Thales eSecurity Blog

Understanding keys is key to understanding

The newest CipherTrust Cloud Key Manager capability

CipherTrust Cloud Key Manager is a multi-cloud encryption key management solution for customers using Microsoft Azure Key Vault, Amazon Web Services Key Management Service, Microsoft Office 365 or Salesforce Shield Platform Encryption.

Before I talk about the importance of the newest feature of CipherTrust Cloud Key Manager, let’s define some terms so that everyone is thinking about keys and key management in the same way.

What is an encryption key? A key is an object consisting of at least:

  • an identifier (the key ID), which names the key, and
  • the key material: the bits an encryption algorithm uses to encrypt or decrypt data.

Now let’s dig a little deeper. These are my shorthand definitions when I’m talking about key management with customers and prospects:

  • key version: one generation of key material under a given key ID
  • key versioning: the process of creating new key versions
  • key rotation: a term with several industry-accepted definitions, either (a) replacing a key entirely, including its ID and material, (b) a synonym for key versioning, or (c) switching to a new key or key version, possibly together with data rekeying
  • data rekeying: using the key, or key version, that originally encrypted the data to decrypt it, then re-encrypting it with a new key or key version. Versioning alone leaves existing ciphertext dependent on the old material; rekeying removes that dependency, which is what makes it safe to retire the old version.
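The example below is added here to make the four definitions concrete; it is not Thales code and does not describe how CipherTrust Cloud Key Manager or any cloud KMS stores keys internally. It keeps a key ID with several versions of material, records the ID and version in every ciphertext header so that old data can still be decrypted after rotation, and shows the difference between rotating (creating a new version) and rekeying (moving data onto the new version) before an old version is retired. The key ID `customer-db-key` is hypothetical, and the cipher is a stand-in built from the Python standard library (an HMAC-SHA256 keystream plus an encrypt-then-MAC tag) so the example runs anywhere; a real deployment would use AES-GCM from a vetted library, an HSM or a KMS.

```python
# Added example (not Thales code): versioned keys, rotation and rekeying.
# Encryption here is a stand-in: an HMAC-SHA256 keystream (CTR-style) plus an
# encrypt-then-MAC tag, built from the standard library only so it runs
# anywhere. A real deployment would use AES-GCM from a vetted library or an
# HSM/KMS; the key-management logic is what this example is about.
import hashlib
import hmac
import os
import struct


class Key:
    """A key: an ID plus one or more versions of key material."""

    def __init__(self, key_id):
        self.key_id = key_id
        self.versions = {}      # version number -> 32-byte key material
        self.current = 0
        self.new_version()

    def new_version(self):
        """Key versioning: fresh material under the same ID (one meaning of 'rotation')."""
        self.current += 1
        self.versions[self.current] = os.urandom(32)
        return self.current

    def material(self, version):
        if version not in self.versions:
            raise KeyError(f"{self.key_id} v{version} is retired or unknown")
        return self.versions[version]

    def retire(self, version):
        """Drop old material; anything still encrypted under it becomes unreadable."""
        if version == self.current:
            raise ValueError("cannot retire the current version")
        del self.versions[version]


def _derive(material, label):
    # Separate encryption and MAC subkeys from one version's material.
    return hmac.new(material, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt under the key's current version; the header records ID and version."""
    version = key.current
    material = key.material(version)
    enc_key, mac_key = _derive(material, b"enc"), _derive(material, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = f"{key.key_id}:{version}".encode()
    tag = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()
    return {"key_id": key.key_id, "version": version, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt(key, blob):
    """Decrypt using the version named in the header, not the current one."""
    if blob["key_id"] != key.key_id:
        raise ValueError("ciphertext belongs to a different key")
    material = key.material(blob["version"])   # KeyError if that version was retired
    enc_key, mac_key = _derive(material, b"enc"), _derive(material, b"mac")
    header = f"{key.key_id}:{blob['version']}".encode()
    expected = hmac.new(mac_key, header + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):   # verify before decrypting
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


def rekey(key, blob):
    """Data rekeying: decrypt with the original version, re-encrypt under the current one."""
    return encrypt(key, decrypt(key, blob))


if __name__ == "__main__":
    key = Key("customer-db-key")             # hypothetical key ID
    old = encrypt(key, b"row written before rotation")
    key.new_version()                        # rotation: v2 is now current
    new = encrypt(key, b"row written after rotation")
    assert decrypt(key, old) == b"row written before rotation"   # v1 still readable
    old = rekey(key, old)                    # now under v2
    key.retire(1)                            # safe only once nothing remains under v1
    print(old["version"], new["version"], decrypt(key, old))
```

The point to notice is the ordering: rotating the key does not by itself protect data written under v1, and retiring v1 before that data has been rekeyed makes it unreadable (the `KeyError` path in `decrypt`). Definition (a) of rotation, replacing the key entirely, corresponds to creating a second `Key` with a new ID; `decrypt` then refuses ciphertext whose header names the old ID.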

There are two reasons why defining these terms is important. First, guidance issued by the National Institute of Standards and Technology (NIST), notably SP 800-57 Part 1 on key management, provides a wide range of best practices to protect against key compromise, including that each key has a limited cryptoperiod and that keys, or at the very least their key material, must be changed regularly. Second, different products across the data security industry provide different key management functions under similar names. A couple of examples from the Thales eSecurity product line illustrate the definitions above:

Given keys, key versions, key versioning, key rotation and data rekeying, consider that enterprises like yours are deploying multiple cloud environments, each with hundreds of thousands of workloads, and managing thousands of keys. To follow best practices, key storage and management must be kept separate from the systems that perform the encryption and decryption operations, and key material must be changed regularly. Put it all together: a big task!


This brings me back to automated key versioning, the newest feature of CipherTrust Cloud Key Manager. For each federated cloud login, a key rotation schedule is defined, and rotation can then be assigned to any key visible from that login. From then on, CipherTrust Cloud Key Manager does all the work. Across thousands of keys, labor is saved, mistakes are avoided and compliance is easier to demonstrate. Keep the definitions above in mind, though: versioning produces new key material, and whether data already encrypted under an older version is rekeyed is a separate step.

One last thing: remember the minimum two elements of a key I listed above? Let’s add a third: key version.

Cloud adoption gives enterprises like yours the ability to access, use and analyze your most critical data as fast as possible. CipherTrust Cloud Key Manager provides the key management you need to keep that data secure.

To continue the conversation, feel free to tweet me @cyberswimmer or message me on LinkedIn at https://www.linkedin.com/in/cyberswimmer. As always, you’re free to leave a comment below.