In the era of rapid technological change, Cloud computing has provided a way forward for companies to future-proof their business and to maintain a competitive edge. However, says Jared Naude, Synthesis Cloud Architect, with the rapid migration to Cloud technologies, the security of data and applications is often the primary concern of IT teams, executives, shareholders and regulators.
Ensuring that data is encrypted and protected with the right access control policies goes a long way towards protecting it from malicious actors. In the past, data encryption and key management have been complex and expensive undertakings, because specialised software and hardware had to be procured to deliver the capability for the organisation.
Additionally, such an initiative requires support from executives and development teams, which is not always easy to get. A further challenge for IT teams is knowing which assets need to be protected and then keeping a record of all of those items and their configurations.
If you were to ask a data centre person how many hard drives they have, or whether those drives are encrypted and with which key material, they would probably laugh at the absurdity of the question. A benefit of running on a Cloud platform, however, is that there is a fabric layer (the provider's control-plane API) that can be queried to describe every piece of infrastructure that is running.
Questions such as how many hard drives (or volumes) exist and what the encryption compliance state of each volume is can therefore be answered directly. The same fabric layer can be used to determine the compliance state of all resources, and organisations with high maturity can build automated remediation for infrastructure that is not compliant. Operations teams can also use it to turn off dev environments at night and over weekends, leading to a 40-60% cost saving. Such capabilities are near impossible in on-prem data centres, where the inventory is spread across systems on different underlying infrastructure with no common interface to query.
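The kind of query described above, as an added example that is not code from the article or from Synthesis: it takes the volume inventory in the shape returned by AWS's `ec2.describe_volumes` and the key descriptions in the shape returned by `kms.describe_key`, and reports which volumes are unencrypted, encrypted with a disabled key, or (optionally) encrypted only with the provider-managed default key rather than a customer-managed one. The volume IDs, key ARNs and account ID are constructed sample data; the `fetch_live` function shows the real API calls but needs boto3 and credentials, so it is not run by default.

```python
"""Audit EBS volume encryption state from the cloud API's own inventory.

Added example, not the article's code. Sample data below is constructed;
the account ID, key ARNs and volume IDs are hypothetical.
"""
from collections import Counter

# Constructed sample in the shape of boto3 ec2.describe_volumes()["Volumes"].
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/cmk-1111"},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/aws-ebs-2222"},
]

# Constructed sample of kms.describe_key()["KeyMetadata"], keyed by key ARN.
# KeyManager is "AWS" for the provider-managed default key and "CUSTOMER" for
# a key the account created itself (these are the real DescribeKey values).
SAMPLE_KEY_METADATA = {
    "arn:aws:kms:eu-west-1:111122223333:key/cmk-1111":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    "arn:aws:kms:eu-west-1:111122223333:key/aws-ebs-2222":
        {"KeyManager": "AWS", "KeyState": "Enabled"},
}


def volume_finding(volume, key_metadata, require_customer_managed):
    """Return None if the volume is compliant, otherwise a short reason."""
    if not volume.get("Encrypted"):
        return "unencrypted"
    meta = key_metadata.get(volume.get("KmsKeyId"))
    if meta is None:
        # Encrypted, but with a key this account cannot describe (e.g. a
        # cross-account key): flag it rather than silently passing it.
        return "encrypted with a key this account cannot describe"
    if meta.get("KeyState") != "Enabled":
        return f"key state is {meta.get('KeyState')}"
    if require_customer_managed and meta.get("KeyManager") != "CUSTOMER":
        return "encrypted with the provider-managed default key"
    return None


def audit_volumes(volumes, key_metadata, require_customer_managed=False):
    """Map each non-compliant volume ID to its reason, plus a per-reason count."""
    findings = {}
    for volume in volumes:
        reason = volume_finding(volume, key_metadata, require_customer_managed)
        if reason:
            findings[volume["VolumeId"]] = reason
    return {"total": len(volumes), "non_compliant": findings,
            "by_reason": dict(Counter(findings.values()))}


def fetch_live(region_name="eu-west-1"):
    """Pull both inventories from a real account (needs boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    key_metadata = {}
    for arn in {v["KmsKeyId"] for v in volumes if v.get("KmsKeyId")}:
        try:
            key_metadata[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]
        except ClientError:
            pass  # left out on purpose; audit_volumes flags the volume
    return volumes, key_metadata


if __name__ == "__main__":
    report = audit_volumes(SAMPLE_VOLUMES, SAMPLE_KEY_METADATA,
                           require_customer_managed=True)
    print(f"{report['total']} volumes, {len(report['non_compliant'])} non-compliant")
    for vol_id, reason in report["non_compliant"].items():
        print(f"  {vol_id}: {reason}")
```

The same report is the natural input to the automated remediation the paragraph mentions, with one caveat a practitioner should know: an existing unencrypted volume cannot be encrypted in place, so remediation means snapshotting it, copying the snapshot with encryption enabled and recreating the volume, while turning on EBS encryption by default stops new unencrypted volumes from appearing.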
When enabling data protection in a Cloud environment, the native security, encryption and key management services should be evaluated first, before 3rd party solutions are considered. Running your own tooling carries operational overhead, and Cloud providers have invested significant amounts of money in securing their resources and services.
Few organisations will be able to match the security and availability of the managed services a Cloud provider offers. These native services are also typically well integrated with the provider's other managed services, from storage, networking and machine learning to messaging and queuing, to name a few.
Services around key management
A common topic that emerges when using native services is key management. Should you Bring Your Own Key (BYOK), where key material generated in your own environment is imported into the provider's key management service, or Hold Your Own Key (HYOK), where the key material stays in a key store you run and the provider calls out to it for each cryptographic operation? The answer depends on the organisation, but for the most part organisations can let the Cloud provider generate the key for them and still remain in control of it, because the key policy, rotation, disabling and deletion of that key stay in the customer's hands.
Most regulators are concerned with the safety and management of encryption keys regardless of who created the key material and who manages the key day to day. What they want to see is that the organisation retains full control of its keys even when the key material is generated by a native service and/or the keys are administered by a 3rd party such as a Managed Service Provider.
Keys created by native services are typically stored in specialised hardware devices called hardware security modules (HSMs), and the key material does not leave the HSM boundary in plaintext. In the default service these devices are shared between customers, with the Cloud provider enforcing access control so that no key can be reached by another customer. HSMs are expensive, so using the native services saves significant amounts of money and lowers the barrier to entry for data protection.
Providers like AWS also allow security teams to spin up their own dedicated HSMs, paying an hourly rate for each hour that an HSM is online. This can save significant amounts of money for teams that manage PKI environments, since the HSMs are only needed while the keys and certificates of the root and intermediate CAs are being generated. The caveat is that the CA key material must be preserved (for example through the provider's HSM backup mechanism) before an HSM instance is deleted, so that it can be restored the next time the CA has to sign.