THE NEED FOR CUSTOMER KEY CONTROL
Many infrastructure-, platform-, and software-as-a-service providers offer data-at-rest encryption capabilities with encryption keys managed by the service provider. Meanwhile, industry or internal data protection mandates, as well as industry best practices as defined by the Cloud Security Alliance, require that keys be stored and managed remote from the cloud service provider. Providers can fulfill these requirements by offering "Bring Your Own Key" (BYOK) services to enable customer control of the keys used to encrypt their data. Customer key control allows for the separation, creation, ownership and control, including revocation, of encryption keys or of the tenant secrets used to create them.
MULTI-CLOUD KEY LIFECYCLE MANAGEMENT
The CipherTrust Cloud Key Manager fulfills industry or internal data protection mandates, and reduces key management complexity and operational costs by giving customers lifecycle control of encryption keys with centralized management and visibility.
SECURE, REMOTE KEY STORAGE
The CipherTrust Cloud Key Manager utilizes the Vormetric Data Security Manager (DSM) for secure key storage. The CipherTrust Cloud Key Manager can communicate with a FIPS 140-2-compliant DSM physical or virtual appliance on your premises or elsewhere.
COMPREHENSIVE KEY MANAGEMENT
Already created thousands of keys at your cloud provider? CipherTrust Cloud Key Manager will synchronize its database with keys created at the cloud provider. Key attributes, such as creation and expiration rules as well as key usage options are all maintained securely. You can delete a key from Cloud Key Manager or in the Cloud administration portal. Since the DSM performs key escrow, it is still possible to restore or recover a deleted key from the DSM.
WHAT IS A KEY ESCROW?
Microsoft defines a "Key Escrow" as any service that preserves encryption keys between multiple management consoles to guard against unintended data loss.
CAPABILITIES FOR ENHANCED IT EFFICIENCY
CipherTrust Cloud Key Manager offers multiple capabilities in support of enhanced IT efficiency:
- Federated login information from each cloud provider provides the simplest mechanism for granting user access to key data. Each cloud service login is authenticated and authorized by the service provider – no login database nor AD or LDAP configuration is required.
- Centralized Key Management gives you access to each supported cloud provider from a single web tab. Further, since key terminology and semantics vary per provider, the Cloud Key Manager instantly provides key operation presentation in the language of the cloud provider.
Visit www.thalesesecurity.com to learn how our advanced data security solutions and services deliver trust wherever information is created, shared or stored.