Thales eSecurity Blog

Data Protection on Demand: The Key to Cloud-Based Key Management

Paul Hampton | Payment Security Expert

Some organizations presume that encryption is a one-and-done affair that can solve all of their security woes. But that’s not the case. Even when organizations effectively implement encryption, they might forget to safely store their encryption keys. This oversight poses a serious threat to organizations’ data security, as digital criminals can compromise those keys and gain access to an organization’s sensitive data.

Fortunately, organizations can minimize these risks by managing their own keys. There are many options for secure key management. That being said, hardware security modules (HSMs) might be their best bet.

HSMs: Understanding Their Use and Benefit

Thales describes a hardware security module as “hardened, tamper-resistant hardware devices that strengthen encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures.” Generally, organizations use these types of devices to accomplish several important business functions, including:

  • Comply with regulatory standards of cybersecurity: Many regulatory cybersecurity bodies require organizations to use and secure these devices to maintain compliance. Take the Payment Card Industry Security Standards Council (PCI SSC), for instance. This body used the work of the National Institute of Standards and Technology (NIST) and others to release version 2.0 of its Payment Card Industry (PCI) PTS HSM Security Requirements in June 2016. Organizations must abide by these guidelines to comply with the Payment Card Industry’s Data Security Standard (PCI DSS).
  • Achieve higher levels of data security and trust: HSMs don’t just fulfill a compliance function. Organizations also commonly deploy HSMs on their own accord to secure their cryptographic keys as well as provision their encryption, authentication and digital signing services. Via these applications, organizations can prevent their keys from falling into the wrong hands and thereby continue to use them for the purpose of securing transactions, identities and applications.
  • Maximize business agility: The ability to safeguard transactions, identities and applications is essential to business agility. Organizations are undergoing a digital transformation in which they’re adding new data and assets to their networks. HSMs are ideal to accommodate these new IT resources because they provide the degree of flexibility needed to safely issue and secure encryption keys as business needs change and organizations grow.

The Challenges of Deploying an HSM in the Cloud

Notice that I said “a degree of flexibility” in the previous paragraph. Indeed, HSMs aren’t perfect. Per Cryptomathic, organizations can run into serious problems if they want to use multiple HSMs for scaling and resilience purposes, as getting the right setup can be difficult and require the use of vendor-specific tools. There’s also the difficulty associated with expanding HSMs’ functionality; even adding a few cryptographic functions could require organizations to seek out a firmware upgrade or new hardware devices entirely.

That being said, perhaps the greatest challenge associated with HSMs is their use in the cloud. O’Reilly notes that organizations that have both infrastructure in the cloud and an on-premise HSM could experience a latency issue when every encryption and decryption request between the HSM and an application must run over the Internet. Some think they can remedy this situation by using additional HSMs, but according to Equinix, the deployment of additional devices across their infrastructure to cover their cloud-based needs doesn’t work out from a “logistical or CapEx perspective.”

The IBX data center & colocation provider goes on to explain that deploying an HSM on a cloud provider’s physical infrastructure doesn’t work out for organizations, either:

Cloud providers serving hundreds or thousands of clients would be unwilling to accommodate placement of HSMs for individual clients throughout their physical infrastructure. It would be akin to going to a fine restaurant and informing the waiter that, although the menu is superb, you prefer to bring your own salad and dessert.
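To make the latency point above concrete, here is an added Python example (not code from this post, from Thales or from Equinix) that simulates the HSM boundary: key material stays inside a `SimulatedHsm` object, applications only ever hold opaque key handles, and every method call on the object counts as one request crossing the network. It then contrasts the naive pattern the post describes, where every encryption request travels to the HSM, with the standard mitigation of wrapping a local data-encryption key under an HSM-held key, so that bulk data operations happen locally and only the key itself makes the round trip. That mitigation, the `SimulatedHsm` class, the `aead_encrypt`/`aead_decrypt` helpers (an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, standing in for the AES-GCM a real module would use) and the sample records are all constructed for this illustration; the post itself does not describe them.

```python
import hashlib
import hmac
import secrets

# --- Authenticated-encryption stand-in (constructed for this example) --------
# HMAC-SHA256 in counter mode provides the keystream and a second HMAC provides
# an encrypt-then-MAC tag. A real HSM would use AES-GCM or similar; this only
# exists so the example runs on the Python standard library alone.

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte master key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- Simulated HSM boundary (hypothetical; not a real vendor API) ------------

class SimulatedHsm:
    """Key material lives only inside this object; callers hold opaque handles.
    Each method call models one request travelling over the network to the HSM."""

    def __init__(self):
        self._keys = {}       # handle -> raw key bytes; there is no export path
        self.round_trips = 0  # number of requests that crossed the boundary

    def generate_key(self, label: str) -> str:
        self.round_trips += 1
        handle = f"{label}-{secrets.token_hex(4)}"
        self._keys[handle] = secrets.token_bytes(32)
        return handle

    def encrypt(self, handle: str, plaintext: bytes) -> bytes:
        self.round_trips += 1
        return aead_encrypt(self._keys[handle], plaintext)

    def decrypt(self, handle: str, blob: bytes) -> bytes:
        self.round_trips += 1
        return aead_decrypt(self._keys[handle], blob)

# --- Two ways for an application to protect many records ---------------------

def encrypt_records_direct(hsm, handle, records):
    """Naive pattern from the post: every record goes to the HSM (N round trips)."""
    return [hsm.encrypt(handle, r) for r in records]

def encrypt_records_envelope(hsm, kek_handle, records):
    """Envelope pattern: a fresh local data-encryption key (DEK) protects the
    records; only the DEK crosses to the HSM to be wrapped under the
    key-encryption key (KEK). One round trip regardless of record count."""
    dek = secrets.token_bytes(32)
    wrapped_dek = hsm.encrypt(kek_handle, dek)
    return wrapped_dek, [aead_encrypt(dek, r) for r in records]

def decrypt_records_envelope(hsm, kek_handle, wrapped_dek, blobs):
    dek = hsm.decrypt(kek_handle, wrapped_dek)  # the single round trip
    return [aead_decrypt(dek, b) for b in blobs]

def demo():
    """Returns (round trips for the direct pattern, round trips for the envelope pattern)."""
    hsm = SimulatedHsm()
    kek = hsm.generate_key("kek")
    records = [f"card-{i}".encode() for i in range(1000)]  # constructed sample data
    before = hsm.round_trips
    encrypt_records_direct(hsm, kek, records)
    direct_calls = hsm.round_trips - before
    before = hsm.round_trips
    wrapped, blobs = encrypt_records_envelope(hsm, kek, records)
    envelope_calls = hsm.round_trips - before
    assert decrypt_records_envelope(hsm, kek, wrapped, blobs) == records
    return direct_calls, envelope_calls

if __name__ == "__main__":
    print(demo())
```

Run as a script and it reports 1000 round trips for the direct pattern against 1 for the envelope pattern on the same 1000 records. The design choice worth noting is that the KEK never leaves the `SimulatedHsm` object in either pattern, so the envelope approach reduces the latency the post describes without weakening the property an HSM is bought for; what it does add is a plaintext DEK in application memory while records are processed, which is the trade-off a practitioner should consciously accept and scope (short-lived DEKs, one per batch or tenant).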

Realizing the Need for Data Protection on Demand

As illustrated above, traditional HSMs aren’t an effective key management solution for organizations with cloud-based assets. But that doesn’t mean key management is impossible in the cloud. It just means that organizations need to look for a platform that specifically provides cloud-based key management services.

That’s where SafeNet Data Protection on Demand comes in. The platform shifts the focus away from hardware by enabling organizations to deploy and manage key management and HSM services from the cloud. It also takes the evolving business into serious consideration. With Data Protection on Demand, organizations can launch the services they want within a matter of minutes—all without any upfront capital investment. The focus here is on business scalability and elasticity. As such, all Data Protection on Demand services easily integrate with existing IT infrastructure, applications and services across multiple cloud environments so that organizations can protect data anywhere and everywhere it’s accessible using a single point of control.

When it comes to deploying HSMs, organizations have a lot to consider, especially as they continue to add new IT resources and operate to a greater degree within cloud environments.

Learn how you can use SafeNet Data Protection on Demand to explore your organization’s key management horizons.