Plate-spinning is a juggling act where the performer spins glass plates on sticks, trying to keep them all spinning at once without stopping and falling — gasp! – and breaking. Being responsible for data security at your organization, may feel like you are plate-spinning. Instead of plates, it’s the cryptographic systems that safeguard sensitive and critical data including credit card numbers, Social Security numbers, data from electronic security systems such as access control and video surveillance, and other forms of personally identifiable information (PII).

All that data is targeted by an increasingly diverse and sophisticated set of cyber threats. The global COVID-19 pandemic has posed additional challenges, including accessing data centers and “juggling” or repositioning your available security resources to meet the increase of remote employees. Encryption key management is more important than ever.

Key management requirements may vary across industries, but the core requirements are universal:

• Hardened Security
• Control
• Scalability

Fortunately, security professionals can deploy and scale a key management solution that best suits their current IT environment challenges by implementing hardware security appliances on-premises, integrating cloud crypto services, or a hybrid combination of both hardware and cloud.

On-Premise: Highest Level of Control and Compliance

On-premises key management gives organizations complete and isolated control over their encryption keys and certificates. Sophisticated key management solutions are essential to any cryptographic operation, especially when creating, managing, storing, distributing and retiring hundreds of thousands or millions of keys. Hardware security modules (HSMs) and key management servers work hand in hand and are the most secure way to generate and manage cryptographic keys.

It is important to consider the external security factors of on-premises deployments. Here are recommendations for enhancing security with your on-premises data center:

• Ensure data center security controls meet SOC 2 criteria and other industry-specific standards
• Use security appliances with “Puzzle Box” tamper-resistant design
• Implement dual control and split knowledge protocols
• Perform periodic security audits

Time to Rebalance: Shifting Workloads to the Cloud

If your organization is facing scalability issues, interruptions, or access failure, it might be time to extend or rebalance your critical infrastructure beyond your physical premises. While on-premises provides more control, the cloud offers alternatives to ease costs and logistical burdens. IDC predicts that by the end of 2020, 67% of enterprise infrastructure and software will be cloud-based. 

The cloud can increase capacity and facilitate remote access to vital business functions, offering access to on-demand scalability. Public cloud vendors offer various approaches to securing data in the cloud but may not meet organizational requirements needed to execute ideal key management practices. Businesses can lose control over cloud-derived keys, creating a barrier to efficiently managing multi-cloud applications. Alternately, businesses can manage and secure keys using hardware-backed cloud cryptographic services that combine hardware security features with the convenience and scalability of the cloud.

Here are tips for maintaining security in the cloud:

• Implement a Bring-Your-Own-Key (BYOK) approach for cloud data encryption.
• Encrypt cloud storage using AES-256 algorithm.
• Deploy multi-factor authentication.
• Set up and automate a data backup and recovery plan.
• Enforce strict user policies for external collaborators.

Considering a Hybrid Security Option

A hybrid cryptographic model combines on-premises hardware with cloud services to handle IT initiatives and scalability. Often, enterprise businesses operating on several continents opt to use a hybrid model to meet organizational mandates, including scenarios where highly sensitive files and data cannot be hosted outside of an on-premises data center or to maintain regional data storage restrictions. Other use cases include enhancing security system redundancy by constructing failover clusters using cloud services and application performance testing.

Eight Key Questions to Tackle

Whether you decide on an on-premises hardware solution, cloud or hybrid, there are solutions available to address every key management challenge. Here are eight questions to ask your team before building or upgrading your protection:

1. Do you have the resources and staff to maintain physical cryptographic appliances?
2. What is the vertical scaling limit of your current security infrastructure?
3. How big is your ecosystem?
4. Is offsite disaster recovery required?
5. Do you require clustering and peering?
6. What are your monitoring and analytics requirements?
7. Is outside expertise required?
8. Do you have current or upcoming mandates restricting cloud data storage?

These days, organizations are juggling resources, remote workers, compliance audits, spikes in demand, expenses, operational issues and more. Managing security of all the data coming through your organization is often a balancing act. Much like David Spathaky, who set the Guinness World Record for spinning 108 plates simultaneously, it takes crypto acuity combined with the best-fit solutions to keep your infrastructure securely spinning.