Mythbusting cloud key management services

The National Cyber Security Centre (NCSC) has recently updated its cloud security guidance, which now features a thorough section on configuring and utilizing a Key Management Service (KMS) for secure key management in the cloud. This guidance outlines essential practices such as data encryption at rest and sets expectations for key management services.

During the drafting of this guidance, we encountered several prevalent myths surrounding key management in cloud environments. This article aims to debunk these myths and to elucidate how a KMS can enhance the security of your cloud-stored data.


Myth 1: ‘You can avoid trusting a KMS’

Even if you are not using a KMS directly, it is highly likely that the broader cloud service relies on one. Trusting the cloud service therefore already means trusting its KMS. You should ensure that the KMS satisfies your security requirements before adopting the service; once you are comfortable trusting the cloud service, there is no reason to treat the KMS as a separate, less trustworthy component.


Myth 2: ‘It’s better to generate and use your own keys than to rely on a KMS’

Many Key Management Services offer modes such as Bring Your Own Key (BYOK) or Hold Your Own Key (HYOK), where customers may choose to utilize their own encryption keys instead of those generated by the KMS. Some organizations opt for HYOK or BYOK due to regulatory requirements or personal distrust of the cloud service’s key generation practices.

However, you inherently depend on the KMS for the secure generation and protection of keys that form the foundation of the cloud service. You must trust that the KMS adequately safeguards data encryption keys, regardless of how key encryption keys are handled. Furthermore, generating keys externally and importing them to the KMS creates additional risks for potential loss or theft. Thus, it is advisable to avoid HYOK or BYOK wherever possible.


Myth 3: ‘You should have direct control over every use of the KMS’

This myth touches an essential part of the shared responsibility model: delegating key management to your cloud provider. The next step is to also delegate the integration of the KMS to the provider. Most cloud services that benefit from sound key management, such as blob storage, can integrate with the KMS natively. This option should be used, as it gives consistent key management across services and makes it easier for the provider to detect unusual key activity. In some scenarios, you may even delegate an entire use case to a managed service built on top of the KMS, instead of interacting with the KMS directly.


Myth 4: ‘There are no security advantages to using a KMS’

When deliberating over a cloud KMS, customers often assess the functionalities it offers in comparison to their current key management approach. This focus frequently leads to the neglect of the unique advantages that a KMS provides. One significant security benefit of adopting a cloud KMS is the precise access control it offers. Access to specific keys within a KMS is managed by the cloud service’s access control mechanisms, typically employing role-based access control (RBAC). This determines not only whether you can access a key but also what operations you can perform with it. For instance, a log collector may have permission to encrypt plaintext logs but not to decrypt logs that are already stored.

This level of granularity affords much stronger data protection capabilities. For example, it enables personnel to maintain full administrative rights over databases and storage systems while restricting their access to the keys necessary for decrypting the data contained within those systems. Additionally, as access controls are implemented within the KMS, there is no direct access to the key, mitigating the risk of accidental key loss.
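The per-key, per-operation access control described above, modelled as a small deny-by-default authorizer. This is an added illustration, not NCSC code or any provider's real API; the role names, key id, operation names and principals are all constructed for the example. It also records every decision so denied attempts can be reviewed, matching the detection benefit mentioned under Myth 3.

```python
"""Toy model of RBAC over KMS key operations (constructed example)."""

# Operations a KMS typically exposes on a key. Names are constructed here,
# not taken from any specific provider.
OPERATIONS = {"Encrypt", "Decrypt", "GenerateDataKey", "ManageKey"}

# Role -> key id -> permitted operations. Anything not listed is denied.
ROLE_POLICY = {
    # The log collector may wrap plaintext logs but never unwrap stored ones.
    "log-collector": {"logs-key": {"Encrypt", "GenerateDataKey"}},
    # The DB admin runs the database but holds no key permissions at all.
    "db-admin": {},
    # Only the audit service can read stored logs back.
    "log-auditor": {"logs-key": {"Decrypt"}},
}

# Principal -> roles. Permissions attach to roles, not to individuals.
PRINCIPAL_ROLES = {
    "svc-logcollector": {"log-collector"},
    "alice": {"db-admin"},
    "svc-audit": {"log-auditor"},
}


class KmsAuthorizer:
    def __init__(self, role_policy, principal_roles):
        self.role_policy = role_policy
        self.principal_roles = principal_roles
        self.audit_log = []  # one record per decision; denials are what to alert on

    def authorize(self, principal, key_id, operation):
        if operation not in OPERATIONS:
            raise ValueError(f"unknown KMS operation: {operation}")
        # Allowed only if some role held by the principal grants this
        # operation on this specific key; unknown principals get no roles.
        allowed = any(
            operation in self.role_policy.get(role, {}).get(key_id, set())
            for role in self.principal_roles.get(principal, set())
        )
        self.audit_log.append((principal, key_id, operation, "ALLOW" if allowed else "DENY"))
        return allowed

    def denied_attempts(self):
        return [rec for rec in self.audit_log if rec[3] == "DENY"]


def demo():
    kms = KmsAuthorizer(ROLE_POLICY, PRINCIPAL_ROLES)
    results = {
        "collector_encrypt": kms.authorize("svc-logcollector", "logs-key", "Encrypt"),
        "collector_decrypt": kms.authorize("svc-logcollector", "logs-key", "Decrypt"),
        "dbadmin_decrypt": kms.authorize("alice", "logs-key", "Decrypt"),
        "auditor_decrypt": kms.authorize("svc-audit", "logs-key", "Decrypt"),
        "unknown_principal": kms.authorize("mallory", "logs-key", "Decrypt"),
    }
    return results, kms.denied_attempts()
```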


Making the Most of Cloud Key Management

Even strong data encryption is undermined by poor key management. When you depend on encryption to safeguard your data, it is therefore crucial to have robust key management practices in place. Getting this right is hard, because key management is a multifaceted subject. A cloud KMS is designed to simplify that task while improving the security of the data you store in the cloud.

For the same reasons that you should not design your own encryption algorithm, building your own KMS is also inadvisable. Furthermore, a well-designed cloud service can deliver security benefits that are hard to realize in conventional deployments. It is therefore wise to use the KMS provided by your cloud provider, configure it according to our guidance, and benefit from its additional security features.

Jamie H
Senior Security Researcher

Cloud Security Guidance

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/mythbusting-cloud-key-management-services