I know that I have a really hard time managing all of the keys that I use to log in to this service or that service. Google and Amazon are offering key management services as a part of their cloud, but not all of them give third-party service providers access to all of their keys.
Having the ability to bring your own keys to the cloud is a very important cloud security feature that businesses need. I am in love with Amazon Web Services, which added this capability to its Key Management Service (KMS).
Jeff Barr, AWS Chief Evangelist, wrote in a blog post:
"Customers tell us that local control over the generation and storage of keys would help them meet their security and compliance requirements in order to run their most sensitive workloads in the cloud. In order to support this important use case, I am happy to announce that you can now bring your own keys to KMS."
I see more and more companies moving sensitive applications to different public cloud environments. Key management is a vital priority for these companies. Services such as KMS give organizations the ability to manage the lifecycle of their keys, including creating, rotating, and revoking them, via a centralized application.
A lot of organizations require control over their cryptographic keys, which rules out managed services that handle the keys for you. At the same time, these organizations want to take advantage of the scalability, access, and hardware offered by a fully managed service provider.
Amazon Web Services' KMS gives enterprises control over all their encryption keys, so it's easy to encrypt data stored in S3, EBS, RDS, Redshift, and other integrated AWS products.
This new feature lets customers import keys from any key management and Hardware Security Module (HSM) solution that supports the RSA PKCS #1 standard and use them with other AWS items and internal applications.
I strongly believe that putting AWS customers in control of their cryptographic keys and certificates is a fundamental element of cloud security. They are able to decide which keys and certificates will be used in the cloud, as well as for important network and security tools like load balancers, web application firewalls, and next-generation firewalls.
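The key-import feature above relies on RSA key wrapping: the customer's symmetric key material never leaves the HSM in the clear, it is encrypted under an RSA public key that KMS hands out for the import (KMS also issues an import token that must be sent back alongside the wrapped key). The following is an added example, not AWS code, that shows the wrapping step locally: a freshly generated RSA key pair stands in for the KMS-provided wrapping key, a random 256-bit key stands in for the HSM-exported material, and the unwrap step is included only so the round trip can be checked offline. Function names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewWrappingKey is a hypothetical stand-in for the RSA wrapping key that a
// KMS import flow hands out; we generate one locally so the example runs offline.
func NewWrappingKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// GenerateKeyMaterial produces a fresh 256-bit symmetric key, the shape of the
// key material an HSM would export for import into a cloud KMS.
func GenerateKeyMaterial() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// WrapKeyMaterial encrypts the symmetric key with RSAES-OAEP (PKCS #1 v2.x,
// SHA-256) under the wrapping public key, so only the holder of the matching
// private key can recover it. The length check guards against accidentally
// wrapping a truncated key that the KMS would reject or, worse, accept.
func WrapKeyMaterial(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	if len(keyMaterial) != 32 {
		return nil, errors.New("key material must be exactly 32 bytes (256 bits)")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// UnwrapKeyMaterial is the receiving side's step (what the KMS does inside its
// HSM); it is here so the round trip can be verified locally.
func UnwrapKeyMaterial(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func main() {
	priv, err := NewWrappingKey()
	if err != nil {
		panic(err)
	}
	km, err := GenerateKeyMaterial()
	if err != nil {
		panic(err)
	}
	wrapped, err := WrapKeyMaterial(&priv.PublicKey, km)
	if err != nil {
		panic(err)
	}
	// Only the wrapped blob (256 bytes for a 2048-bit wrapping key) would be
	// sent to the cloud; the raw key material stays on the HSM side.
	fmt.Printf("wrapped key material: %d bytes\n", len(wrapped))
	got, err := UnwrapKeyMaterial(priv, wrapped)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", string(got) == string(km))
}
```

OAEP is randomized, so wrapping the same key twice yields two different blobs; that is expected and means a wrapped blob cannot be used to tell whether two imports carry the same key.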
Google Has Their Own Way
Google takes a slightly different approach from AWS for customers interested in creating their own encryption key for Google Compute Engine.
Google Compute Engine automatically encrypts all data at rest. Users provide a Customer-Supplied Encryption Key (CSEK) to protect the Google-generated keys employed for data encryption. This method lets customers control data encryption in the cloud via an internally generated key.
Since Google doesn't store CSEKs on its servers, a customer who loses the key will lose access to the data. Creating a CSEK requires the gcloud command-line tool, and the enterprise must provide a 256-bit key encoded in base64.
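Because Google never stores the CSEK, the customer's own tooling has to generate it, keep it, and be able to tell which stored key belongs to which disk. The following is an added example of that tooling, written by me and not Google's code: it generates a 256-bit key in the base64 form gcloud expects, validates a candidate key before it is used (wrong length or an all-zero key are the two mistakes worth catching locally), and computes a SHA-256 fingerprint of the raw key. Compute Engine reports a base64 SHA-256 hash of the customer-supplied key on resources it protects; I am assuming that fingerprint is what you would want to record in a key inventory so the key itself is never logged. Function names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// csekKeyBytes is the raw key length Compute Engine requires: 256 bits.
const csekKeyBytes = 32

// NewCSEK generates a random 256-bit key and returns it base64-encoded,
// the form a raw customer-supplied key takes when passed to gcloud.
func NewCSEK() (string, error) {
	raw := make([]byte, csekKeyBytes)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// ValidateCSEK checks that a candidate key decodes from standard base64 to
// exactly 32 bytes and is not all zeros. Doing this before any API call
// catches keys truncated while being copied out of a secret store.
func ValidateCSEK(encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("CSEK is not valid base64: %w", err)
	}
	if len(raw) != csekKeyBytes {
		return nil, fmt.Errorf("CSEK decodes to %d bytes, want %d", len(raw), csekKeyBytes)
	}
	allZero := true
	for _, b := range raw {
		if b != 0 {
			allZero = false
			break
		}
	}
	if allZero {
		return nil, errors.New("CSEK is all zeros")
	}
	return raw, nil
}

// CSEKFingerprint returns the base64-encoded SHA-256 of the raw key. This is
// the value to keep in an inventory (assumption: it matches the sha256 hash
// Compute Engine reports for the key); the key itself should never be logged.
func CSEKFingerprint(raw []byte) string {
	sum := sha256.Sum256(raw)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	key, err := NewCSEK()
	if err != nil {
		panic(err)
	}
	raw, err := ValidateCSEK(key)
	if err != nil {
		panic(err)
	}
	// Print only the fingerprint; the key goes to the secret store, not stdout.
	fmt.Printf("CSEK fingerprint (sha256, base64): %s\n", CSEKFingerprint(raw))
}
```

Keep the generated key in a secret store with a backup; the fingerprint is enough to reconcile which key protects which disk, and losing the key means losing the disk.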