Ever since we introduced our key management system to the cloud, I have been wandering around the web and talking to our accounts, trying to get a better understanding of customers’ encryption needs and, more importantly, of current vendors’ approaches to cloud security, key management and encryption keys in the cloud.
What I’ve quickly realized is that although companies are moving to the cloud for the obvious reasons of elasticity, cost effectiveness and scalability, they have assumed that cloud security technologies, specifically around encryption and cloud key management, stayed behind. As a result, companies in need of a cloud security and key management solution faced the choice of using a complicated, partial, non-scalable solution, or in many cases simply decided to keep sensitive data away from the cloud…
Encryption keys in cloud: alternatives used today
Cloud customers have two major options with regard to cloud encryption and cloud key management today: a) implement the best practices provided by the cloud provider (the whitepaper approach), or b) use a third-party software solution. Both alternatives have pluses and minuses, but most importantly, neither approach provides a viable alternative for encryption key management. Here’s the dilemma: a cloud user would not wish to store encryption keys in the cloud, as they would become vulnerable to the same attacks as the data, but at the same time would want those encryption keys in the cloud, next to the project’s application and database servers where they are needed. Current solutions bypass this dilemma by providing one of two options:
1. Installing a key management server in the customer’s (physical) datacenter (in other words, while you have chosen the cloud for its many advantages, you need to GET BACK INTO YOUR PHYSICAL DATACENTER to keep the encryption keys secured)
2. Using (yet another) SaaS solution to manage your keys away from your cloud provider of choice
In all honesty, those were the only two viable options for as long as key management technologies did not evolve to support the cloud.
Breaking the key management paradigm – The Porticor™ approach
Pretty early in our thinking process, we realized that in order to provide a true cloud-enabled key management system, we would need to break the existing key management paradigm with a new mechanism that lets cloud customers manage their encryption keys fully in the cloud (NO servers installed in a physical datacenter, and NO third-party SaaS key management) while NOT compromising the security and privacy of the encryption keys. To do so we developed a new patented approach, which we often refer to as the “Swiss Banker” approach: Porticor™ breaks each cryptographic key into two parts using sophisticated mathematical algorithms. One part is stored in our virtual key management appliance (a virtual server hosted in AWS) in an encrypted form that prevents Porticor, or anyone else for that matter, from reading the end user’s keys. The second part consists of a Master Key, a strong key available only to the end user, together with the second half of the encryption key. This unique approach enables customers for the first time to deploy security “the cloud way” while keeping their encryption keys in the cloud, yet completely secured.
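The two-part key idea above, as an added illustration that is not Porticor’s patented algorithm (the post does not give its details): a 2-of-2 XOR split in Python, where the data key exists only when the appliance-held share and the customer-held share are combined, and where a share stolen from the appliance is consistent with every possible key. The function names and the HMAC-based key check value are assumptions of this example.

```python
"""Added example: a two-part ("split") data key, in the spirit of the Swiss
Banker idea. Plain 2-of-2 XOR secret sharing, NOT Porticor's own algorithm."""
import hashlib
import hmac
import secrets

KEY_LEN = 32  # a 256-bit data-encryption key


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(data_key: bytes) -> tuple[bytes, bytes, bytes]:
    """Split data_key into an appliance share and a customer share, plus a key
    check value the appliance may keep next to its share. Either share on its
    own is a uniformly random string and says nothing about data_key."""
    if len(data_key) != KEY_LEN:
        raise ValueError(f"data key must be {KEY_LEN} bytes")
    customer_share = secrets.token_bytes(KEY_LEN)    # held only by the customer
    appliance_share = _xor(data_key, customer_share)  # stored by the virtual appliance
    return appliance_share, customer_share, key_check_value(data_key)


def combine_shares(appliance_share: bytes, customer_share: bytes) -> bytes:
    """Recover the data key; only possible when both halves are present."""
    if len(appliance_share) != KEY_LEN or len(customer_share) != KEY_LEN:
        raise ValueError(f"shares must be {KEY_LEN} bytes")
    return _xor(appliance_share, customer_share)


def key_check_value(key: bytes) -> bytes:
    """One-way check value (assumed design): confirms a recombined key without
    storing the key itself; a 256-bit key cannot be recovered from it."""
    return hmac.new(key, b"key-check-value", hashlib.sha256).digest()


def share_consistent_with(appliance_share: bytes, guessed_key: bytes) -> bytes:
    """Given only the appliance share, every candidate key is equally plausible:
    this returns the customer share that would make guessed_key the real one.
    That is why an appliance share on its own is worthless to an attacker."""
    return _xor(appliance_share, guessed_key)


if __name__ == "__main__":
    dek = secrets.token_bytes(KEY_LEN)
    app, cust, kcv = split_key(dek)
    assert combine_shares(app, cust) == dek
    assert hmac.compare_digest(key_check_value(combine_shares(app, cust)), kcv)
    decoy = secrets.token_bytes(KEY_LEN)  # any key the attacker might guess
    assert combine_shares(app, share_consistent_with(app, decoy)) == decoy
    print("data key recovered only when both shares are combined")
```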
Wrap up comments
1. While the scope of the article is not technical, you can read a more in-depth description of our key management solution here, or download the Porticor key encryption whitepaper here.
2. While not part of the article, Porticor™ does provide a full data level encryption solution. Read more about it here.

[...] you’ve done what it takes to keep them safe. But, as I’ve written in my previous blog post (Breaking the cloud encryption and key management paradigm), when it comes to security in the cloud, specifically around cloud encryption and key management [...]