Read the book The Official (ISC)2 CCSP CBK Reference - Leslie Fife, Aaron Kraus - Page 71
Cryptography and Key Management
Cryptography is essential in the cloud to support security and privacy. With multitenancy and the inability to securely wipe the physical drive used in a CSP's data center, information security and data privacy are more challenging, and the primary solution is cryptography.
Data at rest and data in motion must be securely encrypted. A customer will need to be able to determine whether a VM or container has been unaltered after deployment, which requires cryptographic tools. Secure communications are essential when moving data and processes between CSPs as well as to and from on-premises users. Again, cryptography is the solution.
One of the challenges with cryptography has always been key management. With many organizations using a multicloud strategy, key management becomes even more challenging. The questions to answer are
Where are the keys stored?
Who manages the keys (customer or CSP)?
Should a key management service be used?
In a multicloud environment, there are additional concerns:
How is key management automated?
How is key management audited and monitored?
How is key management policy enforced?
The power of a key management service (KMS) is that many of these questions are answered.
The KMS stores keys separately from the data. One benefit of encrypting data at rest is that many data breach laws provide an exemption if the data is encrypted securely. This benefit disappears if the encryption/decryption keys are stored with the data. So, if keys are to be stored in the cloud, they must be stored separately from the data. Outsourcing this has the benefit of bringing that expertise to the organization. However, like any outsourcing arrangement, you cannot turn it over to the KMS and forget about it. Someone still needs to oversee the KMS.
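As an added illustration (not code from the book or from any CSP), the following Go program models the key separation a KMS provides: each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves the KMS, and what reaches the data store is ciphertext plus the wrapped DEK, nothing that can decrypt it. Destroying the KEK then makes the stored data unrecoverable, which is how encryption stands in for the physical wipe a tenant cannot perform. The KMS type, the function names and the AES-256-GCM choices are this example's assumptions, not any particular provider's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS stands in for a key management service: it holds the KEK and exposes only Wrap/Unwrap.
type KMS struct{ kek []byte }
func NewKMS() *KMS { return &KMS{kek: randomBytes(32)} } // AES-256 KEK, assumed for this example
func (k *KMS) Wrap(dek []byte) ([]byte, error)       { return gcmSeal(k.kek, dek) }
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) { return gcmOpen(k.kek, wrapped) }

// Destroy zeroises the KEK, making every DEK wrapped under it unrecoverable (crypto-shredding).
func (k *KMS) Destroy() { for i := range k.kek { k.kek[i] = 0 }; k.kek = nil }
// StoredObject is what the data store holds: ciphertext plus the wrapped DEK, never the KEK.
type StoredObject struct{ Ciphertext, WrappedDEK []byte }
func Encrypt(kms *KMS, plaintext []byte) (*StoredObject, error) {
	dek := randomBytes(32) // fresh data-encryption key per object
	ct, err := gcmSeal(dek, plaintext)
	if err != nil { return nil, err }
	wrapped, err := kms.Wrap(dek)
	return &StoredObject{ct, wrapped}, err
}
func Decrypt(kms *KMS, obj *StoredObject) ([]byte, error) {
	dek, err := kms.Unwrap(obj.WrappedDEK) // only the KMS can unwrap the DEK
	if err != nil { return nil, err }
	return gcmOpen(dek, obj.Ciphertext)
}
// gcmSeal returns nonce || AES-GCM ciphertext+tag under key; gcmOpen reverses and authenticates it.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if n := gcm.NonceSize(); len(sealed) >= n { return gcm.Open(nil, sealed[:n], sealed[n:], nil) }
	return nil, errors.New("sealed blob too short")
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails on a destroyed (nil) KEK
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func randomBytes(n int) []byte { b := make([]byte, n); if _, err := rand.Read(b); err != nil { panic(err) }; return b }
```

A breach of the data store alone yields only ciphertext and wrapped DEKs; only an actor who can also call the KMS's Unwrap recovers plaintext, which is why the KMS's own access logging and policy matter as much as the cipher.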
Using a KMS does not mean that you turn over the keys to another organization any more than using a cloud file repository gives away your data to the service storing your files. You choose the level of service provided by the KMS to fit your organization and needs.
The last three questions—automation, monitoring and auditing, and policy enforcement—are the questions to keep in mind when reviewing the different KMSs available. Like any other service, the features and prices vary, and each organization will have to choose the best service for its situation. A number of CSPs offer cryptographic KMSs. Such a KMS is what makes a multicloud environment scalable.