Thanks to Edward Snowden’s revelations about the NSA, the comprehensive hacking of Sony, and on-going legal battles over whether email stored in the cloud belongs to the people sending it or the service hosting it, more and more cloud services have moved to encrypt data. Some are going even further, offering Bring Your Own Key (BYOK) options, where the user holds the encryption keys for their own cloud data.
Google Compute Engine started offering a preview service for encrypting both data and compute with your own keys this summer, and Amazon offers both soft key management and the much pricier (and slower to set up) Cloud HSM service for EC2 and S3 instances, where your keys live in dedicated Hardware Security Modules in Amazon’s cloud. Adobe Creative Cloud now supports customer-managed data encryption keys to protect content synced to Creative Cloud accounts.
Microsoft’s Key Vault is intended to be a single, audited, versioned, secure vault that integrates with Azure Active Directory for authentication. Key Vault allows you to store passwords, configuration details, API keys, certificates, connection strings, signing keys, SSL keys and encryption keys for Azure Rights Management, SQL Server TDE, Azure Storage, Azure Disk Encryption, for your own .NET applications on Azure, and for encrypting VMs using EMC’s CloudLink Secure VM. Keys in Key Vault can be stored either as soft keys that are encrypted at rest by a system key in an HSM or loaded directly into a Microsoft HSM (in a chosen geographic region) from your own HSM, so you can create keys on premise and transfer them to Key Vault.
Dan Plastina, who runs the Microsoft Information Protection group that includes Key Vault, points out the advantages of managing keys for different systems in the same way. “The beauty here is if you come up with a mechanism that works for Office 365 workloads like Exchange, SharePoint and OneDrive for Business, and that same mechanism also works for line of business apps, for VMs, stuffing secrets into VMs, CRM, SQL Server, HD Insight, you start lighting up your Microsoft workloads with a paradigm that is very similar and training that is very similar.” He says that’s that critical if you’re considering BYOK, because of the dangers of losing your keys.
“You’re looking for something you can wrap your brain around and train your staff to do, because you do not want to lose your key because then you lose your data,” Plastina says. When you use HSM-backed keys, like Cloud HSM or BYOK in Azure Key Vault, the keys are uploaded directly from your HSM to theirs and the cloud service never sees them. That means they can’t hand your keys over – to an attacker or a government investigation. But it also means that they can’t give you back your keys.
Sign up for CIO Asia eNewsletters.