Cryptographic operations enable secure communication, access control, authentication, and data encryption at rest. The security of these operations all rely on proper key management. Cloud service providers (CSPs) use key management systems (KMSs) to offer encryption and key management as a service, including functionality such as:
- Management operations on symmetric and asymmetric keys, including:
- creation
- storage
- rotation
- deletion
- Secrets management for:
- application programming interface (API) keys
- data encryption keys
- other service secrets
Some CSPs offer subsets of this key management functionality in multiple service offerings. For the purposes of this cybersecurity information sheet (CSI), the term “cloud KMS” refers to any cloud services that perform any of this functionality.
A cloud KMS integrates with other cloud services to give customers some control over the keys used for cryptographic operations within the cloud tenant. Customers can opt to have CSPs manage some or all features of the KMS. [1] Best practices for a cloud KMS will depend on the boundaries of control over key management desired for each specific use case.
- Granting a CSP control over key management inevitably carries some risk. The acceptability of such risks depends on several factors including:
- the sensitivity level of the data to be protected
- resources available to manage keys on premises
- level of trust established with the CSP
Views: 9
