Cloud Security Alliance Offers Recommendations for Using Customer Controlled Key Store

Document offers guidance for implementing a key management system (KMS) that is a dependency of a cloud service without being hosted by the service

SEATTLE – Sept. 27, 2022 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today released Recommendations for Using a Customer Controlled Key Store. Written by CSA’s Cloud Key Management Working Group, the paper offers guidance to organizations that opt to use a customer controlled key store (CCKS), whereby the key management system (KMS) is external to a cloud service provider (CSP) despite the KMS being a dependency of a cloud service.

“Because CCKS is still relatively new within cloud computing, there isn’t a deep bench of best practices available. Even so, this pattern is growing in popularity and because of this, we felt it imperative to provide a sound set of guidelines that will help companies taking this path optimize their security and related costs, as well as their operational and business agility,” said Paul Rich, a lead author and co-chair of the Cloud Key Management Working Group.

Because CCKS deals with the integration of a chosen KMS and at least one public cloud service, the document provides recommendations for choosing, planning, and deploying a KMS within the context of an integration pattern. It offers guidance pertaining to the technical, operational, legal, regulatory, and financial issues that an enterprise must consider when opting for a CCKS.

Using a CCKS presents numerous challenges, not the least of which is establishing a rationale for selecting a more complex and costly pattern. Despite the potential hurdles, there are several reasons a company might opt to use a CCKS, including:

• Control of some of all facets of key management
• Elimination of a cloud service provider’s ability to process customer data in plaintext
• A desire to simplify operational complexity, security, and cost by reducing the number of KMS instances
• Regulatory or contractual obligations surrounding KMS, standards, or operations
• Vendor lock-in

“With this document, we hope to guide the program or project manager as they lead their company through the CCKS lifecycle, providing them with the critical information they need to successfully map the pattern to their organization,” said Michael Born, one of the paper’s lead authors.

The Cloud Key Management Working Group aims to facilitate the standards for seamless integration between cloud service providers and key broker services. Individuals interested in becoming involved in Cloud Key Management future research and initiatives are invited to join the working group.

Download the full document. Those interested in gaining a deeper understanding of Cloud Key Management Service patterns, as well as guidance for its use are encouraged to read Key Management in Cloud Services: Understanding Encryption’s Desired Outcomes and Limitations.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.