Want to keep your data safe in the cloud? You'll need to manage your own encryption keys. Luckily, any decent cloud provider will give you the tools to do just that. It's a critical part of the shared responsibility model that keeps everyone's data secure.
Where did this come from?
This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. The CCM provides a cybersecurity control framework for cloud computing. It was created by the Cloud Security Alliance to help organizations assess the security risk of cloud providers and guide the implementation of security best practices.
For more background, check out the Cryptography, Encryption & Key Management whitepaper from AWS which dives deep into the concepts behind this control.
Who should care?
This one is critical for:
- Security engineers responsible for ensuring data confidentiality
- Compliance officers who need to meet regulatory requirements around encryption
- Developers building applications that store sensitive data in the cloud
What is the risk?
The biggest risk is unauthorized access to sensitive data. If an attacker is able to access the encryption keys, they can decrypt and steal the data those keys protect. This could lead to:
- Disclosure of confidential intellectual property
- Exposure of regulated PII/PHI data resulting in hefty fines
- Reputational damage from a high-profile data breach
Managing your own keys ensures that access to encrypted data is tightly controlled. Even a compromised cloud provider account would not allow decryption without the keys.
What's the care factor?
For most organizations, this should be a high priority control to implement. The consequences of not doing it are just too severe to ignore. Especially for public-facing applications or those storing high-value data, robust key management is a must-have, not a nice-to-have.
Small businesses with a limited attack surface and minimal sensitive data may be able to accept the risk. But for enterprises and regulated industries, it's not optional.
When is it relevant?
You need to think about CSC key management anytime you are:
- Storing sensitive, regulated, or high-business-impact data in the cloud
- Building applications that provide strong guarantees around data protection and privacy
- Leveraging cloud services that offer built-in encryption capabilities
Some exceptions might be:
- Storing only low-sensitivity public data
- Using SaaS applications that don't allow control over encryption
- Keeping all sensitive data on-premises and using cloud only for ephemeral compute
What are the trade offs?
Encrypting everything and tightly controlling keys requires extra effort and expertise. Some potential downsides are:
- Added complexity to the application architecture and deployment process
- Increased overhead for encryption/decryption operations which could impact performance
- Challenges with indexing and searching encrypted data
- Risk of losing keys which could render data unrecoverable
You'll need to ensure you have the right tools and talent to do key management at scale. In most cases, the long-term risk reduction is worth the upfront investment.
How to make it happen?
The exact implementation will depend on your cloud provider and use case, but at a high level you should:
- Define the CSC key management policy, including key rotation schedules and cryptographic standards
- Determine the types of keys you need (data encryption keys, master keys, hardware security modules)
- Select the appropriate key management tools from your cloud provider (e.g. AWS KMS, Azure Key Vault, GCP Cloud KMS)
- Generate and securely store master keys either in a hardware security module (HSM) or key management system (KMS)
- Use the master keys to encrypt the data encryption keys used for bulk encryption of data
- Store encrypted data keys alongside the encrypted data for easy access
- Implement mechanisms to rotate keys on a defined schedule or in response to potential compromises
- Put tight access controls in place so only authorized users and applications can access the keys
- Log all key usage for auditing and anomaly detection purposes
- Test your encryption and key management setup to ensure it's working as expected
What are some gotchas?
One common issue is not having the right IAM permissions configured for your key management and encryption/decryption operations. For example, in AWS you might need:
kms:Encrypt- Gives permission to encrypt data keyskms:Decrypt- Allows decryption of data keyskms:ReEncrypt- Enables key rotationkms:DescribeKey- Allows viewing key metadatakms:CreateGrant- Enables programmatic key access
Be sure to follow the principle of least privilege and only assign the minimum permissions necessary.
You also need to be extremely careful about how you manage and rotate keys. Losing a master key can be catastrophic, so ensure you have a robust backup and recovery process in place.
What are the alternatives?
If you don't want to take on the complexity of managing your own keys, you have a couple options:
- Use provider-managed keys - AWS, Azure, and GCP all offer services that handle key management for you. The downside is you have less control and need to trust the provider.
- Tokenization - Instead of encrypting the data, you replace sensitive values with a meaningless placeholder token. The actual data is stored in a secure database. This can be easier to manage, but may not meet strict compliance requirements.
- On-premises HSMs - You can store keys in on-prem hardware security modules and access them remotely from cloud applications. This gives you full control, but adds latency and requires dedicated hardware.
Explore further
- CIS Controls v7.1 - For a more prescriptive take on key management, see Control 14.8
- NIST 800-57 - Deep dive into key management best practices from the National Institute of Standards and Technology
- AWS Customer managed CMK - How customers can manage their own keys in AWS KMS
- Azure Key Vault - Microsoft's solution for securely storing and accessing encryption keys
- GCP Cloud KMS - Google's key management service for generating and managing encryption keys
