Cloud Technology

How do I manage encryption keys effectively across a multi-cloud environment?

A Asked by Amanda Lewis · 05-11-2023
0 upvotes 5,730 views 0 comments
The question

We are currently storing sensitive customer PII across both Google Cloud Platform and AWS. I'm struggling with the management of encryption keys. Should we use the native Key Management Services (KMS) provided by each vendor, or is it a better security practice to use a centralized third-party hardware security module (HSM) to maintain full control over our "Bring Your Own Key" (BYOK) strategy?

3 answers

0
ME
Answered on 06-11-2023

Managing keys in a multi-cloud setup is complex. Native KMS like AWS KMS or Google Cloud KMS are incredibly convenient and integrate seamlessly with their respective services, but they can lead to "vendor lock-in." If compliance is your main driver (like HIPAA or GDPR), a centralized HSM or a "Cloud-Agnostic" key manager might be better. This allows you to rotate keys and manage policies from a single pane of glass. However, be aware that BYOK strategies often increase operational overhead and can sometimes limit the native auto-scaling features of certain cloud-native databases. 

0
MA
Answered on 07-11-2023

Native KMS is easy, but if you go with a third-party HSM, what happens during a network outage between your HSM provider and the cloud region where your data is stored? Have you looked into the latency issues that might occur during real-time decryption?

TH 08-11-2023

Latency is a huge concern for high-traffic apps. Most enterprises solve this by using the "Hold Your Own Key" (HYOK) model only for the most sensitive data, while using native KMS with imported key material for standard workloads to maintain performance.

0
BA
Answered on 09-11-2023

For most companies, native KMS with strong IAM policies is sufficient. It is much easier to manage and less prone to human error than a custom HSM setup. 

AM 10-11-2023

I agree. The risk of losing your own keys in a self-managed HSM is often higher than the risk of a cloud provider's KMS being compromised.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session