How can I put my sensitive data in the public cloud and stay secure?
One of the biggest barriers to adoption of cloud is concern about the security of sensitive data. Cryptography has a central role to play in controlling the risks, but setting and enforcing a cloud cryptography policy is not easy, particularly for regulated enterprises.
There are many choices to make about when to use CSP-native cryptography services, when to use third-party cloud cryptography, and when to leave data on premises. Once policy has been set, continuous visibility is needed into how workloads are protecting their data and managing their keys as applications evolve over time.
Many people are concerned that their encryption keys stored in cloud services such as AWS KMS, Azure Key Vault, or GCP KMS are not really secure. This can be a particular concern for people working in highly regulated industries.
So how can you know if your keys are secure?
To compare the cloud KMS offerings of the 'big 3' CSPs (AWS, Microsoft Azure and Google Cloud), we made this handy infographic.
All the major cloud service providers (CSPs) now offer cryptography services. This whitepaper will explain why many businesses are adopting cloud crypto services as they migrate their applications to the public cloud. We will look at what these services do, how to choose a cloud crypto service, and how to migrate an application securely.
We will focus on cryptographic services available from the three largest CSPs (Amazon Web Services, Google Cloud Platform, Microsoft Azure) including their cloud key management services (KMS) and their cloud hardware security modules (HSMs). Lock-in to a single provider is considered unwise by many organizations, so we will also look at the portability of applications designed to use these services.
Finally, we will describe how to understand the cryptographic needs of an application, and how to carry out the migration. We will consider how to monitor the security of a sensitive application that is using cloud cryptography services.