It is vital to ask about cloud security and take a second – and third – look. After all, processes in the cloud should be at least as reliable and secure as in the company's own data center. And this is not just a technical question. First and foremost, the business suffers if cloud services are unavailable. Consequently, cloud security is becoming essential for future business success; security concepts deserve high priority.
Encryption as a core discipline
Encryption plays an essential role in cloud security architectures. Almost reflexively, experienced cloud users and newcomers alike ask, "What encryption options are available?" Encryption is not a panacea, but it does address a variety of security requirements: needs that a company must meet both in its own interest and in response to external demands, such as regulatory requirements.
Encryption with AWS
Providers like Amazon Web Services offer a broad portfolio of security services covering the complete security lifecycle: Identify, Protect, Detect, Respond, and Recover. This includes encryption solutions. Encrypting data ‘in transit’ is comparatively easy: in the enterprise sector, data in transit is often already encrypted using tried-and-tested methods such as Transport Layer Security (TLS) between data centers, servers, and end devices. Encrypting data ‘at rest’ requires platform-specific services. At AWS, encryption is available for most services, including all storage flavors and many databases (Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache) as well as AWS Lambda and Amazon SageMaker. With its Nitro Compute instances, AWS also offers confidential computing for encrypting data ‘during processing’ (data in use).
Who holds the key?
Sophisticated encryption procedures supported by a robust key policy increase trust in the cloud. But one critical question always looms over encryption: who holds the key? You're probably familiar with this movie scene: the main character pulls up in a luxury car in front of a hotel. A smartly dressed chauffeur jumps into the vehicle as the key flies through the open window. The hero enters the hotel; the chauffeur drives away. It's a scene we've surely seen dozens of times, and many a filmmaker gets a kick out of retelling it: the driver takes the car for a spin or even disappears entirely with the vehicle while the owner is oblivious. Cloud encryption is rather like that.
External key management – higher security
Companies have three ways to implement encryption, which differ in who controls the keys. The movie scene above corresponds to pure ‘cloud-based’ encryption, where the cloud provider generates, manages and stores the keys on its own platform. This works well between spouses (but just not always with strangers 😉) and simplifies management immensely. Alternatively, companies can use ‘bring your own key’: here, the user generates and manages the keys, but the cloud provider is given access to them and can use them. In the third mode, the keys stay with the user and are stored by the user. In this mode, the user retains complete control over the keys – and therefore over the content and databases those keys protect.
EKM as a managed service?
However, complete control of key management means effort, and that effort grows with the breadth of encryption used across AWS services. An alternative to self-management is external key management as a service from a trusted EKM provider. This is the approach behind T-Systems' External Key Management (EKM) for Amazon Web Services. Here, acting as your key manager, T-Systems hosts the keys in hardware security modules (FIPS 140-2 Level 3 validated HSMs) in a highly secure, highly available Telekom data center. The AWS Key Management Service (AWS KMS) is connected to these back-end systems, so our customers can use the keys in much the same way as AWS-managed customer master keys (CMKs): the keys are integrated with all AWS services that support AWS KMS.
More than just compliance
With External Key Management, enterprises significantly increase their level of security – to the point where even tightly regulated industries can process sensitive data on AWS. But EKM does more than satisfy compliance needs by enabling secure and auditable key management processes that meet, for example, PCI-DSS, HIPAA, and EU GDPR (DSGVO) requirements. External key management systems also simplify multi-tenant scenarios, allow the easy use of decentralized storage systems, and support key rotation. This IT security best practice of regularly exchanging keys (required by PCI-DSS, for example) can be automated with external key management solutions.
External key management can play an important role in your AWS security architecture. In particular, managed external key management opens the door to processing sensitive data on AWS. If you’d like our help or an initial chat to explore your options, you are welcome to contact us.