
Understanding the Role of Hardware Security Modules in the Hybrid Cloud

More businesses have come to rely on public cloud environments, which have been proven to provide more security than typical on-premises data centers. However, while these cloud solutions are considered secure, it is essential that businesses keep control of their own critical cryptographic keys so that data moving between their data centers and the cloud remains secure at all times. Data is kept safe, and its privacy guaranteed, only when it is continuously encrypted, and that requires the level of key protection that only hardware security modules can provide.

Maintaining Cryptographic Key Ownership through BYOK

Best practices call for businesses to maintain control over their cryptographic keys. This assures sound governance, compliance and internal controls. Businesses taking advantage of what the cloud offers must be mindful that the theft, loss or misuse of even a single critical key could significantly harm their organization through:

  • Loss of control over data and vendor lock-in
  • Loss of revenue
  • Disruption of business operational processes
  • Serious damage to their reputation
  • Falling share prices
  • Legal consequences

“Bring Your Own Key” (BYOK) allows businesses to maintain cryptographic key control and take full advantage of what a hybrid cloud environment offers. When applications run, encryption keeps data protected at all times, whether it is:

  • At rest in a database
  • In transit between user devices and data centers
  • At public endpoints through TLS

BYOK ensures that third parties, including cloud service providers, cannot gain access to the business’s critical keys in an unencrypted form. This provides further protection against insider attacks or other unauthorized access to data. It also prevents businesses from falling victim to cloud vendor lock-in: without BYOK, a business can find moving its data to a different cloud or subscription service costly and time-consuming.

Keeping Keys Secure in a Hybrid Cloud Environment with an HSM

Properly managing the lifecycle of the many cryptographic keys a business may use is essential to maintaining the security of applications and data in a hybrid environment. Encryption is only effective when these keys are protected, which is why a hardware security module (HSM), together with a centralized key management system to manage key lifecycles, is a must.

An HSM protects critical cryptographic keys in a dedicated hardware-based appliance that provides a root of trust over the business’s keys, data, and applications because it:

  • Protects cryptographic material and keeps it hidden at all times
  • Keeps decryption keys separate from encrypted data, providing an extra layer of security in the event of a data breach and preventing exposure of the encrypted data
  • Strengthens encryption practices through the entire key lifecycle from generation to storage, distribution, back-up, and ultimately, destruction
  • Limits access through a strictly controlled network interface
  • Is built with secure hardware that is resistant to hacking attempts
  • Runs on a secure operating system
  • Simplifies compliance and auditability through certified hardware and easier audit reporting
  • Allows for scalability and multi-tenancy of the security architecture

A hybrid cloud calls for a network of HSMs arranged as follows:

1. The master HSM sits in the organization’s central data center, allowing for centralized key lifecycle management. The local data center can then be managed directly by this central HSM.

2. Data centers in decentralized locations or in the cloud need a local or cloud-based HSM.

These subordinate HSMs receive application keys in encrypted form, wrapped under a so-called Key Encryption Key (KEK). The keys are held in the local or cloud HSMs and are never accessible to third parties or cloud service providers. Data is encrypted at rest and in transit and used securely in applications, protected by public-key or symmetric-key infrastructures. The owner of the central HSM stays in control and can conduct central audits, while third parties see the data only in its encrypted state.
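As an added illustration of this key hierarchy (example code written for this page, not Utimaco's software or any HSM vendor's API), the Go program below models the master HSM wrapping an application key under a KEK with AES-256-GCM, the subordinate HSM unwrapping it to encrypt a record, and a party without the KEK being rejected. The key label used as associated data, the key names and the sample record are constructed for the example; a real HSM keeps the KEK inside its hardware boundary and shares it with subordinate HSMs over a vendor-specific secure channel.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm returns AES-256-GCM for a 32-byte key; any other length is a programming error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return aead
}
// Seal encrypts plaintext under key with a fresh random nonce (prepended to the output);
// aad, used below as the key label, is authenticated but not encrypted.
func Seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, aad)
}
// Open reverses Seal and fails if the key, nonce, tag or aad do not match.
func Open(key, sealed, aad []byte) ([]byte, error) {
	if g := gcm(key); len(sealed) >= g.NonceSize() {
		return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

func main() {
	// Master HSM: generates KEK and application key; the app key leaves it only wrapped and labelled.
	kek, appKey := make([]byte, 32), make([]byte, 32)
	rand.Read(kek)
	rand.Read(appKey)
	wrapped := Seal(kek, appKey, []byte("payroll-db"))
	// Subordinate (cloud) HSM: holds the same KEK, unwraps, encrypts data; storage holds only wrapped and ct.
	dek, _ := Open(kek, wrapped, []byte("payroll-db"))
	ct := Seal(dek, []byte("constructed salary record"), nil)
	pt, _ := Open(dek, ct, nil)
	// A party without the KEK (e.g. the cloud provider) cannot recover the application key.
	_, err := Open(make([]byte, 32), wrapped, []byte("payroll-db"))
	fmt.Printf("%s | wrong KEK rejected: %v\n", pt, err != nil)
}
```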
