The broad use of multiple cloud services, including software-as-a-service (SaaS) applications and infrastructure-as-a-service (IaaS) platforms, has become the new normal of corporate computing. Users increasingly rely on these cloud-delivered applications and cloud-resident workloads for business-critical purposes, so sensitive data ends up stored across multiple public cloud environments and on-premises, creating both multi-cloud and hybrid cloud deployments.
Compliance and Operational Key Management Challenges for Cloud-resident Data
Today, multiple IT meta trends, including mobility and cloud adoption, are simultaneously and fundamentally changing how corporate data is stored, accessed, and secured, challenging perimeter-centric security models and complicating compliance with industry regulations. At the same time, the threat landscape continues to evolve, with bad actors employing new attack vectors and methods and internal threats exercising new data exfiltration techniques. But one constant remains: security should be applied as close to the data as possible, an especially relevant consideration for data stored by cloud services in physical locations into which the customer lacks visibility and control.
Multi-cloud Adoption Increases Cloud Data Security Concerns
IT is evaluating many new projects through the lens of cloud-first initiatives, which is driving the wide adoption of cloud services. In fact, according to ESG research, 74% of IT professionals surveyed said that their organizations currently use software-as-a-service. While the use of multiple SaaS applications has been commonplace for years, the use of services from multiple infrastructure-as-a-service providers has grown in popularity as well. In fact, 81% of the participants in research conducted by ESG who indicated they are using IaaS services report consuming these services from two or more cloud infrastructure services providers.
This broad consumption of cloud services has created an acute concern around storing sensitive data in one or more public clouds due to its strategic and, thus, intrinsic value to a company. As such, it’s not surprising that previously conducted ESG research revealed that more than half (53%) of respondents surveyed indicated they were very concerned about storing sensitive data in the cloud. And in the context of multi-cloud adoption, the top challenge cited by participants in the same research was maintaining strong and consistent security across disparate cloud computing technologies and services. In response, according to ESG research, cloud security and data security are two of the most commonly selected areas of cybersecurity in which organizations expect to make significant investments.
Many regulations are infrastructure-agnostic in that they require organizations to apply the same processes and controls independent of whether the data in scope is on-premises, in the cloud, or both. For example, PCI DSS requires dual control with respect to the separation of data and keys, as well as separation of duties in the form of role-based access to key management software. PCI DSS, along with GLBA/FFIEC and FISMA, requires the use of NIST-certified AES encryption and FIPS 140-2-compliant key management. Meeting and maintaining compliance with such industry regulations can be complicated by the prevalent use of cloud services. Furthermore, regional laws and regulations that govern data sovereignty and privacy, including the European Union’s General Data Protection Regulation (GDPR), are increasingly relevant to conducting business internationally, typically requiring both access controls and custodianship of data and keys.
Extending BYOK with Flexibility of The CipherTrust Cloud Key Manager for Multi-clouds
The CipherTrust Cloud Key Manager from Thales eSecurity extends native BYOK offerings with full capabilities across multiple cloud services, and is offered both as a service and in customer-managed deployment modes.
Support for Multiple Cloud Services
The CipherTrust Cloud Key Manager allows organizations to bring their own encryption keys and centrally manage the lifecycle of those keys across many of the most broadly used and business-critical cloud services.
- Software-as-a-service (SaaS): The CipherTrust Cloud Key Manager supports Salesforce.com via integration with Salesforce Shield’s BYOK service as well as Microsoft’s Office 365 office productivity suite.
- Infrastructure-as-a-service (IaaS): The CipherTrust Cloud Key Manager supports and extends the BYOK services of both Amazon Web Services (AWS) and Microsoft Azure.
Thales eSecurity offers two deployment models for the separation of the control path and data path. Both offer FIPS 140-compliant key protection.
- CipherTrust Cloud Key Manager is offered as a service in the cloud for both the management and storage of customer-created encryption keys. It has a subscription-based pricing model that aligns with SaaS models, allowing organizations to treat all of the associated costs as operational expenses.
- CipherTrust Cloud Key Manager can also be deployed on-premises or as a private cloud single-tenant solution for both the management plane and encryption key vault. This implementation option can be partially subscription-based, with the customer managing and deploying either or both of the management plane and the key vault in a public cloud; for example, via the use of an Amazon Machine Image (AMI).