How can you implement legitimate security requirements in the cloud without hindering business agility? Encryption shows the way. External key management lets users retain the greatest possible control over their keys.
The cloud is the new standard; digitalization without flexible platforms is almost inconceivable. Even companies that continue to rely on traditional IT delivery models are increasingly feeling the pressure to move to the cloud. This is mainly due to the competition, which uses the cloud to gain an edge in the market for business agility. Who wants to leave the field open to competitors? As demand for business agility grows, so does cloud use and the cloud market. In October 2022, Gartner put growth for 2022 at nearly 19 percent, to $490 billion, noting that "cloud continues to be the largest chunk of IT spend".
Cloud creates new business opportunities, but IT managers are often skeptical: the question of security in the cloud is a perennial one, as countless studies confirm. But security reservations are not primarily based on mistrust of hyperscalers. The security best practices built into the platforms are convincing: "We cannot achieve this level in our own data centers," some say. The reservations over cloud security are based more on a lack of in-house expertise. Specialist security know-how is rare and sought after in the market. Yet the shared responsibility model requires users to make their own security contributions.
It is vital to ask about cloud security and take a second – and third – look. After all, processes in the cloud should be at least as reliable and secure as in the company's own data center. And this is not just a technical question. First and foremost, the business suffers if cloud services are unavailable. Consequently, cloud security is becoming essential for future business success; security concepts deserve high priority.
Encryption plays an essential role in cloud security architectures. Experienced cloud users and newcomers alike quickly ask, "What encryption options are available?" Encryption is not a panacea, but it does solve a variety of security requirements: needs that a company must meet both in its own interest and in response to external demands, such as regulatory requirements.
Providers like Amazon Web Services offer a broad portfolio of security services covering the complete security lifecycle: Identify, Protect, Detect, Respond, and Recover. This includes encryption solutions. Encrypting data ‘in transit’ is comparatively easy: in the enterprise sector, data in transit is already routinely encrypted, using tried-and-tested methods such as Transport Layer Security (TLS) between data centers, servers, and end devices. Encrypting data ‘at rest’ needs platform-specific services. At AWS, encryption is available for most services, including all storage flavors and many databases: Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache, AWS Lambda, and Amazon SageMaker. With its Nitro Compute instances, AWS also offers confidential computing for encrypting data ‘during processing’.
Sophisticated encryption procedures supported by a robust key policy increase trust in the cloud. But one critical question always looms over encryption. Who has the key? You're probably familiar with this movie scene: the main character pulls up in a luxury car in front of a hotel. A smartly dressed chauffeur jumps in the vehicle as the key flies through the open window. The hero enters the hotel; the chauffeur drives away. It's a scene we've surely seen dozens of times. Many a filmmaker gets a kick out of retelling the story: The driver takes the car for a spin or even disappears entirely with the vehicle while the owner is oblivious. It's rather like cloud encryption.
Companies have three ways to implement encryption. The example above is pure ‘cloud-based’ encryption, where the cloud provider generates, manages and stores the keys on its platform. This works well between spouses (but not always with strangers 😉) and simplifies management immensely. Alternatively, companies can use ‘bring your own key’. Here, the user generates and manages the keys, but the cloud provider receives a copy of the keys and can use them. In the third mode, the keys stay with and are stored by the user. In this mode, the user has complete control over their keys – and thus over their data and databases.
However, complete control of key management means effort, which grows with the breadth of encryption used for AWS services. An alternative to self-management is external key management as a service from a trusted EKM provider. This approach is behind T-Systems' External Key Management (EKM) for Amazon Web Services. Here, as your key manager, T-Systems hosts the keys in hardware security modules (FIPS 140-2 Level 3 validated HSM) in a highly secure, highly available Telekom data center. The AWS Key Management Service (AWS KMS) is connected to these back-end systems. This enables our customers to use the keys in a very similar way to AWS-managed customer master keys (CMK): The keys are integrated with all AWS services that support AWS KMS.
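As an added illustration of the third mode described above (example code, not T-Systems' or AWS's own), the following Python simulates envelope encryption in which the key-encryption key lives only inside a hypothetical external key manager: the cloud side stores just ciphertext and wrapped data keys, every wrap/unwrap request is audited, and disabling the key on the customer side makes all stored ciphertext unreadable. A toy HMAC-based keystream stands in for a real cipher such as AES-GCM.

```python
import hashlib, hmac, secrets
def _keystream_xor(key, nonce, data):
    """Toy XOR keystream from HMAC-SHA256(key, nonce||counter): stands in for AES-GCM, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class ExternalKeyManager:
    """Hypothetical customer-side key manager: the key-encryption key (KEK) never leaves it."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)  # generated and stored only here
        self.enabled = True                  # the customer can disable it at any time
        self.audit = []                      # every wrap/unwrap request is recorded
    def wrap(self, data_key):
        self.audit.append(("wrap", True))
        nonce = secrets.token_bytes(16)
        return nonce + _keystream_xor(self._kek, nonce, data_key)
    def unwrap(self, wrapped):
        self.audit.append(("unwrap", self.enabled))
        if not self.enabled:
            raise PermissionError("KEK disabled at the external key manager")
        return _keystream_xor(self._kek, wrapped[:16], wrapped[16:])

class CloudService:
    """Hypothetical cloud-side service: it persists only ciphertext plus the wrapped data key."""
    def __init__(self, ekm):
        self.ekm = ekm
    def encrypt(self, plaintext):
        data_key = secrets.token_bytes(32)   # fresh per-object data key (envelope encryption)
        nonce = secrets.token_bytes(16)
        ciphertext = nonce + _keystream_xor(data_key, nonce, plaintext)
        return {"wrapped_key": self.ekm.wrap(data_key), "ciphertext": ciphertext}  # plaintext key dropped
    def decrypt(self, record):
        ct = record["ciphertext"]
        return _keystream_xor(self.ekm.unwrap(record["wrapped_key"]), ct[:16], ct[16:])  # unwrap raises if revoked

def demo():
    ekm = ExternalKeyManager()
    svc = CloudService(ekm)
    record = svc.encrypt(b"constructed sample: cardholder record")
    recovered = svc.decrypt(record)      # works while the customer allows it
    ekm.enabled = False                  # customer pulls the key: cloud-side data goes dark
    try:
        svc.decrypt(record)
        revoked = False
    except PermissionError:
        revoked = True
    return recovered, revoked, ekm.audit
```

The audit trail kept by the key manager is what makes such key usage reviewable for compliance purposes; in a real deployment that role is played by the HSM and its logs, not by application code.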
With External Key Management, enterprises significantly increase their level of security – to the point where even tightly regulated industries can process sensitive data on AWS. But EKM doesn't just solve compliance needs by enabling secure and auditable key management processes that meet, for example, PCI-DSS, HIPAA, and EU GDPR (DSGVO) requirements. External key management systems also simplify multi-tenant scenarios, allow the easy use of decentralized storage systems, and support key rotation. This IT security best practice of regularly replacing keys (required by PCI-DSS, for example) can be automated using external key management solutions.
External key management can play an important role in your AWS security architecture. In particular, with managed external key management, you open the door to processing sensitive data using AWS. If you’d like our help or an initial chat to explore your options, you are welcome to contact us.