
Streamline Key Management Across Multiple Cloud Services

Gain operational efficiency, compliance and security by centrally managing multiple cloud provider encryption keys with CipherTrust Cloud Key Manager


CipherTrust Cloud Key Manager

For virtually every organisation today, the adoption of multiple cloud services continues to expand. A growing number of organisations are aware of the Shared Responsibility Model for cloud security, with its definitive statement that across all cloud consumption models, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), cloud consumers are responsible for the security of their data stored and used in the cloud. In every yearly edition of the Thales Data Threat Report, organisations say that encryption is the right way to protect data in the cloud.

Cloud providers increasingly offer their own encryption services as a convenience to their customers. But the imperative for customer management of cloud provider encryption keys is growing as fast as cloud consumption. A growing number of cloud providers offer "Bring Your Own Key" (BYOK) services. BYOK enables customer-controlled cloud key management. The challenge of BYOK and cloud key management depends on the number of clouds and keys to be managed or brought to the cloud.

Cloud key management may be considered in various ways:

  • Logging into each cloud console and managing cloud keys created by the cloud provider
  • Finding a source to generate keys and then using cloud provider CLI commands to download wrapping keys and upload wrapped keys

Across multiple clouds and multiple workloads each requiring their own master key, the above steps can become cumbersome.

CipherTrust Cloud Key Manager from Thales combines support for cloud provider BYOK APIs, cloud key management automation and key usage logging and reporting, to provide cloud consumers with strong controls over encryption key lifecycles for data encrypted by cloud services.


CipherTrust Cloud Key Manager Diagram

CipherTrust Cloud Key Manager supports a growing list of IaaS, PaaS and SaaS providers. SaaS solutions include Microsoft Office365 and Salesforce Sandbox. Supported IaaS/PaaS solutions include Microsoft Azure, Microsoft Azure China National Cloud, Microsoft Azure Stack, IBM Cloud, Google Cloud Platform and Amazon Web Services.


Enjoy Enhanced IT Efficiency

CipherTrust Cloud Key Manager centralises encryption key management from multiple environments, presenting all supported clouds and even multiple cloud accounts in a single browser tab. Advanced cloud key management capabilities include automated key rotation, key expiration handling and cloud key vault synchronisation. These dramatically reduce the time required for cloud key lifecycle management. CipherTrust Cloud Key Manager goes well beyond support for BYOK with full key lifecycle management of native cloud keys as well as keys generated by its key sources.

Gain Strong Key Control and Security

Bring Your Own Key (BYOK) services enable customers to separate key management from provider-controlled encryption, offering a crucial layer of separation of duties and control. CipherTrust Cloud Key Manager delivers key generation, separation of duties, reporting and key lifecycle management that help fulfil internal and industry data protection mandates, with optional FIPS 140-2-certified secure key sources.

Fulfil Best Practices

Separate encryption key control from data encryption and decryption operations for compliance, best security practices and control of your data. Gain operational insights on encryption key usage with dashboards, reports and logs provided by CipherTrust Cloud Key Manager.

Meet Organisational Needs with Flexible Deployment Options

CipherTrust Cloud Key Manager is available in multiple form factors to meet any organisation’s needs. Both CipherTrust Cloud Key Manager and its key sources are available in all-software, cloud-friendly offerings and may be found in several cloud provider marketplaces for fast instantiation. Further, deployment in any cloud is wholly separated from cloud provider access and keys can be managed in the cloud in which the solution is deployed as well as any other reachable, supported cloud. For example:

  • A key source may be on-premises for compliance
  • A CipherTrust Cloud Key Manager instance may be deployed in Amazon Web Services or any other cloud supported for deployment
  • From there it can manage keys in AWS, Salesforce or Azure or other supported clouds

Many similar combinations are possible.

Inherently Automation-Friendly

In addition to its internal automation features, which themselves provide crucial IT efficiency gains, operations for both CipherTrust Cloud Key Manager and its key sources may be fully implemented through RESTful APIs.

Key Lifecycle Automation

With the click of a button or an API request, keys are marked for automated key rotation. From then on, CipherTrust Cloud Key Manager performs key rotation automatically with comprehensive logging for IT efficiency and enhanced data security. Key rotation may be specified for keys without expiration dates, or specifically for keys to be rotated prior to their expiration dates. Multiple schedules per cloud are available.

Strong Encryption Key Security

CipherTrust Cloud Key Manager leverages the security of CipherTrust Manager, Thales Luna Network HSM or the Vormetric Data Security Manager to create keys. Secure storage is provided for clouds that deliver backup keys, which can mitigate accidental key deletion in cloud consoles. You have full control of key metadata during upload and for keys in use.

True Multi-Cloud Support

With support for Amazon Web Services and AWS GovCloud, Microsoft Azure, Azure Stack, Azure GovCloud, the Azure China and Germany sovereign clouds, IBM Cloud, Google Cloud Platform, plus Salesforce Sandbox as well as Salesforce GovCloud Plus, CipherTrust Cloud Key Manager keeps you in control of encrypted data across multiple clouds from a single pane of glass, including across multiple accounts. For example, CipherTrust Cloud Key Manager retrieves from the cloud provider the supported key types and then prevents upload of an incorrect key type. The solution is engineered to work with each cloud’s multi-account key management suites, including AWS inter-account key sharing and Azure “B2B” support.

Comprehensive Key Management

Deploy CipherTrust Cloud Key Manager with any number of keys already created at the cloud provider. Create cloud-native keys in the cloud console as needed. CipherTrust Cloud Key Manager will automatically synchronise its key database with the provider’s, at intervals that you can define. Key attributes such as expiration rules and usage options are all maintained. You can request creation of cloud-native keys, as well as upload BYOK keys, from the CipherTrust Cloud Key Manager console. If cloud provider rotation rules for native keys are insufficient, you can rotate keys under the control of CipherTrust Cloud Key Manager.

CipherTrust Cloud Key Manager goes well beyond Cloud Bring Your Own Key: it is a comprehensive cloud key lifecycle manager.

The Compliance Tools You Need

CipherTrust Cloud Key Manager has the full range of logs and reports you need for fast compliance reporting, including per-cloud operational logs and a range of pre-packaged key activity reports.

Support for Emerging Technologies

With support for cached keys, CipherTrust Cloud Key Manager adds Hold Your Own Key technology to BYOK. As a component of its RESTful APIs for the next level of automation, the product includes support for Azure Service Principal and AWS Assumed Role authentication mechanisms.
