It examines both the uses and misconceptions of key management systems (KMS), which are used to manage cryptographic keys and their metadata.
This guidance provides recommendations for using KMS in conjunction with cloud services to aid in meeting security and compliance requirements. It also makes suggestions for cloud service providers that provide key management functionality to customers.
Written by CSA’s Cloud Key Management working group, the document examines the following four primary cloud key management patterns that have emerged over the past decade.
- Cloud Native Key Management System: Here, KMS is built and owned by the same provider that delivers the cloud service the customer consumes, and all components of the KMS are in the cloud.
- External Key Origination: This pattern builds on the Cloud Native model above but allows key generation ceremonies to originate in an external KMS.
- Cloud Service Using External Key Management System: The use of a cloud service where the KMS is hosted entirely external to the cloud service, either wholly on the customer’s premises, wholly hosted by a third party chosen by the customer, or a combination of the two.
- Multi-Cloud Key Management Systems: This pattern blends the approaches above across multiple cloud services and KMS implementations.