
Digital Sovereignty: Hold Your Own Keys (HYOKs)

There is a widespread belief that on-premise systems, private clouds included, are always more secure than fully public cloud deployments. This is simply not the case: a data infrastructure running in a public cloud environment can be even more secure than its on-premise equivalent. Why? Few companies properly implement data encryption and strong access control on their on-premise systems, whereas in the public cloud organisations are increasingly pushed towards encryption by default.

In AWS, you can choose to let AWS manage the encryption keys for your data, for example for objects stored in S3 buckets. Alternatively, you can use AWS KMS (Key Management Service), where Alice generates and controls her own keys. The key material behind a KMS key is held in FIPS 140-2 validated HSMs (Hardware Security Modules) that AWS operates, and plaintext keys never leave those HSMs.

In this setup, AWS operators should not be able to extract the keys from the HSM. But suppose you do not even trust Amazon to hold your keys in its HSMs. The solution is an external key store. This is a Hold Your Own Keys (HYOK) approach: Alice generates and stores the keys in her own key manager outside AWS, and links that key manager to KMS as a custom key store of type external key store (XKS).

In this way, there is a physical separation between the key store and the cloud infrastructure. AWS describes this as digital sovereignty: no entity within AWS can read the encrypted data on its own. The external system can be a physical HSM or a virtual (software) key manager, and it is this external key manager, not an AWS HSM, that performs the operations with the external key. KMS never communicates with the external HSM directly and never learns the external key material. Instead, the customer runs an external key store proxy (XKS proxy), which authenticates each request coming from AWS KMS and forwards it to the key manager. Note that KMS does not hand the whole job to the external key: it first encrypts under the key material of the KMS key in its own HSMs and then under the external key (double encryption), so decrypting requires both AWS KMS and the customer's external key manager.

The customer's keys can then be used for client-side encryption (for example with the AWS Encryption SDK) and for server-side encryption by AWS services that integrate with KMS. But while AWS provides strong resilience for its own HSMs, the external key store is the customer's responsibility: it must be well managed, highly available and backed up. If the external key material is lost, data encrypted under it cannot be recovered, and while the XKS proxy is unreachable every encrypt and decrypt call that depends on that key fails.
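To make the separation concrete, here is an added Go simulation of the flow described above; it is example code written for this explanation, not code from the article or from AWS's own XKS proxy. An XKSProxy keeps the external key and serves encrypt and decrypt calls; a KMS object holds only a key reference plus its own AWS-side wrapping key, so each data key is wrapped twice; a client then does envelope encryption in the AWS Encryption SDK style. The key ID, the shared token standing in for SigV4 request authentication, the sample record and the encryption-context string are all constructed for the demo, and in-process method calls replace the HTTPS requests a real proxy would receive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aead is AES-256-GCM with the nonce prepended; aad carries the encryption context.
func aead(key []byte, encrypt bool, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // only fails for non-128-bit block sizes
	ns := g.NonceSize()
	if encrypt {
		nonce := make([]byte, ns)
		rand.Read(nonce)
		return append(nonce, g.Seal(nil, nonce, data, aad)...), nil
	}
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:ns], data[ns:], aad) // wrong key or context fails here
}

// XKSProxy is the customer-run endpoint AWS KMS calls, with the customer's key
// manager behind it; external key material never leaves this side. The shared
// token stands in for the SigV4 credential a real proxy verifies (demo assumption).
type XKSProxy struct {
	keys   map[string][]byte
	token  string
	Online bool // whether KMS can reach the proxy at all
}

func (p *XKSProxy) Handle(token, keyID string, encrypt bool, data, aad []byte) ([]byte, error) {
	if !p.Online {
		return nil, errors.New("xks proxy unreachable")
	}
	if token != p.token {
		return nil, errors.New("xks proxy: request not authenticated")
	}
	if key, ok := p.keys[keyID]; ok {
		return aead(key, encrypt, data, aad)
	}
	return nil, fmt.Errorf("xks proxy: unknown external key %q", keyID)
}

// KMS holds its own wrapping key (AWS-side HSM material) and only a reference
// to the external key; that key's material never reaches it.
type KMS struct {
	localKey      []byte
	externalKeyID string
	proxy         *XKSProxy
	proxyToken    string
}

// GenerateDataKey returns a fresh data key and its double-wrapped form: inner
// layer under KMS's own key, outer layer added by the external key manager.
func (k *KMS) GenerateDataKey(ctx []byte) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	rand.Read(plain)
	inner, err := aead(k.localKey, true, plain, ctx)
	if err != nil {
		return nil, nil, err
	}
	if wrapped, err = k.proxy.Handle(k.proxyToken, k.externalKeyID, true, inner, ctx); err != nil {
		return nil, nil, fmt.Errorf("external key store: %w", err)
	}
	return plain, wrapped, nil
}

// Decrypt unwraps in reverse: the external side strips the outer layer first,
// so KMS alone, or KMS with the proxy down, cannot recover the data key.
func (k *KMS) Decrypt(wrapped, ctx []byte) ([]byte, error) {
	inner, err := k.proxy.Handle(k.proxyToken, k.externalKeyID, false, wrapped, ctx)
	if err != nil {
		return nil, fmt.Errorf("external key store: %w", err)
	}
	return aead(k.localKey, false, inner, ctx)
}

// Envelope is what the client stores: record ciphertext plus the wrapped data key.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// EncryptRecord is client-side envelope encryption in the AWS Encryption SDK
// style: the record never leaves the client, only the data key visits KMS.
func EncryptRecord(k *KMS, record, ctx []byte) (Envelope, error) {
	dk, wrapped, err := k.GenerateDataKey(ctx)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := aead(dk, true, record, ctx)
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, err
}

func DecryptRecord(k *KMS, env Envelope, ctx []byte) ([]byte, error) {
	dk, err := k.Decrypt(env.WrappedKey, ctx)
	if err != nil {
		return nil, err
	}
	return aead(dk, false, env.Ciphertext, ctx)
}

// NewDemoKMS wires constructed components together; the key ID and token are made up.
func NewDemoKMS() *KMS {
	ext, local := make([]byte, 32), make([]byte, 32)
	rand.Read(ext)
	rand.Read(local)
	p := &XKSProxy{keys: map[string][]byte{"ext-key-1": ext}, token: "demo-token", Online: true}
	return &KMS{localKey: local, externalKeyID: "ext-key-1", proxy: p, proxyToken: "demo-token"}
}

func main() {
	kms, ctx := NewDemoKMS(), []byte("tenant=acme,purpose=records") // plays the KMS encryption context
	env, _ := EncryptRecord(kms, []byte("constructed sample record"), ctx)
	pt, err := DecryptRecord(kms, env, ctx)
	fmt.Printf("recovered=%q err=%v\n", pt, err)
	kms.proxy.Online = false // external key store outage: nothing under that key is readable
	_, err = DecryptRecord(kms, env, ctx)
	fmt.Println("proxy offline:", err)
}
```

Taking the proxy offline after a record has been encrypted shows the resilience point: the ciphertext is intact, but neither KMS nor the client can recover the data key until the external key store is back, and the same holds permanently if the external key material is lost. Trying to open the wrapped data key with only the KMS-side key fails as well, which is the property the whole design is built around.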

Conclusions

For most organisations, the HSMs that AWS operates behind KMS are enough, but for high-risk data the HYOK approach may hold some advantages, especially where the keys need to be stored on-premise and never leave the customer's control.