Thales Blog

Multi-Cloud Key Management (New Series)

April 11, 2017


By Adrian Lane (guest author)

This blog first appeared on Securosis.

Running IT systems atop public cloud services is a reality for most companies. Just about every company uses Software-as-a-Service to some degree, with many having already migrated back office systems like email, collaboration, file storage and customer relationship management software. But now we are also witnessing the core of the data center – financial systems, databases, supply chain and enterprise resource planning software – being moved to public Platform and Infrastructure ‘as-a-Service’ (PaaS, IaaS) providers. It’s common for medium and large enterprises to run SaaS, PaaS and IaaS from different providers, in parallel with on-premise systems. Some small firms we speak with no longer have a data center, with all of their applications hosted by third parties.

Cloud services offer an alluring cocktail of benefits; they are cost effective, reliable, agile and secure. While many of these advantages were never in question, security was the last major hurdle for customers. As such, most cloud service providers focused on customer security concerns, and now offer extensive capabilities for data, network and infrastructure security. In fact, most customers can realize security in the cloud as good as or better than what is possible with in-house systems. With the removal of this last impediment, we are witnessing a growing number of firms embrace IaaS for critical applications.

Infrastructure as a Service means handing over the ownership and operational control of your IT infrastructure to a third party. That does not mean that the responsibilities of data security go with it. The provider ensures compute, storage and networking components are secure from other tenants in the cloud, but you must protect your data and how applications are allowed to access that data. Some of you may trust the cloud provider, some may not. Or you may trust one cloud service, but not others. Regardless, to maintain control of your data you must engineer cloud security controls to ensure compliance with internal security requirements as well as regulatory and contractual obligations. In some cases you will leverage security capabilities provided by the cloud vendor, and in other cases you will bring your own and run them atop the cloud.

Encryption is the ‘go-to’ security technology in computing. So it should be no surprise that encryption technologies are omnipresent in cloud computing. The vast majority of cloud service providers enable network encryption by default to protect data in transit and prevent hijacking. And the majority of cloud providers offer encryption for data at rest to protect files and archives from unwanted inspection in the event data is leaked from the cloud service. In many ways encryption is another commodity, and part of the cloud service you pay for. However, encryption is only effective when the encryption keys are properly protected. Just as with on-premise systems, when you move data to cloud services, it is critical to properly manage and secure encryption keys.

Controlling encryption keys – and by proxy your data – when adopting cloud services is one of the more difficult tasks when moving to the cloud. In this research series we discuss the challenges specific to multi-cloud key management. We will help you select the right strategy, given the many possible combinations to choose from. For example, you need to decide who creates keys (you or the provider), where keys are managed (on-prem or in-cloud), how they are stored (hardware, software), policies for how keys are to be maintained, how to scale up in a dynamic environment, and how they integrate with each of the cloud service models (e.g. SaaS, PaaS, IaaS, hybrid) you may select. And you can still choose to select your own encryption library, or call upon the cloud service to encrypt for you. All told, you have a wonderful set of choices to meet any use case, but piecing it all together is a challenge. As such we will discuss each of these options, how customer requirements map to the different deployment options, and what to look for in a key management system.