Enterprise-level cloud usage requires strong encryption measures. This is what various regulations like EU-GDPR, EU Standard Contractual Clauses, or Binding Corporate Rules expect from enterprises when they state, “appropriate technical and organizational measures to protect data”. That covers beyond pure encryption – where encryption keys are stored and managed.
AWS offers a huge portfolio of security services on its platform. For encryption, e.g., the Key Management Service (KMS) and Cloud Hardware Security Modules (HSM) are provided as on-platform services. But this convenient approach usually doesn’t meet the requirements of authorities, especially when it comes to workloads for customers in regulated industries or to processing sensitive data. Also, many cloud users want to comply with internal guidelines to protect company-internal data. Management of keys on the cloud provider’s platform isn’t sufficient to achieve the desired level of control of data.
T-Systems and AWS together designed “External Key Management for AWS” (EKM) to solve this challenge and to comply with EU regulations. With the solution, the key management is separated from cloud service usage. AWS customers fulfill regulatory demands, achieve a high-security level, and can exploit the innovation capabilities of AWS cloud. T-Systems provides the solution in a fully scalable manner from a T-Systems data center in Frankfurt. To provide a good user experience, EKM is seamlessly integrated with AWS. Furthermore, it includes end-to-end logging and monitoring of key access for full auditability.
EKM is offered as a module under the roof of Data Protection as a Managed Service (DPaaS). But clients can opt to use it as a stand-alone offering for their AWS usage. T-Systems is an AWS Premier Consulting Partner with an additional AWS-certified Security Services competency and provides long-standing expertise for cloud security.
We take GDPR compliance very seriously at ITONICS, so when we were researching how to comply with the Schrems II ruling, we started looking for ways to encrypt our data with keys managed inside the EU. We were delighted to be invited to Deutsche Telekom’s Key Management Service beta program to test the integration with several AWS services. The results of these tests were positive, and we are now moving to the implementation phase of the project.
