.svg){kind=small}
Key Management as a Service
We can provide BYOK and HYOK, alongside dedicated or shared services including hardware offerings. Our offerings are designed to reduce organisational cost while improving security posture.
Avoid Vendor Lock-in
Vendor lock-in prevents migration from one cloud provider to another. Without a viable migration option, cloud customers become dependent on their service provider and any subsequent service changes.
Enable Data Sovereignty
Data Sovereignty refers to when an organisation in one country sends and stores data in a separate geographical location. this can become a complex legal issue, particularly in reference to cloud-based service providers.
Reduce Cost
Costs associated with Key Management can rise upward into the millions. From training staff in niche skill areas, to setting up and adopting new systems. Cogito’s KMaaS services bring organisations cost-effective agility.
Enable BYOK and HYOK
BYOK allows clients to use keys not related from their cloud services vendor. They can generate their own key or use a third-party key provider. HYOK allows customers to keep their key in an on-premises service and manage all encryption and decryption with their own hardware.
Key Management Explained
Hackers aren't looking to break your encryption - they want to find your keys.
When data is encrypted a new key is created. Keys need to be protected to ensure the means to unlocking your data remains secret. Data encryption is classified in two types; symmetric and asymmetric. Each term refers to the respective number for keys used. Symmetric encryption uses one single key to encrypt and decrypt the data. In Asymmetric encryption, a public key encrypts data and a private key decrypts it. The public key can be freely distributed, however the private key must be kept very secure. Key Management is the procedure of protecting keys, this involves identifying who holds the keys; how they are generated; how they are distributed, and how they are rotated.
Key Management as a Service
Key Management as a Service (KMaaS) is a Cogito Group service that allows customers to securely store important keys for on-premises and cloud-based services that they consume.
KMaaS provides strong key control and security that can be used for the following:
- Protecting keys for Public Key Infrastructure (PKI) capability.
- Allowing encrypted storage in the cloud or on premises.
- Transparent Data Encryption (TDE) on Databases on premises or in cloud instances.
- Generating and managing API keys.
- Bring Your Own Key (BYOK).
- Hold Your Own Key (HYOK).
Benefits of Key Management as a Service
There are many benefits to the Cogito Key Management as a Service. Some of these are:
- Strong key control and security.
- Ability to recover keys from archive for reuse on new or existing services
- Cost reduction – reduce the cost of hosting specialised key management services.
- Expertise and compliance to best practise policies.
- Minimise risk and ensure your keys don’t leave a region or legal jurisdiction.
- Enhanced capability from wholistic key management.
- Allows easy transition out of a service as it avoids vendor lock in.
How Are Keys Managed in the Cloud?
There are three ways keys can be managed in the cloud:
- Vendor generated/provided Keys.
- Bring Your Own Key (BYOK).
- Hold Your Own Key (HYOK).
Vendor generated/provided Keys
Vender generated keys are where you generate and store keys using the vendors inbuilt services. Often these services, even including providers such as Microsoft and Amazon have lower standards than some organisations would accept for services they would run internally despite the greater risk presented by internet accessible services. An example is both vendors use FIPS140-2 Level ‘validated’ HSMs and state this on their websites. This is true. The hardware they use has been validated to FIPS140-2 Level 3 standard, however both vendors actually operate the HSMs in the lower FIPS140-2 Level 2 mode. Cogito provides a service that operates at FIPS140-2 Level 3 mode. The other important factor with vendor provided services is that keys generated in these services often cannot be exported or recovered. This results in being locked to a particular vendor for a service once data is better protected using encryption.
Hold Your Own Key
HYOK (Hold Your Own Key) is a method of key management that allows users to use their own on-premises hardware to perform encryption and decryption activities. Hold Your Own Key ensures that no one has access to your data without your approval.
Bring Your Own Key
BYOK (Bring Your Own Key) is a method of key management that allows users to retain control of their key management. Best practice for BYOK involves customers generating keys in strong, tamper resistant hardware security modules. The FIPS-140-2 Level 3 HSM configuration is considered by the National Institiute of Standards and Technology to be the most secure.
Critical Components
Each key management service's configurations are slightly different, including:
Key Storage
If a company stores both your encrypted keys and encrypted data they will be able to access this data. It is generally accepted that providers for encrypted keys and data should be kept separate to prevent them accessing your data.
Policy Management
Policies can be created for encryption keys to allow a company to create, revoke, expire and remove ability to share keys and data.
Authentication
Policies can be created for encryption keys to allow a company to create, revoke, expire and remove ability to share keys and data.
.png&w=256&q=75)
Authorisation
Authorisation allows users to access the data assigned to their roles and responsibilities. Best practice is to offer least privilege.
Our Experience
Partnering with global leaders in security technology
Our Experience
Partnering with global leaders in security technology
Experience secure PKI and Key Management
Cogito Group also provide managed PKIs or Public Key Infrastructure and Key Management as a Service. SecureSME combines the best security outcomes that can be achieved with a self-managed PKI at a reduced cost.
