Cloud Key Management

For virtually every organisation, the adoption of multiple cloud services continues to expand. A growing number of organisations are aware of the Shared Responsibility Model for cloud security and of the position it takes across all cloud consumption models, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS): the cloud consumer remains responsible for the security of the data it stores and uses in the cloud. In every yearly edition of the Thales Data Threat Report, organisations say that encryption is the right way to protect data in the cloud.

Cloud providers increasingly offer their own encryption services as a convenience to their customers. But the need for customers to control the keys behind those provider-side encryption services is growing as fast as cloud consumption itself. A growing number of cloud providers therefore offer “Bring Your Own Key” (BYOK) services: the customer generates key material outside the provider and imports it, so that key management stays under customer control. How demanding BYOK and cloud key management become depends on the number of clouds involved and the number of keys to be managed or brought to each of them.

Cloud key management can be approached in various ways:

  • Logging into each cloud console and managing the keys the cloud provider created there
  • Generating keys from a source you control and then using the cloud provider's CLI to download its public wrapping key, wrap the key material locally and upload the wrapped key
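The wrap-and-upload step of the second approach, carried through end to end as an added example (this is not code from any cloud provider or from the original page). It uses the Python cryptography package. The provider's wrapping key pair is generated locally here to stand in for the public wrapping key a real service hands out, and all function names are this example's own. The wrapping algorithm, RSA-OAEP with SHA-256, is what AWS KMS calls RSAES_OAEP_SHA_256 in its key import parameters.

```python
"""Added example: BYOK key wrapping as done in the provider-CLI approach.

Not code from any cloud provider. Requires the 'cryptography' package.
The provider side is simulated locally so the whole exchange runs offline.
"""
import hashlib
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSA-OAEP, SHA-256 for both the hash and MGF1. This matches the
# RSAES_OAEP_SHA_256 wrapping option in AWS KMS key import (assumption:
# other providers' RSA-OAEP import schemes differ only in key size).
OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def provider_issue_wrapping_key():
    """Provider side (simulated): create a wrapping key pair and publish the
    public half as DER SubjectPublicKeyInfo, the form a CLI download yields."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_der = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.DER,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_der


def customer_generate_key_material(length=32):
    """Customer side: generate the symmetric key outside the cloud.
    32 bytes = AES-256. os.urandom is a CSPRNG; production BYOK normally
    draws the key from an HSM instead."""
    return os.urandom(length)


def customer_wrap(key_material, public_der):
    """Customer side: wrap the plaintext key with the provider's public key.
    Only the wrapped blob ever leaves the customer environment."""
    if len(key_material) not in (16, 24, 32):
        raise ValueError("key material must be an AES key length")
    wrapping_key = serialization.load_der_public_key(public_der)
    return wrapping_key.encrypt(key_material, OAEP_SHA256)


def provider_unwrap(wrapped, private_key):
    """Provider side (simulated): recover the key material inside the service.
    A wrong private key or a tampered blob raises ValueError."""
    return private_key.decrypt(wrapped, OAEP_SHA256)


def key_fingerprint(key_material):
    """SHA-256 of the key, kept by the customer to confirm later (without
    revealing the key) that the imported material is the one that was sent."""
    return hashlib.sha256(key_material).hexdigest()


def byok_round_trip():
    """Run the full exchange and report what a practitioner would check."""
    private_key, public_der = provider_issue_wrapping_key()
    key_material = customer_generate_key_material()
    wrapped = customer_wrap(key_material, public_der)
    recovered = provider_unwrap(wrapped, private_key)
    return {
        "wrapped_len": len(wrapped),           # 256 bytes for RSA-2048
        "match": recovered == key_material,
        "fingerprint": key_fingerprint(key_material),
        "leaks_plaintext": key_material in wrapped,
    }


if __name__ == "__main__":
    print(byok_round_trip())
```

Two practical caveats follow from this flow. Keep the plaintext key material and its fingerprint in your own key store, since the provider cannot give it back and you will need it to re-import after an expiry or a rotation. And real services pair the wrapping key with a short-lived import token (24 hours in AWS KMS), so download, wrap and upload should be scripted as one step rather than done by hand across several sessions.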

Micro-segmentation

Micro-segmentation divides the network into small zones so that the parts that hold sensitive information, or that could give a malicious actor a foothold, are isolated and secured individually. A zero-trust approach benefits from micro-segmentation because a compromise inside one zone is contained there rather than spreading across the whole network. The firewall or filter that forms the barrier around a zone blocks threats from entering it and also blocks them from leaving, which protects the rest of the network.

Container Security

A full-lifecycle container security solution scans for vulnerabilities across the entire CI/CD pipeline, from build to ship to run. A Jenkins plug-in scans images during the build, images in registries are monitored for newly disclosed vulnerabilities, and automated tests check security compliance. Admission control prevents vulnerable images from being deployed, and production containers continue to be monitored at run time. Image vulnerability analysis is fast and scales to thousands or hundreds of thousands of images.

Full-Lifecycle Security Diagram

  • Scanning and admission control during build, test and deployment
  • Scans containers, hosts, and orchestration platforms during run-time
  • Audits host and container security with Docker Bench and the Kubernetes CIS Benchmark tests

Cloud Security Posture Management (CSPM)

Cloud security posture management (CSPM) is a key component of cloud data security: it continuously scans cloud environments and alerts staff to compliance risks and configuration vulnerabilities in cloud services, most of which stem from human error. In its Innovation Insight for Cloud Security Posture Management report, the analyst firm Gartner defined CSPM as a category of products that automate security and compliance assurance and address the need for proper control over cloud infrastructure configurations. In 2020 Gartner reported strong adoption of CSPM solutions and projected that it would reach 25% within a few years as more organizations recognize them as must-have cloud security tools.

Broadly speaking, CSPM protects you in three ways:

1. Provides visibility into your cloud assets and configurations. Enterprise CSPM discovers misconfigurations, changes in policy or metadata, and more, and lets you manage all of these policies through a centralized console.
2. Manages and remediates misconfigurations. By comparing your cloud configurations against industry standards and other pre-built rules, CSPM reduces the human error that raises your risk of costly breaches.
3. Discovers new potential threats. CSPM monitors your cloud environments in real time for inappropriate access and for anomalies that may indicate malicious activity.
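What the second point looks like in code, as an added example that is not the code of any CSPM product: a small rule engine that compares a constructed, deliberately simplified cloud inventory against benchmark-style rules, plus a comparison of two scans so that new findings stand out from ones already known. The inventory shape, rule names and severities are this example's own assumptions; the controls themselves (no admin ports open to the Internet, no public or unencrypted object storage, no unencrypted volumes) are the kind found in the CIS AWS Foundations Benchmark.

```python
"""Added example: a minimal CSPM-style configuration check.

Not the code of any product. The inventory below is constructed; it resembles,
but is not, the output of a cloud provider's API.
"""
import copy
from dataclasses import dataclass

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}                      # SSH and RDP
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True, order=True)           # hashable, so scans can be diffed as sets
class Finding:
    resource: str
    rule: str
    severity: str
    detail: str


def check_security_groups(groups):
    """Flag ingress rules that expose admin ports, or every port, to the Internet."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if rule["cidr"] not in ANYWHERE:
                continue                      # internal source; not this rule's concern
            lo, hi = rule["from_port"], rule["to_port"]
            wide_open = rule["protocol"] == "all"
            admin_exposed = any(lo <= port <= hi for port in ADMIN_PORTS)
            if wide_open or admin_exposed:
                findings.append(Finding(sg["id"], "sg-admin-port-open-to-world", "high",
                                        f"{rule['cidr']} -> {rule['protocol']} {lo}-{hi}"))
    return findings


def check_buckets(buckets):
    """Public object storage is a breach in waiting; no default encryption is a control gap."""
    findings = []
    for b in buckets:
        if b["acl"] != "private" and not b["public_access_block"]:
            findings.append(Finding(b["name"], "bucket-publicly-readable", "high", f"acl={b['acl']}"))
        if not b["encryption"]:
            findings.append(Finding(b["name"], "bucket-no-default-encryption", "medium", "no SSE set"))
    return findings


def check_volumes(volumes):
    """Block storage should be encrypted at rest."""
    return [Finding(v["id"], "volume-unencrypted", "medium", "encryption disabled")
            for v in volumes if not v["encrypted"]]


def evaluate(inventory):
    """Run every rule; return findings ordered by severity, then resource."""
    findings = (check_security_groups(inventory["security_groups"])
                + check_buckets(inventory["buckets"])
                + check_volumes(inventory["volumes"]))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.resource))


def drift(previous, current):
    """Compare two scans: (new findings since last run, findings that were fixed)."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


# Constructed inventory (assumption: simplified shape, not a real API response).
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"protocol": "all", "from_port": 0, "to_port": 65535, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "app-logs", "acl": "private", "public_access_block": True, "encryption": "AES256"},
        {"name": "marketing-assets", "acl": "public-read", "public_access_block": False, "encryption": None},
    ],
    "volumes": [
        {"id": "vol-1", "encrypted": True},
        {"id": "vol-2", "encrypted": False},
    ],
}


def inventory_before_change():
    """Constructed earlier snapshot: the bastion group only admitted an office range."""
    before = copy.deepcopy(INVENTORY)
    before["security_groups"][1]["ingress"][0]["cidr"] = "203.0.113.0/24"
    return before


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.severity}] {f.resource}: {f.rule} ({f.detail})")
    new, fixed = drift(evaluate(inventory_before_change()), evaluate(INVENTORY))
    print("new since last scan:", [f.resource for f in new])
```

The drift function is the part that turns a scanner into posture management: a nightly full report is noise, whereas "sg-bastion opened port 22 to the world since yesterday" is an alert someone will act on. Real tools key findings on a stable resource identifier for the same reason, so that a renamed security group is not reported as both a new and a resolved finding.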

Cloud Workload Protection (CWP)

In the security world, everyone is familiar with the concepts of cyber threat protection and data protection. Whether these protections are delivered from a cloud security platform or handled by appliances in a data center or regional gateway, they essentially prevent bad things from entering the network and stop sensitive data from leaking out. Workload protection is a different sort of security control, concerned with securing the communications between applications: ERP software in one cloud that talks to a database in another, a line-of-business app that exchanges data with financial software and collaboration tools, a project management application that exchanges data with CAD software, and so on; the possibilities are endless.

Application and Secret Management

A cybersecurity best practice for digital businesses, secrets management allows organizations to consistently enforce security policies for non-human identities. Secrets management provides assurance that resources across tool stacks, platforms and cloud environments can only be accessed by authenticated and authorized entities.

The following steps are typically included in a secrets management initiative. Many of these approaches and techniques are also used to protect privileged access by human users.

  • Authenticate all access requests that use non-human credentials.
  • Enforce the principle of least privilege.
  • Enforce role-based access control (RBAC) and regularly rotate secrets and credentials.
  • Automate management of secrets and apply consistent access policies.
  • Track all access and maintain a comprehensive audit trail.
  • Remove secrets from code, configuration files and other unprotected areas.
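The last step in practice has two halves: finding the secrets that are already in code, and replacing them with a lookup that cannot silently fall back to a hard-coded value. The block below is an added example, not code from the original page or from any secrets management product. The scanner's patterns and entropy thresholds are assumptions borrowed from the conventions common secret scanners use (an AWS access key ID prefix, a private key header, a keyword-plus-quoted-literal assignment, and Shannon entropy of long hex or base64-looking tokens); the sample files are constructed, and the AWS values in them are the placeholder credentials from AWS's own documentation.

```python
"""Added example: find hard-coded secrets, then load them from the environment.

Not code from any product. Patterns and thresholds are assumptions chosen to
match the conventions of common secret scanners; sample files are constructed.
"""
import math
import os
import re

# Rule name -> pattern. The keyword rule needs a quoted literal of 8+ chars on
# the right-hand side, so 'PASSWORD = os.environ[...]' does not trip it.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("keyword-assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*\s*[:=]\s*[\"']([^\"']{8,})[\"']")),
]
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,}\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
HEX_ENTROPY_LIMIT = 3.0      # assumption: thresholds used by common scanners
B64_ENTROPY_LIMIT = 4.5


def shannon_entropy(s):
    """Bits per character. Random hex tops out at 4.0, random base64 at 6.0."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text):
    """Return (line_number, rule_name) for every suspicious line in a file body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
        if any(shannon_entropy(t) > HEX_ENTROPY_LIMIT for t in HEX_TOKEN.findall(line)):
            findings.append((lineno, "high-entropy-hex"))
        if any(not HEX_TOKEN.fullmatch(t) and shannon_entropy(t) > B64_ENTROPY_LIMIT
               for t in B64_TOKEN.findall(line)):
            findings.append((lineno, "high-entropy-base64"))
    return findings


def load_secret(name, env=None):
    """The replacement for a hard-coded value: read it from the process
    environment (populated by a secrets manager or injected at deploy time)
    and fail loudly if it is absent. No default, so a missing secret can
    never be quietly replaced by an empty or placeholder credential."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not set; refusing to start")
    return value


# Constructed sample: a settings file as it should never be committed.
# The AWS values are the placeholder credentials from AWS documentation.
SAMPLE_CONFIG = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "correct-horse-battery"
HMAC_SIGNING_KEY = "9c2f4ab8e7d1305f6a3e8b2c4d7f1a9e0b5c6d3e"
DEPLOY_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----"
LOG_LEVEL = "INFO"
"""

# Constructed sample: the same file after the secrets were moved out of code.
CLEAN_CONFIG = """\
import os
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
DB_PASSWORD = os.environ["DB_PASSWORD"]
LOG_LEVEL = "INFO"
"""

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}")
    print("clean file findings:", scan_text(CLEAN_CONFIG))
```

The HMAC key on line 5 carries no telltale keyword, so only the entropy rule catches it; the secret access key on line 3 is caught twice, once by the keyword and once by its entropy. That overlap is deliberate: keyword rules are cheap and precise, entropy rules are noisy but catch what the keywords miss, and a hit from both is worth triaging first. Wire the scanner in as a pre-commit hook and in CI so that a rejected commit, not a leaked key, is the usual outcome.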