Key Management when using Cloud Services
Key management is the management of cryptographic keys in a cryptosystem. In order to achieve security in a system, cryptographic algorithms are used to generate keys which are later encrypted and decrypted to provide the requested information in a secure way. Cloud key management regards the service hosted on a cloud and where one can manage the symmetric and asymmetric cryptographic keys as on premise.
Encryption key management is crucial to preventing unauthorized access to sensitive information.
(Encryption) Key management is important when dealing with security and privacy protection of the data contained, in order to prevent data loss/breach/contamination and comply with the relevant regulatory requirements. Key Management Systems, including hardware security modules and other cryptographic tools, are commonly used to meet compliance and data control requirements in addition to providing security benefits. Examples of reference standards that are widely used to guide and constrain KMS designs include NIST (the United States National Institute of Standards and Technologies, which authors the Federal Information Processing Standards, Common Criteria, and PCI DSS (Payment Card Industry Data Security Standard).
What is CSA doing to address the challenges in cloud key management?
Cloud services are becoming ubiquitous in organizations of all sizes and customers are encountering many obligations and opportunities for using key management systems with those cloud services. As an area of emergent technical focus there is little independent analysis and guidance in the public domain for addressing the intersection of key management and cloud services.
The Cloud Key Management Working Group will educate and provide guidance for the use of traditional and cloud key management systems with, and between, cloud services.
The Cloud Key Management working group aims to facilitate the standards for seamless integration between CSPs and key broker services.
Cloud Security Research for Cloud Key Management
CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.
Key Management when using Cloud Services
The purpose of this document is to provide guidance for using Key Management Systems (KMS) with cloud services, whether the key management system is native to a cloud platform, external, self-operated, or yet another cloud service. Recommendations will be given to aid in determining which forms of key management systems are appropriate for different use cases. A cornerstone document for developing CSA EKM guidance is NISTIR 7956 (Cryptographic Key Management Issues & Challenges in Cloud Services. However, NISTIR 7956 does not address the necessity to first understand the business requirements and determine if encryption and KMS are even appropriate technologies.
Press Coverage
Article Title | Source | Date |
---|---|---|
Cloud Security Alliance Releases Key Management In Cloud Services: Understanding Encryption’s Desired Outcomes And Limitations | AIthority | November 10, 2020 |