys.
Managing Encryption Keys: In the Cloud or On-premises
One of the first things that organizations need to think about when it comes to managing encryption keys is whether it is better to place their root of trust in the cloud or on premises.
If an organization is already managing encryption keys on premises, it may be advantageous to continue to do so.
Most of the major cloud providers will allow you to import your own encryption keys by using a process that is commonly referred to as “bring your own key” (or “bring your own encryption”). In addition, if an organization has been managing keys in house all along, its key management system is almost certainly already set up to meet compliance mandates. Conversely, a cloud provider’s key management system, while secure, may lack the flexibility required to meet your compliance mandates.
With all that said, managing encryption keys on premises can be expensive and complex. It also requires specialized expertise, and the organization must have robust security in place to prevent keys from being compromised.
For these reasons, if your organization does not yet have a key management solution in place, it is likely best to use a cloud-based option.
However, that does not always mean using the key management services offered by the major cloud providers. Indeed, most larger organizations take a multi-cloud approach to their IT operations. A key management solution that is bound to one of the hyperscale clouds might not be the easiest thing to use in a multi-cloud environment. One alternative is to use a third-party key management service that specializes in managing encryption keys in the cloud.
“Bring Your Own Key” Services
For organizations generating their own keys, it is extremely important to understand the implications of bring-your-own-key services offered by cloud providers. Each cloud provider has its own way of handling bring-your-own-key services, but there are two basic concepts that are more or less true across the board.
First, when you take advantage of a bring-your-own-key program, the key that you generate in house might not actually be used to encrypt your data, at least not directly. More often, the key that an organization supplies to a cloud provider is used to encrypt other keys (data keys), and it is those data keys that encrypt the actual data.
This concept is important because of data portability.
Imagine a situation in which an organization violates best practices and generates a key that it issues to a cloud provider but also uses on premises for encrypting data in the organization’s data center. If that organization later decided to move encrypted data from the cloud into its own data center, it would not be able to decrypt the data using its own key: even though the organization gave a copy of that key to the cloud provider, the cloud provider actually used a different key to encrypt the data.
Second, in most cases bring-your-own-key programs exist only as a tool for helping an organization adhere to compliance mandates by demonstrating to compliance auditors that processes are in place for managing keys. Because cloud providers generate a new encryption key based on the key that was supplied to them, these bring-your-own-key programs do little to keep data private from cloud providers. As such, the cloud provider is ultimately still in control of the encryption key and still theoretically has the ability to access any data that has been encrypted using that key.
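The two points above can be made concrete with a small model of the key-wrapping ("envelope encryption") pattern that bring-your-own-key services typically use. The following is an added example, not code from the original article or from any cloud provider: the `ToyCloudKms` class, the `seal`/`unseal` functions and the sample record are all constructed here. The cipher is an HMAC-SHA256 stand-in for the authenticated cipher a real service would use (it is not meant for production), and the `generate_data_key` operation is only loosely modelled on the data-key operations cloud KMS APIs expose. The scenario shows that the imported key cannot decrypt the stored data directly, that the data is only recoverable by first unwrapping the provider-generated data key, and that the provider's side holds both the imported key and the plaintext data key.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
KEY_LEN = 32

# Constructed sample record; any bytes would do.
SAMPLE_RECORD = b"customer-id=1234;balance=100.00"


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for a block-cipher keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class ToyCloudKms:
    """Hypothetical provider-side key service (constructed for this example)."""

    def __init__(self):
        self._imported = {}  # the provider holds the imported keys in plaintext

    def import_key(self, key_id: str, kek: bytes) -> None:
        """The bring-your-own-key step: the customer's key becomes a key-encryption key."""
        self._imported[key_id] = kek

    def generate_data_key(self, key_id: str):
        """Provider generates a fresh data key and wraps it with the imported key.
        It returns the plaintext data key (used to encrypt data) and the wrapped copy
        (stored alongside the data). The provider saw the plaintext data key."""
        dek = secrets.token_bytes(KEY_LEN)
        return dek, seal(self._imported[key_id], dek)

    def decrypt_data_key(self, key_id: str, wrapped_dek: bytes):
        return unseal(self._imported[key_id], wrapped_dek)


def run_scenario() -> dict:
    customer_kek = secrets.token_bytes(KEY_LEN)  # generated in house
    kms = ToyCloudKms()
    kms.import_key("tenant-key", customer_kek)

    # The provider encrypts the customer's record with a data key, not with the KEK.
    dek, wrapped_dek = kms.generate_data_key("tenant-key")
    stored_blob = seal(dek, SAMPLE_RECORD)

    # Portability trap: decrypting the stored data with the in-house key alone fails.
    direct_attempt = unseal(customer_kek, stored_blob)

    # Correct path after exporting the data: unwrap the data key with the KEK first.
    recovered = unseal(unseal(customer_kek, wrapped_dek), stored_blob)

    # A different key cannot unwrap the data key either.
    foreign_attempt = unseal(secrets.token_bytes(KEY_LEN), wrapped_dek)

    return {
        "kek_alone_decrypts": direct_attempt is not None,
        "recovered": recovered,
        "foreign_key_unwraps": foreign_attempt is not None,
        "provider_holds_plaintext_dek": dek is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The thing to carry away is the shape of `run_scenario`: data encrypted in the cloud travels with a wrapped data key, and the imported key is only ever useful for unwrapping that key, not for reading the data itself.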
If an organization has stringent compliance requirements that it must adhere to with regard to key management, it may make sense for the organization to continue generating its own keys in house or to use a third-party key management service. Otherwise, it will likely be simpler and more cost effective to allow a cloud provider to handle the key management process.