What is Encryption Key Management?
As organizations increasingly migrate applications, workloads, and data to the cloud, establishing how to manage the cryptographic keys that protect these critical resources is an area of much debate. While some organizations are content to allow cloud service providers (CSPs) to generate and manage cryptographic keys for them, others might feel it’s at odds with their security policies. Entrust KeyControl provides Bring Your Own Key (BYOK) functionality for single or multiple cloud platforms, giving you flexibility, scalability, and complete control of your encrypted workloads across leading CSPs.
What is Bring Your Own Key (BYOK)?
While cloud computing offers many advantages, a major concern has been security, because data physically resides with the cloud service provider (CSP) and out of the direct control of the owner of the data. Encryption protects the data in the cloud, and to ensure its confidentiality and integrity, securing the encryption keys is of paramount importance. Bring Your Own Key (BYOK) allows enterprises to generate strong keys in a tamper-resistant hardware security module (HSM) and securely export its keys to the cloud, thereby strengthening its key managment practices and retaining control and management of their encryption keys.
BYOK to Amazon Web Services
Entrust KeyControl provides Bring Your Own Key (BYOK) functionality for single or multiple cloud platforms, giving you flexibility, scalability, and complete control of your encrypted workloads in Amazon Web Services. Watch the video below of our Amazon AWS Key Management Service integration to see the BYOK model in action.
What is Secrets Management?
Secrets management refers to the necessary digital authentication used to secure your credentials, including passwords, APIs, keys, and tokens for your various applications. Securing your application secrets with encryption allows you to safely navigate your privilege access credentials without fear of compromising your security.
What is a Secrets Management System?
To control access to sensitive data, organizations require user credentials, a secret code between the software and user. Deploying a sound secret management system is critical to secure all systems and information. Authorities must be able to create and revoke credentials as customers and employees come and go or simply change roles, and as business processes and policies evolve. Furthermore, the rise of privacy regulations and other security mandates increases the need for organizations to demonstrate the ability to validate the identity of online consumers and internal privileged users.
Challenges Associated with Secrets Management
- Attackers that can gain control of your secrets management system can issue credentials that make them an insider, potentially with privileges to compromise systems undetected.
- Compromised secrets management processes result in the need to reissue credentials, which can be an expensive and time-consuming process.
- Credential validation rates can vary enormously and can easily outpace the performance characteristics of a secrets management system, jeopardizing business continuity.
- Business application owners’ expectations around security and trust models are rising and can expose credential management as a weak link that may jeopardize compliance claims.
Hardware Security Modules (HSMs)
While it’s possible to deploy a secrets management platform in a purely software-based system, this approach is inherently less secure. Token signing and encryption keys handled outside the cryptographic boundary of a certified HSM are significantly more vulnerable to attacks that could compromise the token signing and distribution process. HSMs are the only proven and auditable way to secure valuable cryptographic material and deliver FIPS-approved hardware protection.
HSMs enable your enterprise to:
- Establish a robust root of trust protecting the keys that encrypt your organization's secret credentials
- Secure token signing keys within carefully designed cryptographic boundaries, employing robust access control mechanisms with enforced separation of duties in order to ensure that keys are only used by authorized entities
- Ensure availability by using sophisticated key management, storage, and redundancy features
- Deliver high performance to support increasingly demanding enterprise requirements for access to resources from different devices and locations
What is an Asymmetric Key or Asymmetric Key Cryptography?
Asymmetric cryptography uses a pair of linked keys to secure data. One key, the private key, is kept secret by its owner, and is used for signing and/or decryption. The other, the public key, is published and can be used by anyone to verify messages signed by the private key or to encrypt documents to the owner of the private key.
What is a Symmetric Key?
In cryptography, a symmetric key is one that is used for encryption, decryption, and message authentication. This practice, which is also referred to as "secret key cryptography," means that to decrypt information, one must have the same key that was used to encrypt it. The keys, in practice, represent a shared secret between parties that can be used to maintain a private information link. The keys can be used by two or more parties. They can also be used by just one party (e.g. for the purpose of encrypting backups).
One benefit of symmetric cryptography is that it is notably faster than asymmetric cryptography. A well-known example of a symmetric cryptographic use case is tokenization.
What is key transport?
During key transport (where one party selects the secret keying material), encrypted secret keying material is transported from the sender to the receiver. The key transport schemes use either public key techniques or a combination of public key and symmetric key techniques (hybrid). The party that sends the secret keying material is called the sender, and the other party is called the receiver.
What is key agreement?
During key agreement, the derived secret keying material is the result of contributions made by both parties. Key agreement schemes may use either symmetric key or asymmetric key (public key) techniques. The party that begins a key agreement scheme is called the initiator, and the other party is called the responder.
What is key establishment?
Secret keying material may be electronically established between parties by using a key establishment scheme, that is, by using either a key agreement scheme or a key transport scheme.