Thales both giveth and taketh Bring Your Own Keys (BYOK)
There is no longer denying that encryption is a hot topic. Encryption is everywhere. We hear about it when the FBI can’t hack an iPhone, when countries want back doors to compromise it, and, now, every major cloud provider offers at least baseline encryption as part of their service.
These newcomers to the land of enterprise encryption quickly learn from their prospects that offering encryption alone doesn't earn them the trust to house enterprise data: enterprise customers, and anyone else who follows security best practices, demand control over their own keys. This market demand for more control over cloud-migrated data spawned Bring Your Own Key (BYOK) APIs. Although every cloud provider seems to have a different service name, API, and process for importing keys or key material, the big guys all offer a solution. A few hyperscale cloud provider examples include the following:
- Bring Your Own Keys with AWS Key Management Service
- Azure Information Protection tenant key with Azure Key Vault
- Customer-Supplied Encryption Keys (CSEK) for Google Cloud Storage and Google Compute Engine
- Salesforce Shield Platform Encryption Bring Your Own Key (BYOK)
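Whatever the service is called, the import step these offerings share looks the same: the provider hands out a public wrapping key whose private half stays in its HSM, the customer wraps the key material to that public key, and the provider unwraps inside the HSM. The following Go program is an added example written for this post, not Thales or any cloud provider's code. It is modelled on the flow AWS KMS documents for imported key material (a public wrapping key fetched from the service, RSAES-OAEP with SHA-256 as the wrapping algorithm, then an import call), but the `KMS` type, its methods and the key ID are assumptions for illustration, the import token and any real API calls are left out, and the "HSM" is just a struct field.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// customerKeyLen is what a BYOK import usually carries: one AES-256 key.
const customerKeyLen = 32

// KMS stands in for the provider's key service. In a real service the RSA
// private key lives inside an HSM and only the public half is handed to the
// customer. The names here are assumptions for this example, not a cloud API.
type KMS struct {
	wrapping *rsa.PrivateKey
	keys     map[string][]byte // key ID -> unwrapped material, inside the HSM boundary
}

// NewKMS provisions the provider-side wrapping key pair.
func NewKMS() (*KMS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KMS{wrapping: priv, keys: map[string][]byte{}}, nil
}

// PublicWrappingKey is the only part of the wrapping pair that leaves the provider.
func (k *KMS) PublicWrappingKey() *rsa.PublicKey { return &k.wrapping.PublicKey }

// ImportKeyMaterial unwraps with RSAES-OAEP (SHA-256) and refuses anything that
// does not decrypt to exactly one AES-256 key. A tampered blob fails the OAEP
// integrity check and is never stored.
func (k *KMS) ImportKeyMaterial(keyID string, wrapped []byte) error {
	material, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.wrapping, wrapped, nil)
	if err != nil {
		return fmt.Errorf("import %s: unwrap failed: %w", keyID, err)
	}
	if len(material) != customerKeyLen {
		return fmt.Errorf("import %s: want %d bytes of key material, got %d", keyID, customerKeyLen, len(material))
	}
	k.keys[keyID] = material
	return nil
}

// GenerateKeyMaterial is the customer side: the key is created where the
// customer controls it, never by the provider.
func GenerateKeyMaterial() ([]byte, error) {
	key := make([]byte, customerKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapForImport encrypts the material to the provider's public wrapping key so
// that only the HSM holding the private half can recover it.
func WrapForImport(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

// ImportResult lets a caller check the exchange end to end.
type ImportResult struct {
	Material []byte // customer's plaintext key, never sent
	Wrapped  []byte // what crosses the wire
	Imported []byte // what the modelled HSM ended up holding
}

// RunImport performs the full BYOK exchange for one key ID.
func RunImport(keyID string) (*ImportResult, error) {
	kms, err := NewKMS()
	if err != nil {
		return nil, err
	}
	material, err := GenerateKeyMaterial()
	if err != nil {
		return nil, err
	}
	wrapped, err := WrapForImport(kms.PublicWrappingKey(), material)
	if err != nil {
		return nil, err
	}
	if err := kms.ImportKeyMaterial(keyID, wrapped); err != nil {
		return nil, err
	}
	return &ImportResult{Material: material, Wrapped: wrapped, Imported: kms.keys[keyID]}, nil
}

// TamperedImportRejected flips one byte of a wrapped blob in transit and
// reports whether the KMS refused it.
func TamperedImportRejected() (bool, error) {
	res, err := RunImport("probe")
	if err != nil {
		return false, err
	}
	kms, err := NewKMS()
	if err != nil {
		return false, err
	}
	wrapped, err := WrapForImport(kms.PublicWrappingKey(), res.Material)
	if err != nil {
		return false, err
	}
	wrapped[len(wrapped)/2] ^= 0x01
	return kms.ImportKeyMaterial("tampered", wrapped) != nil, nil
}

func main() {
	res, err := RunImport("customer-key-1")
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped blob %d bytes; plaintext visible in blob: %v; HSM holds customer key: %v\n",
		len(res.Wrapped), bytes.Contains(res.Wrapped, res.Material), bytes.Equal(res.Imported, res.Material))
	rejected, _ := TamperedImportRejected()
	fmt.Println("tampered blob rejected:", rejected)
}
```

Two properties are worth checking when evaluating any provider's BYOK import: the plaintext key never appears on the wire (only the 256-byte OAEP blob does), and a blob altered in transit is rejected rather than imported as garbage. The wrapping algorithm matters too: OAEP with SHA-256 gives that integrity check; the older PKCS#1 v1.5 padding does not.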
Thales giveth keys
The CipherTrust Cloud Key Manager (formerly Vormetric Key Manager as a Service) continues to simplify the BYOK life cycle. It isn't unusual to manage hundreds of keys or more across all the different services and workloads that your business lines have in use. CipherTrust Cloud Key Manager streamlines managing these keys by discovering your existing keys, creating and storing new keys in FIPS 140-2 validated hardware, centralizing reporting, and managing key life cycles across your multi-cloud environment with the push of a button.
Thales is continuously adding new capabilities to this service; our "as a Service" customers get them immediately and our private deployment customers can upgrade to them at any time. These new capabilities include support for the Azure Germany and Azure China national clouds. Our Azure Key Vault Premium customers can now simply check a box for selected keys to be hardware (HSM) protected and, most importantly, to automate key rotation.
This new feature allows administrators to create a policy for key rotation frequency and apply it to the keys requiring scheduled rotation with a few clicks. Now, instead of spending time tracking and rotating keys, admins can get to more strategic work.
Thales taketh keys
A BYOK API capability shouldn't be the province of only the largest cloud providers. IaaS, PaaS and SaaS providers alike partner with Thales for their data security infrastructure and service offerings; a sample list of those providers is on our Cloud Service Provider (CSP) Partner page. CSP partners can now leverage a new BYOK RESTful API in the Vormetric Data Security Platform to deliver file-level encryption, application-layer encryption and TDE (transparent data encryption) key management with customer-supplied keys to their end customers. Thales is helping to create a level playing field for all CSPs who want to introduce BYOK support as part of their service.
Key management is the last bastion of control in the cloud
Encryption key management needs to be taken seriously and done well. That doesn't mean key management has to be complex. Thales is dedicated to simplifying key management whether it is for storage, databases, big data or the cloud, and we are continuously innovating to make it easier for you to secure your business.
If you want to read more about Cloud Key Management and other security best practices when migrating your workloads to a cloud service, I recommend reading this white paper, Best Practices for Secure Cloud Migration. This paper is a practical strategy guide based on the Security Guidance for Critical Areas of Focus in Cloud Computing from the Cloud Security Alliance.