Cloud encryption: control your own keys in a separate storage vault

Much has been written about encrypting data in the cloud, but several challenges persist. Who controls or has access to the keys, and where are the keys stored? KeyNexus, a division of Dark Matter Labs, addresses those challenges with an independent key management solution that separates the lock from the keys and gives the keys solely to the data owner.

Any time a company decides it wants to host its applications in the cloud, or use a SaaS application where the company’s data will be stored in the cloud, the IT security professionals have to ask a series of questions. Can we encrypt the data? If so, who will have access to the keys? How will we perform key rotation? Can we sort and search on data that is encrypted? Is the cloud vendor using a proprietary encryption technology that prevents us from moving our data to another vendor? If we use 10 SaaS applications, will we have to manage 10 different sets of encryption keys?

These questions are tough enough to answer when the data and encryption technologies are in a company’s own data center, where it has complete control over everything. Things get much more complicated when the company has to factor in third-party hosts like Amazon and Rackspace or SaaS providers like Google Apps, Workday and Salesforce.

The state of cloud encryption today is still very muddled. Some vendors provide it and some don’t. Sometimes encryption has to be bolted on and isn’t a well-integrated process. Some encryption schemes are proprietary to a specific vendor.

In many cases, if encryption is provided, the cloud provider holds or has access to the keys, which creates another set of problems for the end user. For one thing, a third party having access to data in the clear is a violation of regulations such as PCI-DSS, HIPAA, GLBA and others. Also, customers have lost trust in cloud platform or SaaS providers to protect their data. There have been high profile data breaches that make end users nervous. What’s more, customers fear the U.S. government will subpoena access to their data without their knowledge or permission. For companies outside the U.S. that choose to use a U.S.-hosted cloud or app, there are data privacy and residency concerns.

It all boils down to this: when encrypted data is stored or processed in the cloud, the lock and the keys must be kept separate and only the end user should control the keys.

In early September, encryption appliance maker Dark Matter Labs announced a new division called KeyNexus that takes aim at all of these cloud key management issues. (See “Service lets companies manage Amazon Web Services encryption keys.”)

KeyNexus is a secure cloud service for encryption key management. It is designed to be used with encryption technology that secures data in cloud-based, SaaS, enterprise or mobile applications. The technology that underpins KeyNexus is Dark Matter Labs’ enterprise-grade encryption appliances. With this solution, companies can employ encryption in their cloud or enterprise environments while maintaining secure, off-site storage of their encryption keys, effectively separating the lock from the key.

Here’s the 30,000-foot overview of how it works.

KeyNexus is an independent platform where a company can create an account, generate its keys and have them stored there securely. No one else has access to those keys. To use the keys, the company pulls them down to wherever it happens to be doing business.

Now let’s say the company has encryption software on a specific platform (cloud, enterprise, mobile, etc.). In the moment when the encryption software is about to encrypt something, it reaches out to KeyNexus and gets a key. The key is on a separate platform from the application and data, and only the company has access to its keys.

The initial offering of the KeyNexus solution is an integration between KeyNexus and Amazon Web Services (AWS). KeyNexus for AWS will allow AWS users to select from several Linux varieties of KeyNexus Amazon Machine Image (AMI). KeyNexus is launching with Amazon Linux, with more Linux versions to follow soon, and they will be available for free on the AWS Marketplace. These AMIs will encrypt all data stored on the customer’s Elastic Block Storage (EBS) partitions while the encryption keys are securely stored on KeyNexus. According to Jeff MacMillan, founder and CEO of Dark Matter Labs, here’s how it works:

• After a brief one-time setup, when launched, the KeyNexus AMI will securely connect with KeyNexus and provision the customer’s encryption key of choice.

• The key will be used for a moment to mount an encrypted EBS partition.

• The key will then be purged from the AWS environment to ensure it is never stored or written to disk.

• All data written into the customer’s EBS partitions is now encrypted with AES 256-bit encryption.

• Multiple AWS security protocols are implemented throughout this process including EC2 IAM instance roles, described instances and instance identity documents.

The process of activating multiple AMIs can be fully automated and is fully compatible with Big Data implementations such as Hadoop operated in AWS EC2. Most importantly, the customer’s keys are safe, belong to the customer, and are never stored on AWS.

KeyNexus for AWS was the first phase of the KeyNexus roadmap and there’s more to come, says MacMillan. Here’s a peek at what’s in the works for the future.

• KeyNexus plans to go deeper into Amazon, connecting to products like Redshift and S3, which have some level of built-in encryption. Customers will be able to use the encryption Amazon provides without having the keys stored with Amazon.

• KeyNexus will be integrating with different development languages so that, for example, customers who might be coding on Amazon in Java can use the Java crypto engine to perform encryption at the application level because it is more granular. Through integration with KeyNexus, the keys will no longer be sitting in Java on Amazon; rather, they are sitting in KeyNexus and they are only pulled down when they are needed.
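The application-level pattern described in the last bullet, and the fetch-use-purge flow outlined earlier, as an added Go example that is not KeyNexus or Dark Matter Labs code: the key store is a stand-in interface (the vendor’s REST API is not described here, so `KeyVault` and the map-backed `MemVault` are assumptions), the key is pulled for one AES-256-GCM operation and zeroed afterwards, and only ciphertext, nonce and a key reference stay with the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyVault stands in for an external key store such as KeyNexus; the interface and
// the map-backed MemVault are constructed for this example, not the vendor's API.
type KeyVault interface{ Fetch(keyID string) ([]byte, error) }
type MemVault map[string][]byte

// Record is all that stays beside the data: ciphertext, nonce and a key reference.
type Record struct{ KeyID string; Nonce, Data []byte }

func (v MemVault) Fetch(id string) ([]byte, error) {
	if k, ok := v[id]; ok {
		return append([]byte(nil), k...), nil // a copy, so the caller can wipe it
	}
	return nil, fmt.Errorf("unknown key id %q", id)
}

// withKey pulls the key, builds an AES-256-GCM AEAD, runs fn, then zeroes the key,
// so key material lives in the application only for the duration of one operation.
func withKey(v KeyVault, id string, fn func(cipher.AEAD) ([]byte, error)) ([]byte, error) {
	key, err := v.Fetch(id)
	defer func() { for i := range key { key[i] = 0 } }() // purge after use
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key %q unavailable or not 256-bit: %v", id, err)
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return fn(aead)
}

func Encrypt(v KeyVault, id string, plaintext []byte) (rec Record, err error) {
	rec = Record{KeyID: id, Nonce: make([]byte, 12)}
	rand.Read(rec.Nonce) // fresh 96-bit GCM nonce per record
	rec.Data, err = withKey(v, id, func(a cipher.AEAD) ([]byte, error) {
		return a.Seal(nil, rec.Nonce, plaintext, []byte(id)), nil // key ID bound as AAD
	})
	return rec, err
}

func Decrypt(v KeyVault, rec Record) ([]byte, error) {
	return withKey(v, rec.KeyID, func(a cipher.AEAD) ([]byte, error) {
		return a.Open(nil, rec.Nonce, rec.Data, []byte(rec.KeyID))
	})
}
```

Because the key ID is bound as associated data, a record re-pointed at a different key fails authentication instead of decrypting to garbage.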

The KeyNexus focus is on securing the keys rather than on performing the encryption. In this way, KeyNexus can support any number of encryption schemes embedded in different platforms or applications. In fact, KeyNexus aims to partner with established encryption vendors who are looking to provide the benefit of this additional level of security and compliance to their customers.

KeyNexus stores customers’ keys on hardware security modules that are like physical vaults. The technology has an API set and a RESTful interface that can be accessed from any technology. KeyNexus plans to engage with the developer community by exposing the APIs and allowing them to plug KeyNexus’ integration into any platform that they choose. That could be SaaS applications, mobile apps, or whatever customers are asking for.

In the end, the benefits of using KeyNexus come down to this: the customer company controls its own keys, and those keys never reside in the same place as the encrypted data. This satisfies compliance requirements and eliminates the worry that an outsider – including the U.S. government – can get its hands on data that can be readily decrypted. In time, this one set of keys on the KeyNexus platform can be used for the multiple SaaS or cloud apps on which the customer has encryption, which saves time and money by consolidating keys on one solution.

Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
