Mythbusting cloud key management services

The NCSC’s updated cloud security guidance adds a section on configuring and using a Key Management Service (KMS) to manage keys securely in the cloud. It sets out how data at rest should be encrypted and what you should expect from a KMS.

While preparing that guidance we came across several common myths about key management in the cloud. This post looks at some of those misconceptions and explains how a KMS can protect the data you store in the cloud.


Myth 1: ‘Trusting a KMS is unnecessary’

Whether or not you use a KMS directly, the cloud services you consume almost certainly rely on one to protect their own data, so if you cannot trust the KMS you cannot trust the service built on top of it. Check that the KMS meets your security requirements before you adopt the service, and once you are satisfied with the service, extend that trust to its KMS rather than treating it as a separate problem.


Myth 2: ‘Creating your own keys is always better than using a KMS’

Many KMSs let you bring your own key (BYOK) or hold your own key (HYOK) instead of relying solely on keys the KMS generates. Some customers choose these options to satisfy regulatory requirements; others simply do not trust the cloud service to generate keys.

In practice, though, what you bring or hold is typically a root or key-encryption key: the KMS still generates the data encryption keys that actually protect your data and wraps them under that key, so you depend on the KMS to manage those keys securely however the top-level key was created. Generating and handling keys outside the KMS also exposes them in more places (your own HSM, the transfer path, backups), which increases the risk of theft or loss, and if a customer-held key is lost, every data key wrapped under it, and the data those keys protect, is lost with it. Avoid HYOK and BYOK unless you have a specific, well-understood need for them.


Myth 3: ‘Direct control over KMS usage is essential’

This is a direct consequence of the shared responsibility model: you delegate key management to your cloud provider. The next step is to let the provider handle KMS integration as well. Most provider services that need key management integrate natively with the KMS, and using that integration rather than calling the KMS yourself simplifies key handling and gives the provider a consistent view of how keys are used, which makes unusual activity easier to detect. In some cases you can hand an entire use case to a managed service that uses the KMS on your behalf, and never interact with the KMS directly at all.


Myth 4: ‘A KMS doesn’t offer security benefits’

When evaluating a cloud KMS, customers usually ask whether it can replicate what their existing key management does, and overlook the advantages it adds. One of the main security benefits of a cloud KMS is fine-grained access control. Your rights over a specific key are governed by the cloud service’s access control policies, usually role-based access control (RBAC), which decide both whether you can use a key and which operations you can perform with it. For instance, a log collector can be granted permission to encrypt logs but not to decrypt logs that have already been stored, so a compromise of the collector does not expose the archive.
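As an added illustration (not part of the NCSC guidance), here is the log-collector case expressed as a key policy in AWS KMS syntax. The account ID 111122223333 and the role names log-collector and log-analyst are placeholders for this example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Log collector may encrypt and mint data keys, never decrypt",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/log-collector" },
      "Action": [ "kms:Encrypt", "kms:GenerateDataKey" ],
      "Resource": "*"
    },
    {
      "Sid": "Log analysts may decrypt stored logs",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/log-analyst" },
      "Action": [ "kms:Decrypt" ],
      "Resource": "*"
    }
  ]
}
```

kms:GenerateDataKey is what a service calls to obtain a fresh data key returned already wrapped under this KMS key, so the collector can protect each new batch of logs but, without kms:Decrypt, cannot unwrap any data key and therefore cannot read anything it or anyone else has written. A complete key policy also needs a key-administrator statement (for the account root or a dedicated administration role), otherwise the key becomes unmanageable; it is left out here to keep the example focused on the usage permissions.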

This precision significantly strengthens your data protection. Staff can administer databases and storage systems without ever being granted access to the encryption keys, which separates the duty of running the system from the ability to read its data and reduces the risk of a key being leaked or lost by accident.
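To show the mechanism behind both Myth 2 and Myth 4, the following Go program models envelope encryption under a tiny KMS. It is an added example written for this page, not code from the NCSC or from any cloud provider: the KMS type, the permission names and the EncryptRecord/DecryptRecord helpers are illustrative inventions, not a real KMS API, and the log line it encrypts is constructed. It shows that a data encryption key (DEK) is always generated and wrapped inside the KMS whether the key-encryption key (KEK) was generated by the KMS or supplied by the customer (the BYOK case), and that a principal granted only GenerateDataKey can write encrypted records but can never read them back:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Per-key operations the model KMS can grant or withhold, per principal.
const (
	PermGenerateDataKey = "GenerateDataKey" // mint a DEK, handed back wrapped under the KEK
	PermDecrypt         = "Decrypt"         // unwrap a DEK
)

var ErrDenied = errors.New("kms: access denied by key policy")

// Helpers: CSPRNG bytes, AES-256-GCM construction, and nonce||ciphertext seal/open.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}
func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("blob too short")
}

// KMS is a small model (not any vendor's API): one KEK plus a per-principal policy.
// The KEK never leaves it; callers only ever see DEKs, and only as the policy allows.
type KMS struct {
	kek    cipher.AEAD
	policy map[string]map[string]bool
}

// NewKMS generates the KEK itself when kek is nil; a 32-byte customer-supplied kek
// models BYOK/HYOK. Either way every DEK is generated and wrapped inside the KMS.
func NewKMS(kek []byte, policy map[string]map[string]bool) (*KMS, error) {
	if kek == nil {
		kek = randBytes(32)
	}
	aead, err := newAEAD(kek)
	if err != nil {
		return nil, err
	}
	return &KMS{kek: aead, policy: policy}, nil
}

// GenerateDataKey returns a fresh DEK in plaintext (use it, then discard it) and
// wrapped under the KEK (store that copy next to the ciphertext).
func (k *KMS) GenerateDataKey(principal string) (plain, wrapped []byte, err error) {
	if !k.policy[principal][PermGenerateDataKey] {
		return nil, nil, ErrDenied
	}
	plain = randBytes(32)
	return plain, seal(k.kek, plain), nil
}

// Decrypt unwraps a DEK, but only for a principal the key policy allows to.
func (k *KMS) Decrypt(principal string, wrapped []byte) ([]byte, error) {
	if !k.policy[principal][PermDecrypt] {
		return nil, ErrDenied
	}
	return open(k.kek, wrapped)
}

// EncryptRecord is the write path (think log collector): mint a DEK, encrypt the
// data under it locally, keep only the wrapped DEK beside the ciphertext.
func EncryptRecord(kms *KMS, principal string, plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek, wrappedDEK, err := kms.GenerateDataKey(principal)
	if err != nil {
		return nil, nil, err
	}
	aead, _ := newAEAD(dek) // a 32-byte DEK cannot fail here
	return wrappedDEK, seal(aead, plaintext), nil
}

// DecryptRecord is the read path: without Decrypt on the key the DEK stays wrapped
// and the data stays unreadable, whoever administers the storage it sits in.
func DecryptRecord(kms *KMS, principal string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := kms.Decrypt(principal, wrappedDEK)
	if err != nil {
		return nil, err
	}
	aead, _ := newAEAD(dek) // the authenticated unwrap guarantees a 32-byte DEK
	return open(aead, ciphertext)
}

func main() {
	policy := map[string]map[string]bool{"log-collector": {PermGenerateDataKey: true}, "analyst": {PermDecrypt: true}}
	kms, _ := NewKMS(nil, policy) // pass randBytes(32) instead of nil to model BYOK
	w, ct, _ := EncryptRecord(kms, "log-collector", []byte("constructed sample log line"))
	_, err := DecryptRecord(kms, "log-collector", w, ct) // denied: the collector writes but cannot read back
	pt, _ := DecryptRecord(kms, "analyst", w, ct)
	fmt.Println("collector:", err, "| analyst:", string(pt))
}
```

Build the KMS with NewKMS(nil, policy) for a provider-generated KEK or NewKMS(customerKey, policy) for BYOK; both paths produce records that only a principal holding Decrypt can open. A record wrapped under one KEK cannot be opened by a KMS holding a different KEK, which is the loss-of-key failure mode Myth 2 warns about, and a principal with no entry in the policy (a database administrator, say) can neither mint nor unwrap data keys.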


Optimizing Cloud Key Management

Encryption is only as strong as the management of its keys. If you rely on encryption to protect data, you must be sure the keys are managed well, and that is harder than it looks: key management is intricate and full of subtle failure modes. A cloud KMS takes much of that complexity off your hands while improving the security of the data you store.

Just as you would not design your own encryption algorithm, you should not build your own KMS. A well-run cloud service can also deliver security properties, such as per-key access control and central usage logging, that are hard to achieve in a traditional setup. So use the KMS your cloud provider offers, follow the guidance on configuring it, and take advantage of the extra security features it gives you.

Cloud Key Management

Jamie H
Senior Security Researcher

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/mythbusting-cloud-key-management-services
