The Cloud Security Alliance published recommendations to organizations using a customer controlled key store (CCKS).

The Cloud Security Alliance (CSA) on Tuesday published recommendations for organizations that opt to use a customer controlled key store (CCKS), a pattern in which the key management system (KMS) runs outside the cloud service provider (CSP) even though the KMS still depends on a cloud service.

“Because a CCKS is still relatively new within cloud computing, there isn’t a deep bench of best practices available,” said Paul Rich, a lead author of the guidelines and co-chair of the CSA's cloud key management working group. “Even so, this pattern is growing in popularity and because of this, we felt it imperative to provide a sound set of guidelines that will help companies taking this path optimize their security and related costs, as well as their operational and business agility.”

Organizations use a key management system (KMS) to manage the lifecycle of the myriad encryption keys present in their environment — issuing new keys, rotating keys on a schedule, invalidating keys, and controlling access to keys, explained Jack Poller, a senior analyst at the Enterprise Strategy Group. Poller said many standards and regulations require key management systems to use specialized hardware known as a hardware security module (HSM) for all cryptographic operations, including key management.

“The shift to the cloud has complicated encryption and key management,” Poller said. “Connecting your cloud infrastructure to your on-premises KMS can introduce latency and availability that hinders the operation of cloud apps. While the cloud service providers have their own KMS and HSM solutions that are optimized for the speed and scale of the cloud, and support bring-your-own-keys (BYOK), hybrid and multi-cloud organizations end up with multiple silos of KMS. Some KMS solutions can integrate with the cloud KMS to enable the organization to have a unified key management environment.”

Poller said organizations often end up in a “chicken-or-egg” scenario, where their cloud is dependent on their KMS, but their KMS resides outside their cloud.

“The just-published CSA guidelines help organizations understand the benefits, challenges, and tradeoffs of the various KMS deployment scenarios,” Poller said. “Because this comes from CSA, the information and guidance are vendor neutral, and can help any organization balance security, costs, ease of deployment, ease of use, performance, and vendor lock-in.”

Mohit Tiwari, co-founder and CEO at Symmetry Systems, said the CSA's recommendations and guidance on using a CCKS are a very welcome document, because key management remains an extremely challenging and high-stakes task at the heart of protecting data in transit and in storage.

In essence, Tiwari said, the recommendations offer guidance on how organizations can maintain their own KMS (their CCKS) to abstract away hard cryptographic protocols and processes and secure their encryption keys. A CCKS, he said, offers an alternative to relying on the KMS provided by the CSP, reducing the provider's access to the keys at the heart of encryption.
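The key lifecycle Poller lists above (issue, rotate, invalidate, control access) and the CCKS pattern Tiwari describes, as an added illustration that is not from the CSA guidelines or any vendor: a toy customer-controlled key store in Python, where key-encryption keys (KEKs) never leave the store and the cloud side holds only wrapped data keys, so disabling the KEK makes the cloud-held data unreadable. The names (`CustomerKeyStore`, `tenant-kek`, `app-service`) and the HMAC-based toy cipher are assumptions for illustration, not a real KMS API or a production cipher.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):  # toy stream cipher for illustration only, not a substitute for AES-GCM
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))[:n]

def _seal(key, msg):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class CustomerKeyStore:
    """KEKs never leave the store; the cloud side only sends data keys (DEKs) to be wrapped or unwrapped."""
    def __init__(self):
        self._keks, self.audit = {}, []  # audit entries: (op, key_id, principal, allowed)
    def create_key(self, key_id, principals):  # issue a KEK and grant use of it to named principals only
        self._keks[key_id] = {"versions": [secrets.token_bytes(32)], "enabled": True, "grants": set(principals)}
    def rotate(self, key_id):  # new version for future wraps; old versions kept so existing data stays readable
        self._keks[key_id]["versions"].append(secrets.token_bytes(32))
    def disable(self, key_id):  # invalidation: every unwrap fails, so data wrapped under this key is unreadable
        self._keks[key_id]["enabled"] = False
    def _authorize(self, key_id, principal, op):
        k = self._keks.get(key_id)
        ok = k is not None and k["enabled"] and principal in k["grants"]
        self.audit.append((op, key_id, principal, ok))
        if not ok:
            raise PermissionError(f"{op} on {key_id} denied for {principal}")
        return k
    def wrap(self, key_id, principal, dek):
        k = self._authorize(key_id, principal, "wrap")
        ver = len(k["versions"]) - 1  # leading version byte tells unwrap which KEK version to use
        return bytes([ver]) + _seal(k["versions"][ver], dek)
    def unwrap(self, key_id, principal, blob):
        return _open(self._authorize(key_id, principal, "unwrap")["versions"][blob[0]], blob[1:])

def cloud_write(kms, key_id, principal, plaintext):  # envelope encryption on the CSP side: DEK per object
    dek = secrets.token_bytes(32)
    return {"wrapped_dek": kms.wrap(key_id, principal, dek), "ciphertext": _seal(dek, plaintext)}

def cloud_read(kms, key_id, principal, obj):  # returns plaintext, or raises PermissionError if the store refuses
    return _open(kms.unwrap(key_id, principal, obj["wrapped_dek"]), obj["ciphertext"])
```

The stored object carries only a wrapped DEK and ciphertext, so a principal without a grant on the KEK (or any caller once the KEK is disabled) gets a refusal from the key store rather than plaintext, and every decision is recorded in `audit`.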

“For a lot of regulated and high-risk organizations, they would prefer to maintain least privilege control of these keys and other secrets solely in their control and reduce a CSP's ability to access encrypted data,” Tiwari said. “However, it’s critical to set appropriate expectations. The computing overhead and cost of encrypting data and using KMS remains too high for most organizations to encrypt all data and in itself is not a panacea for data security. So, while it’s useful to rely on your own key management so you don't have to trust Amazon's encryption and at-rest storage services, most customers will still trust cloud services. Unfortunately as we have seen with many organizations, the challenges in securing data have been more basic failures in understanding of where data is within the environment and configuration of access control to prevent access, as opposed to the choice of who manages the encryption keys.”