So let's talk about key management. We'll start by looking at the primary considerations for key management, then describe the options for handling keys, and then review the provider-managed versus customer-managed keys conundrum.
Strong key management is a critical component of encryption. Think about it: if you lose your encryption keys, you lose the ability to decrypt the data that has been encrypted with those keys. On the other hand, if a bad actor has access to those keys, they can decrypt the data.
The CSA guidance outlines the primary considerations for key management as performance, accessibility, latency and security.
To phrase it otherwise: can you get the right key to the right place at the right time, while also making sure that nobody who should not have access to the key can get access to that key?
Hardware security modules have been around for some time. An HSM is a dedicated, purpose-built device and software that is tuned to manage the secure storage and delivery of keys, often following the FIPS 140-2 security standard.
There are a few different deployment models you can go with. One is the on-premise model.
This is where the HSM itself resides on premise and you have a secure link between you and the cloud provider, and the on-premise device delivers the keys over that link. Keep in mind that keys are usually pretty small in size, so this doesn't need to be a high-bandwidth link. However, you do want to make sure there is very low latency,
so the keys can be provided to your cloud resources in a very timely manner.
At the same time, many cloud providers offer to manage an HSM device for you. You lose physical access and control over it, since it sits in their data center, but they will take care of the hardware for you. Sometimes they will let you use your own provided HSM hardware,
or the provider will offer you a dedicated device that they themselves purchased and put on their network,
but which they will use just to manage your keys and perform your encryption operations. These approaches aren't particularly cheap, so it's very important that you have the capital and a security concern that requires you to go to this extent.
A key management system does not need to be hardware based. You could deploy a virtual appliance or a software-based key manager in a cloud environment to maintain keys within a provider's environment; that reduces the potential latency or disruption if the secure link between your on-premise environment and the cloud provider were to break.
In such a deployment model you still own the encryption keys, and they cannot be used by the provider if legal authorities demand access to your data.
And then we have the cloud provider service model: key management services offered by the cloud provider. Before selecting this option, make sure you understand the security model and the service level agreements to determine whether your key could possibly be exposed. You also need to understand that although this is the most convenient option for key management in a cloud environment,
the provider does have access to the keys,
and they can be forced by legal authorities to hand over the data upon request. At the bottom, I have some icons from the major cloud providers: Azure Key Vault, Amazon KMS (Key Management Service) and Google's Key Management Service. We were talking about physical HSM devices;
these cloud providers let you consume their key management services in a few different forms. Some are
purely software based, whereas certain cloud providers give you the option to have the underlying keys stored and backed by an actual HSM device that they're managing, and in other circumstances they will even give you a dedicated HSM.
And finally, there's a hybrid approach where you could be using a combination, such as an HSM to host the root of trust for all the keys, but then you deliver application-specific keys to a virtual appliance that itself is located in the cloud, and that virtual appliance manages the keys only for a particular context.
HashiCorp Vault is a software application that can be used for key management. The enterprise version of this product allows you to set up your application so that the root encryption key is pulled from a separate HSM on boot-up,
and then that key is subsequently managed in memory.
This is a great example of the hybrid approach. As a side note, Vault can do a lot more than just store keys and other secrets. I have a completely separate Cybrary course where we go deep into the capabilities of HashiCorp Vault.
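To make the hybrid model concrete, here is an added example (not code from the course, from HashiCorp, or from any cloud provider) of the envelope-encryption pattern it describes: a root of trust that never releases its root key and only wraps and unwraps data keys, and an application-side component that generates a fresh data encryption key (DEK) per object, keeps it in memory only as long as needed, and stores the wrapped DEK next to the ciphertext. The `SimulatedHSM` type, the `RootKeyProvider` interface and the `Envelope` layout are assumptions made for this example; a real HSM or KMS would stand behind the same two operations.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// RootKeyProvider models the root of trust (an HSM or a cloud KMS). The root
// key never leaves it; callers can only ask it to wrap or unwrap a data key.
type RootKeyProvider interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// SimulatedHSM is a constructed stand-in for a real HSM: a random 256-bit
// root key held inside an AES-GCM AEAD, exposed only through Wrap/Unwrap.
type SimulatedHSM struct{ root cipher.AEAD }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func NewSimulatedHSM() (*SimulatedHSM, error) {
	rootKey, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(rootKey)
	if err != nil {
		return nil, err
	}
	return &SimulatedHSM{root: aead}, nil
}

// wrapLabel is bound as associated data so a wrapped DEK cannot be passed
// off as some other ciphertext produced under the root key.
var wrapLabel = []byte("dek-wrap-v1")

// Wrap returns nonce || GCM(ciphertext+tag) of the DEK under the root key.
func (h *SimulatedHSM) Wrap(dek []byte) ([]byte, error) {
	nonce, err := randomBytes(h.root.NonceSize())
	if err != nil {
		return nil, err
	}
	return h.root.Seal(nonce, nonce, dek, wrapLabel), nil
}

func (h *SimulatedHSM) Unwrap(wrapped []byte) ([]byte, error) {
	ns := h.root.NonceSize()
	if len(wrapped) < ns {
		return nil, fmt.Errorf("wrapped key too short")
	}
	return h.root.Open(nil, wrapped[:ns], wrapped[ns:], wrapLabel)
}

// Envelope is what gets persisted next to the object: the DEK encrypted under
// the root key, plus the nonce and ciphertext produced with that DEK.
type Envelope struct{ WrappedDEK, Nonce, Ciphertext []byte }

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Encrypt generates a fresh DEK, uses it in memory for one object, asks the
// root of trust to wrap it, then discards the plaintext DEK. aad is context
// (e.g. the object name) bound to the ciphertext but not hidden by it.
func Encrypt(root RootKeyProvider, plaintext, aad []byte) (*Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped, err := root.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// Decrypt is the only path back to the data: without the root of trust the
// wrapped DEK is opaque, so a copied envelope on its own reveals nothing.
func Decrypt(root RootKeyProvider, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := root.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func main() {
	hsm, _ := NewSimulatedHSM()
	env, _ := Encrypt(hsm, []byte("constructed sample record"), []byte("bucket/object-1"))
	pt, err := Decrypt(hsm, env, []byte("bucket/object-1"))
	fmt.Printf("recovered %q (err=%v)\n", pt, err)
	other, _ := NewSimulatedHSM() // a different root of trust cannot unwrap
	_, err = Decrypt(other, env, []byte("bucket/object-1"))
	fmt.Println("different root of trust:", err)
}
```

The design point is that the only secret that has to be protected for the long term is the root key, and it stays inside the HSM; the bulk encryption happens in the application's own memory with per-object DEKs, which is why the secure link to the HSM needs low latency rather than high bandwidth. Swapping in a second `SimulatedHSM` shows that whoever holds the ciphertext and wrapped DEK but not the root of trust gets nothing, which is exactly the property the customer-managed options on this page are buying.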
Some providers build encryption into their platform by default and typically manage the keys for you. This happens when you tick the checkbox to encrypt an S3 bucket in Amazon, or with the encryption you get when using something like Box or Dropbox. Since the provider is holding the keys,
they implement separation of duties in their internal operations and procedures.
This means getting access to the keys would require collusion amongst multiple provider employees. Of course, if a legal authority requires the provider to decrypt the data, they will be obliged to override these separations of duties and perform that activity. Customers should determine whether they can replace default provider keys with their own keys
and use those keys to work with the provider's encryption engine.
Some providers allow you to manage your own keys. The CSA refers to this as customer-managed keys. Bring your own key (BYOK) will work differently on different providers and services, with varying levels of relative security.
The ultimate decision will come down to your risk and threat models. Once you know the risk you are trying to prevent, you can evaluate the technical options in your provider
and platform of choice. Remember, not all data needs the same level of security; you don't always need to default to the most secure option.
Let's summarize the spectrum of key management options we've discussed, starting with the scenario where the customer has the most control. This is the on-premise HSM. From there we have customer-managed virtual appliances, which themselves run in the cloud but are software based.
Then we have provider-managed dedicated HSMs, or even shared HSMs.
From there, you have a provider key management service or server, such as Azure Key Vault or Amazon's Key Management Service. And finally, we have
provider-managed keys, where you as a customer really don't get to see the keys much: the provider creates them, manages them, stores them and deals with retrieving them.
This video was all about key management. We talked about the considerations at a high, simplistic level. We reviewed different options for handling the keys, and then we compared and contrasted the tradeoffs when you have provider-managed keys versus customer-managed keys.