Do cryptographic keys belong in the cloud?
Thanks to the cloud, organisations of all sizes can enjoy scalability, ease of use, and significant savings by outsourcing hardware and software ownership and maintenance in multi-tenant environments. Medium-sized companies no longer have to pay to build their own infrastructure, which makes the cloud especially appealing to this market.
However, the cloud still suffers from security issues. Migrating critical data and applications to the cloud is comparable to leaving your house key under the door mat. You have outsourced not only your infrastructure but the encryption keys to your sensitive data and files as well.
Strong cloud security requires an assessment of encryption key controls. Unless you exclusively control the encryption keys to your data, you could be at risk. Unfortunately, exclusive control is rarely what cloud customers actually have, and that is one of the reasons why we continue to receive apologetic emails notifying us that our data has been compromised. Each cloud service and software-as-a-service provider represents a huge attack surface and is therefore a serious target. With everything moving into the cloud, how do you make key management work? This is a challenge that needs to be solved.
Should you put your keys in the cloud?
A multi-tenant cloud solution (applications, database, files, and everything else hosted in the cloud) is the simplest concept to grasp, because on-premises infrastructure maps directly onto cloud instances. Organisations often assume this is what they need. However, moving key management systems (KMS) to the cloud using any of the three common cloud-based options poses significant risks.
In outsourced KMS, the cloud service provider owns the keys and will tell you that all your data and files are secured and encrypted. That is fine until the provider, or your account credentials with the provider, is compromised (as happened in Uber's case with AWS). Your files may be encrypted, but if you are storing your encryption keys with the same provider, an attacker who also gains access to those keys can decrypt everything.
Another option is cloud KMS, in which you own the keys, but they are stored in cloud software. A software-based, multi-tenant cloud KMS is especially ill-suited to cryptographic key management. Because hardware resources are shared across multiple clients, the keys are exposed to a higher level of risk; the Spectre and Meltdown vulnerabilities are testament to this.
The third approach is cloud HSM: you own the keys, but they are stored in cloud hardware specifically designed for securing cryptographic keys. The “gold standard” for protecting keys is the secure cryptoprocessor: hardware security modules (HSMs) and trusted platform modules (TPMs). A cloud-based HSM or TPM mitigates certain risks, but even when the keys themselves are secure, access to them may not be: the applications that call these secure cryptoprocessors still run inside a multi-tenant infrastructure. Given the choice between attacking a purpose-built hardware cryptoprocessor and attacking an application running in a multi-tenant environment, the application is always the easier target from an attacker’s point of view.
Cloud providers do offer advanced firewalls, intrusion detection and other protective measures, but security doesn’t end there. Securing the core elements of your business – sensitive data and files – against breaches requires encryption using the fundamental Laws of Cryptographic Key Management:
- Secure cryptoprocessors (HSM/TPM) must control and protect cryptographic keys
- Multiple key custodians within a single organisation must exclusively control cryptographic keys
- The parts of the application that use cryptoprocessors to work with sensitive data must not execute within public multi-tenant environments. In such an environment not only is the sensitive data itself unprotected, but so are the secrets that authenticate the application to the cryptoprocessor, and an attacker who obtains those secrets can use the secure cryptoprocessor itself to decrypt the encrypted data
The wrinkle in this situation is that there aren’t any public clouds that are able to meet these essential requirements. Organisations that leave security solely in the hands of cloud providers could be in for a rude awakening.
The keys to your kingdom
This doesn’t mean, though, that using the public cloud is out of the question. Instead, store your sensitive data and files in the cloud while retaining exclusive control of their encryption keys under the protection of your own secure cryptoprocessor in a controlled environment outside the public cloud.
If your cloud service provider suffers a security breach and this architecture is in place, the attacker gets nothing of value: only encrypted information that is of no use without the keys. The benefits of the cloud are still realised while data protection is maintained. This allows companies to prove compliance with data security regulations while leveraging clouds, private or public, to the maximum extent possible.
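The architecture just described (data in the cloud, keys under your own cryptoprocessor outside it), as an added Go example that is not from the article or any product it mentions: an `OnPremKMS` type stands in for the on-premises HSM and exposes only wrap and unwrap of per-object data keys, so the cloud store only ever holds ciphertext plus a wrapped key. The type and function names and the envelope-encryption layout are my assumptions, not something the article specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randomBytes(n int) []byte { // keys and nonces come from the OS CSPRNG
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// seal/open: AES-256-GCM with the nonce prefixed; keys are always 32 random bytes, so constructor errors are dropped.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil) // fails on any tampering
	}
	return nil, errors.New("ciphertext too short")
}

// OnPremKMS stands in for the cryptoprocessor outside the public cloud: the
// key-encryption key (KEK) never leaves it; callers only get Wrap and Unwrap.
type OnPremKMS struct{ kek []byte }
func NewOnPremKMS() *OnPremKMS                       { return &OnPremKMS{kek: randomBytes(32)} }
func (k *OnPremKMS) Wrap(dek []byte) []byte          { return seal(k.kek, dek) }
func (k *OnPremKMS) Unwrap(w []byte) ([]byte, error) { return open(k.kek, w) }

// CloudObject is all the provider stores: ciphertext plus the data key wrapped under the on-premises KEK.
type CloudObject struct{ Ciphertext, WrappedDEK []byte }
func Encrypt(kms *OnPremKMS, plaintext []byte) CloudObject {
	dek := randomBytes(32) // fresh per-object data-encryption key (DEK)
	return CloudObject{Ciphertext: seal(dek, plaintext), WrappedDEK: kms.Wrap(dek)}
}
func Decrypt(kms *OnPremKMS, obj CloudObject) ([]byte, error) {
	dek, err := kms.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}
```

A dump of the cloud store yields only `CloudObject` values, and nothing in them decrypts without a call into the on-premises KMS.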
The benefits of the cloud are real, but so are the security challenges. Even when the data used by cloud applications is encrypted, the encryption keys are what matters: not only must the information be kept safe, but so must the keys. Mid-sized companies therefore cannot assume that cloud providers have iron-clad security. Instead, use the cryptographic key management laws to find solutions that secure critical data and protect your company’s reputation as well.