In a recent blog I covered the Cloud Security Alliance (CSA) publication Top Threats to Cloud Computing – Pandemic Eleven. The paper discusses cloud security themes and considers a range of cloud-related threats for practitioners and those planning migration to the cloud. I found it to be insightful and informative. Last week another CSA publication was announced: Recommendations for Using a Customer Controlled Key Store.
Figure 1: Front cover illustration, Recommendations for Using a Customer Controlled Key Store, CSA
This paper is one I am very familiar with, having co-authored it as part of the CSA Cloud Key Management working group, which has met regularly online, discussed, debated and subsequently published the recommendations. As suggested by the title, this one focusses on cloud practitioners who have deliberately decided to use an external customer controlled key store or key management service (KMS) rather than one offered natively by the Cloud Service Provider. This is best described by an illustration.
Figure 2: Leveraging the services of a Cloud-Native KMS and importing key(s) from an external source
The paper covers in detail the considerations when Choosing, Planning and Deploying a Customer Controlled Key Store.
I won’t steal the thunder of the paper by reporting the contents in a blow-by-blow manner; I’ll leave it to readers to click on the link above and access the paper directly from the CSA website. However, the subject of a Customer Controlled Key Store does align well with products in the Entrust multi-cloud portfolio. First are the nShield hardware security modules (HSMs), which provide a root of trust, with cryptographic functions performed inside a FIPS 140-2 Level 3 device. This can be an on-prem device or, depending on customer need, an as-a-service model, nShield as a Service. Next is Entrust KeyControl, a virtualized key management server (KMS) or, to use the CSA terminology, a Customer Controlled Key Store. It is a FIPS 140-2 Level 1 software-based key repository which simplifies the management of encrypted workloads by automating the lifecycle of encryption keys, including key storage, backup, distribution, rotation and revocation. When used in conjunction with an nShield HSM you get the added benefit of rich entropy from a hardware-based random number generator. So if you are thinking of adopting a customer controlled key store with your preferred Cloud Service Provider, why not download the paper to get up to speed on the choosing, planning and deploying aspects; and of course Entrust will be happy to guide you in the selection of HSM and key store solutions.
Learn more about Entrust's multi-cloud security solutions.