Many infrastructure-, platform-, and software-as-a-service providers offer data-at-rest encryption capabilities with encryption keys managed by the service provider. Meanwhile, many industry or internal data protection mandates, as well as industry best practices as defined by the Cloud Security Alliance, require that keys be stored and managed remote from the cloud service provider and the associated encryption operations. Providers can fulfil these requirements by offering “Bring Your Own Key” (BYOK) services that give customers control of the keys used to encrypt their data. Customer key control allows for the separation, creation, ownership and control, including revocation, of encryption keys or of the tenant secrets used to create them. Leveraging cloud provider BYOK APIs, Thales Key Management as a Service (KMaaS) reduces key management complexity and operational costs by giving customers lifecycle control of encryption keys with centralised management and visibility. The solution can be deployed almost instantly using KMaaS.
The requirement to protect sensitive data across Infrastructure-, Platform-, and Software-as-a-Service (IaaS, PaaS, and SaaS) offerings has resulted in broader cloud provider encryption offerings.
Meanwhile, the Cloud Security Alliance and industry analysts state that encryption keys should be held by customers. The challenge of holding keys grows as up to hundreds of master keys per subscription must be secured and managed across multiple clouds. There is also the imperative of knowing how, when, and by whom encryption keys are used. Thales Key Management as a Service, using CipherTrust Cloud Key Manager, provides comprehensive key lifecycle management to fulfil requirements for safe, comprehensive key management across multiple clouds. Supported clouds include:
- Microsoft Azure
- Amazon Web Services
- Azure Stack
- Microsoft Office 365