
How to choose a cloud key management service

Amazon, Microsoft, Google, Oracle and cloud-agnostic vendors offer cloud key management services. Read up on what each offers and how to choose the right KMS for your company.

Encryption is a functional requirement for a significant number of cloud deployments to keep sensitive data out of the hands of malicious actors. Key management has historically been a cumbersome headache to set up and manage, but this has changed dramatically in the cloud.

Cloud key management involves a service hosted in the cloud where keys are managed and maintained. Known as key management services (KMS), these provide centralized, secure control over the encryption keys that protect sensitive data across cloud environments.

KMS offerings ensure cryptographic keys are generated, stored, rotated and retired according to best practices and regulatory requirements -- all while enabling secure encryption, decryption and access control processes. These services also support critical functions such as auditability, disaster recovery and integration with cloud-native services, ultimately strengthening an organization's overall security posture.

Choosing the best KMS for your organization requires an understanding of each cloud service provider's (CSP) approach, capabilities and interoperability. Many organizations use the KMS features and capabilities within their respective CSP rather than handling keys themselves.

Let's explore some leading KMS CSP options and how to choose the right one for your organization.

CSP key management options in the cloud

Each leading CSP -- AWS, Azure, Google Cloud and Oracle -- has its own KMS available.

AWS Key Management Service

AWS KMS offers seamless integration with AWS services -- including S3, Elastic Block Store, Relational Database Service and Lambda. It has a variety of key management options, including customer-managed keys and AWS-managed keys, as well as external keys via other key stores, such as AWS CloudHSM (hardware security module) or External Key Store.

AWS KMS offers yearly automatic key rotation and granular identity and access management (IAM) policies for key usage, multi-region key replication for high availability and global apps, and FIPS 140-2 validated endpoints for compliance needs.
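As an added illustration of the granular key-usage policies mentioned above (example configuration written for this page, not taken from the original article or from AWS documentation): an AWS KMS key policy that separates key administration from key use and allows the application role to use the key only through S3 in one region. The account ID 111122223333 and the role names KmsKeyAdmin and PayrollAppRole are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccountRootRetainsControlOfKeyPolicy",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "KeyAdminsManageButCannotUseKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KmsKeyAdmin" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
        "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AppRoleUsesKeyOnlyThroughS3InOneRegion",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/PayrollAppRole" },
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

Because the administrator statement grants no kms:Decrypt, an administrator credential by itself cannot read data protected by this key, and the kms:ViaService condition means the application role cannot call Decrypt directly from the KMS API. Every use of the key is logged by CloudTrail with the calling principal, which is what makes the audit trail described later in this article meaningful.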

Azure Key Vault

Azure Key Vault can easily manage both keys and secrets -- such as certificates and passwords -- in one service. It integrates with Azure managed identities for secure, passwordless access and supports bring your own key (BYOK) and hold your own key (HYOK) models. BYOK is for key import directly into the cloud; HYOK is for keys stored elsewhere being used in cloud services through APIs.

Key Vault also offers HSM options with Key Vault Managed HSM, which offers a fully isolated, standards-compliant HSM pool, and HSM-backed keys available with Key Vault Premium. Other capabilities include soft delete and purge protection to guard against accidental or malicious deletion.

Google Cloud Key Management Service

Google Cloud KMS supports symmetric and asymmetric key cryptography, with automatic or scheduled key rotation and fine-grained IAM permissions for key access.

Stronger key management capabilities include integration with Cloud HSM for hardware-backed key storage; Cloud External Key Manager for integration of customer-controlled keys outside of Google infrastructure; and a key ring organization feature to group keys by application, environment or team.

Oracle Cloud Infrastructure Vault

OCI Vault supports both software-protected keys and HSM-protected keys, as well as key versioning and automatic key rotation features. It also offers full integration with Oracle Database, Autonomous Database and Object Storage services.

Vault also supports BYOK from on-premises HSMs and key export capabilities, with highly granular audit logs for all key access and management actions.

Other KMS products

Some CSP-agnostic key management options available include the following:

  • HashiCorp Vault. While not cloud-native, HashiCorp Vault is cloud-agnostic and can run in any environment. This service offers dynamic secrets, such as database credentials issued on demand; an encryption-as-a-service API that lets applications encrypt and decrypt data without ever storing keys; and strong access control policies using access control lists and identity-based access. HashiCorp also has a variety of plugins for different cloud services and applications, making integration somewhat easier.
  • Thales CipherTrust Cloud Key Management. Thales offers a cloud-agnostic service that supports centralized key management across AWS, Azure, Google, Salesforce and other platforms. It supports widespread HSM integration, BYOK and HYOK, key rotation and deletion controls, and in-depth audit trails and compliance reporting.

How to choose a cloud KMS

When selecting a cloud KMS, start by evaluating the organization's specific security, compliance and operational requirements. These requirements can include data residency laws; industry regulations, such as HIPAA, GDPR and PCI DSS; and encryption needs, such as symmetric versus asymmetric.

Assess the service's ability to integrate with existing cloud platforms, applications and DevOps workflows, while considering support for features such as BYOK, external key management, automatic rotation and granular access controls.

Weigh factors such as performance, auditability, service-level agreements, pricing and whether the service offers HSM options for enhanced protection.

Ensure the decision aligns with the organization's broader cloud strategy, favoring services that simplify multi-cloud or hybrid-cloud management if needed. Be sure to involve security, compliance, IT and application teams in the decision.

For any KMS, the most important considerations include the scope and scale of where key management needs to take place, as well as integration options and operating cost. In general, if the organization is only using one major CSP, it's better off going with that CSP's KMS if it meets the organization's cost and compliance requirements. Organizations with multiple clouds, or that have more complex API and integration needs across a hybrid environment, might instead want to look at third-party options.

Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.