I recently read a blog post outlining how a customer should evaluate where they should store their encryption keys when encrypting data in the cloud. The post outlines the various options for storing keys and concludes, “Enterprises must assess their risk tolerance and audit requirements before they can select a solution that best meets their encryption key management needs.”
I completely agree with the post. Risk tolerance assessments and adherence to audit standards are essential elements of any quality data security program. I would argue, though, that if the customer is following compliance and audit requirements, then there is only one place keys should be stored: physically separate from the storage or infrastructure provider and under the direct control of the data owner.
A closer examination of four key compliance guidelines reveals:
1. COBIT: “COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.” For management of encryption keys, COBIT states:
“Verify that written procedures/policies exist,.... transporting, storage; recovery; retirement/destruction; theft and frequency of required use. Included with these procedures should be requirements over securing the key and controlling the elevation of the key.... Keys should be maintained on a computer that is not accessible by any programmers or users, such as router controls for logical access and strong physical controls with an air gap in a secured area/room.”
2. PCI
The Payment Card Industry guidelines only specify that appropriate procedures should be documented; little guidance is provided for where keys should be stored.
“Encryption keys used for encryption of cardholder data must be protected against both disclosure and misuse. All key management processes and procedures for keys used for encryption of cardholder data must be fully documented and implemented.”
However, PCI DSS 2.0, in section 3.6, defers to NIST:
“3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.... Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.”
3. HIPAA: The Health Insurance Portability and Accountability Act, in its breach notification rule, calls out:
“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:
1. Electronic PHI has been encrypted as specified in the HIPAA Security ...... To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified .... have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.”
4. SOX: Sarbanes-Oxley adheres to COBIT (“Accepted frameworks for use with SOX are COSO and CobiT”). Section DS 5.7 accepts the COBIT framework above for security technology, and section DS 5.8 requires:
“Dedicated key storage devices and application.”
There is a very good reason for this physical division between the key server and the location of secure data stores. In audit parlance it’s called “separation of duties.” Separation of Duties, or “SoD”, is an important internal control concept that helps prevent mischief by ensuring an adequate system of checks and balances exists. More specific to this topic, SoD makes sure that only the data owner can access sensitive information. The encrypted volumes live with your cloud provider, your keys stay somewhere else, and only you have all the credentials to join the pieces. Whether your key management solution resides in your data center or with a trusted third party, only you control the credentials required to access all the elements necessary to unlock encrypted data. And control is critical for operating safely in any cloud environment.
In summary, all four compliance frameworks call for storing encryption keys securely and separately from the data, under the control of the cloud consumer.