For virtually every organisation today, the adoption of multiple cloud services continues to expand. A growing number of organisations are aware of the Shared Responsibility Model for cloud security and its definitive statement that, across all cloud consumption models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)), cloud consumers remain responsible for the security of the data they store and use in the cloud. In every yearly edition of the Thales Data Threat Report, organisations say that encryption is the right way to protect data in the cloud.
Cloud providers increasingly offer their own encryption services as a convenience to their customers. But the imperative for customers to manage the encryption keys behind those provider encryption services is growing as fast as cloud consumption itself. A growing number of cloud providers offer “Bring Your Own Key” (BYOK) services, which enable customer-controlled cloud key management. The challenge of BYOK and cloud key management depends on the number of clouds and the number of keys that must be managed or brought to the cloud.
Cloud key management may be approached in various ways:
- Logging into each cloud console and managing the keys that the cloud provider created
- Finding a key source of your own to generate keys, then using the cloud provider's CLI commands to download its wrapping keys and upload your wrapped keys
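The generate, wrap and upload flow in the second bullet, as an added Go example that is not code from the original page or from any provider's SDK. A local RSA key pair stands in for the provider's wrapping key, RSA-OAEP with SHA-256 is assumed as the wrapping algorithm, and the type and function names are invented for the illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// CloudKMS models the provider side of a BYOK import; its private wrapping key never leaves it.
type CloudKMS struct{ wrappingKey *rsa.PrivateKey }

// DownloadWrappingKey is the "download wrapping key" step: only the public half leaves the provider.
func (c *CloudKMS) DownloadWrappingKey() *rsa.PublicKey { return &c.wrappingKey.PublicKey }

// ImportWrappedKey is the "upload wrapped key" step: the provider unwraps with RSA-OAEP/SHA-256,
// so plaintext key material appears on its side only inside its own key store. A blob that was
// not wrapped to this exact public key (or was altered in transit) fails the OAEP check here.
func (c *CloudKMS) ImportWrappedKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, c.wrappingKey, wrapped, nil)
}

// WrapKeyMaterial is the customer side: wrap locally generated key material with the downloaded
// public key. A real flow first verifies that the public key genuinely came from the provider.
func WrapKeyMaterial(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

// RunBYOK walks the whole flow: the provider creates its wrapping key pair, the customer generates
// a 256-bit AES key (and keeps its own copy, which is what makes the key "brought"), wraps it,
// uploads it, and the function reports whether both sides now hold identical key material.
func RunBYOK() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits keeps the example fast
	if err != nil {
		return false, err
	}
	kms := &CloudKMS{wrappingKey: priv}
	material := make([]byte, 32)
	if _, err := rand.Read(material); err != nil {
		return false, err
	}
	wrapped, err := WrapKeyMaterial(kms.DownloadWrappingKey(), material)
	if err != nil {
		return false, err
	}
	imported, err := kms.ImportWrappedKey(wrapped)
	return err == nil && bytes.Equal(imported, material), err
}
```

Multiply this by every cloud and every key in scope and the second bullet's operational cost becomes clear: each provider publishes its own wrapping key, accepted algorithms and CLI syntax, and the customer-side copy of every key still has to be stored and tracked.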