Skip to Content
Business Trends
Author's profile photo Anastasia Sizensky

Key Management Service: The Foundation of Cloud Security



In the boundless realm of cloud computing, there exists a silent guardian – the Key Management Service or KMS. The importance of a KMS? Well, imagine your data as a house with the doors wide open, with nefarious hackers ready to steal all your precious data – this is the world without a KMS. In this world, the KMS takes the role of a digital locksmith, entrusted with creating, distributing, storing, and rotating the keys of the houses in its jurisdiction. In this article, we will discuss the role the KMS takes in a cryptographic keys lifecycle, the importance of the KMS in cloud security, and best practices for implementing a KMS in your company. 


Understanding Key Management Service (KMS) 

The KMS follows the complete lifecycle of a cryptographic key from initial generation, usage, storage, rotation, and eventual revocation and deletion. The KMS keys are used in encryption, decryption, and user access management – all essential parts in protecting the “crown jewels” of an organization. Since keys are an invaluable part of an organization’s security, it is imperative that each part of the key’s lifecycle is secured. When a key is generated, it must be created with a truly random seed and a strong cryptographic algorithm, such as RSA 2048. When a key is used, special care must be taken to not leak any information about the underlying algorithm that created the key. While a key is in storage, there must be a guarantee of security, which is usually provided by a tamper-resistant Hardware Security Module (HSM) or a cloud based HSM. Most organizations require keys to be regularly rotated as many industry standards, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), require key rotation as a compliance requirement. To help mitigate the risk and exposure window of key compromise, keys are deleted based on a predefined key-expiration date. This date is usually determined based on the sensitivity of the data the key is protecting or on company policy. The KMS plays an integral part in each phase of the key’s lifecycle and can help a company alleviate the burden of securely implementing, maintaining, and controlling a cryptographic key. 


Key Management Lifecycle


Different Types of Key Management Services 

To fully understand the role of the KMS it’s important to first be aware of the different types of encryption management services. There are three main strategies for holding and maintaining encryption keys, namely Bring Your Own Key (BYOK), Hold Your Own Key (HYOK) and Control Your Own Key (CYOK). In the BYOK system, instead of the KMS creating the cryptographic key for the client, the client provides their own key to the KMS. BYOK can be beneficial if a client has a need to change cloud or KMS providers, but it also comes with the added responsibility of maintaining back-ups for the keys. With HYOK, the client has full control over their keys, which remain in their possession at all times. The client’s data remains encrypted when it is in the possession of the cloud provider and is only decrypted when it is back in the possession of the client. For some highly regulated industries such as the financial or healthcare sectors, HYOK may be beneficial because of the added data security and adherence to certain compliance requirements. In the CYOK method, the client is able to maintain some control over their keys, as the client creates their own keys and controls their keys lifecycles. These keys are stored in the possession of the cloud or KMS provider, either within a hybrid on-premise environment or within a virtual node in the cloud.  


SAP Data Custodian offers a cloud-agnostic KMS that is built with a FIPS 140-2 Level-3 Compliant Hardware Security Module. As previously mentioned, a HSM is a securely hardened physical device that can be used in many aspects of the key’s lifecycle but especially during provisioning and storage. Cloud based HSMs provide the same functionality as an on-premise HSM with the added perk of allowing an organization to benefit from the convenience of using a cloud service deployment to control the hosting and maintaining of the service. It is vital to use either a FIPS Level-3 or Level-4 certified HSM, as these standards require rigorous testing and a certification process to validate the security features of the HSM. 


How KMS Contributes to Cloud Security  

A cryptographic key leak could compromise an entire system, as all the locked data is accessible to anyone who holds the key. All the hard work of implementing a sophisticated encryption system would be negated if a key fell into the wrong hands. There are many ways a key can become compromised, with the most common being accidental disclosure, either because of a data breach or insider threats; side channel attacks or attacks that try to gain information about the key based on the specific implementation of the encryption algorithm; or software vulnerabilities, such as using the randint() function in Python to generate the random seed. Although using a KMS will not prevent certain types of client-side vulnerabilities, a reputable KMS will protect against insecure key storage, misuse of keys, unauthorized access, and weak key generation – thereby protecting the confidentiality and integrity of your keys. 


Implementing a separation of duties and the principle of least privilege are fundamental security practices and an essential part of a KMS. After all, you wouldn’t want all your employees to have access to your valuable keys. Usually, a KMS separates the user roles into three categories: a key administrator, a key user, and a system auditor or administrator. These roles may go by different names depending on the KMS provider but follow the same general responsibilities. The first user that is onboarded to a KMS is the service administrator. This user is able to create other users, assign user roles, and are usually able to view audit logs and other service usage data. Their role is separated from any key management functions, and they do not perform any auditing. The key administrator is the user who is responsible for key management operations but does not actually use the keys. The key user should only have permissions to access and work with the keys that they are required to use based on the key management policy established before key provisioning. Most KMS providers offer an auditor role as well. This auditor role usually has read-only privileges for audit logs and service tickets, which are used for action tracking and compliance reporting. By administering these separation of duties human error, fraud, and repudiation can be prevented.  


Best Practices for Using KMS  

Using a KMS effectively is crucial for maintaining the security posture of an organization. Many important security protocols can be defined in the security policy that a KMS uses, including but not limited to: segregating duties in a team, defining the frequency of key rotation, and defining the conditions for key deletion. Auditing and monitoring a KMS account are also critical aspects to a properly administered KMS. These processes ensure that encryption keys are used appropriately and securely, enabling the detection of any unauthorized access or anomalies in key usage. They provide insights into who is using the keys, when, and how they are being utilized. Auditing allows for a comprehensive review of security controls, operations, performance, and documentation, while monitoring provides real-time visibility into system operations. Together, auditing and monitoring enhance system security, help maintain compliance with regulations, and foster trust in the integrity of the cloud-based system. 


Challenges and Solutions in Key Management  

Organizations often encounter various challenges when first implementing a KMS. KMS systems can seem daunting at first, as they do require a basic knowledge of cryptographic keys, security protocols, and system integration. Compliance requirements can be a significant challenge, especially if a company works in multiple regions with numerous industry-specific regulations. Another common challenge is key proliferation, as the generation of numerous keys can lead to difficulties with key management.  To overcome these challenges an organization should look for a KMS provider that offers an easy-to-use solution with built in compliance, key management, data transparency, and a variety of different system integrations. SAP Data Custodian provides a centralized KMS with full key lifecycle management, built in role-based permissions, geographic control policies, options for further granularity and more. SAP Data Custodian can also be easily connected to several major cloud platforms including: AWS, GCP, Azure, and SAP HANA. To learn more about how you can utilize a KMS to protect your SAP data or for additional information on whether SAP Data Custodian would work for your team, reach out to the SAP Data Custodian team.      


Learn more about KMS at SAP: 

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.