Moving to the cloud without falling off a cliff – a cryptography perspective

While data breaches often come at a dire financial cost, the resulting loss of public trust can be even more costly in the long term.

With cloud adoption on the rise globally, some organizations nevertheless hesitate to move their customers’ data to the cloud. Giving up hands-on control of on-premises cryptographic infrastructure in favor of a cloud solution hosted by another entity can be seen as a risk. To mitigate these perceived risks, some organizations favor private cloud solutions over the public cloud. Whichever cloud strategy an organization adopts, it should demand stringent security measures and ensure that all its applications meet the latest rigorous security standards. This is doubly true for banks and fintechs, which handle customer transaction data; banks are well advised to maintain Service Level Agreements (SLAs) with their providers in which the essential metrics and measurements are agreed upon and documented.

HSM cryptography is the most reliable way to prevent data breaches, and cloud platforms are quickly becoming the simplest way to deploy it. Cloud offerings have expanded to include cloud-based key management as well as encryption, giving organizations more options for implementing data security solutions and protecting sensitive data. However, efficiency isn’t the only driver of cloud adoption. Due to the COVID-19 pandemic, more and more companies are investing in cloud computing services. While cloud services do improve the efficiency of an organization, they can also be susceptible to cyberattacks. In response, new encryption and authentication tools have been developed to stop attackers from exploiting vulnerabilities in cloud computing systems.

Things to look for

Security is a top priority in nearly every industry. After all, maintaining security is crucial to maintaining consumer trust in your organization. Hardware-based cryptography, in the form of HSMs and key management servers, is the best way to protect that trust. However, the entry cost is high. Aside from the physical hardware, there is the effort to integrate it with existing applications, manage it on a day-to-day basis, maintain it, and eventually upgrade it when the time comes. This can prove troublesome for startups or fintechs, which need cryptographic capability at a lower cost.

This is where cloud-based cryptographic platforms prove their true worth. With hardware-backed cloud encryption solutions, organizations can design and deploy a complete cloud cryptographic platform on demand, and even save time and effort while integrating it with their applications. Some key advantages of hardware-backed cloud encryption solutions include:

  • Data localization: with data centers located in every geographic region, data residency is never a hassle
  • High security: when run on industry-leading cryptographic modules, these solutions provide clients with hardware-backed security
  • Strict compliance: hardware compliance with a wide range of global standards, such as PCI PTS HSM v3, ensures that clients get a universally compliant cloud solution
  • Simple integration: because these solutions support all common APIs, integrating hardware-backed cloud encryption with existing applications becomes easier

Addressing the concerns

Despite the apparent advantages of cloud platforms, some industries and organizations have been slow to embrace them — particularly organizations with large, legacy HSM infrastructures. To use a metaphor, bigger boats offer smoother sailing but are slower to turn. So, what should be considered before steering the ship toward a cloud cryptographic solution?

Will adopting a cloud platform create more management duties?

Quite the opposite. With powerful multitenancy and virtualization options, you can run an entire cryptographic solution suite in a single pane of glass, managing the whole cloud platform from a centralized location. This helps avoid data silos and IT sprawl while consolidating your infrastructure.

How will we ensure the same level of compliance?

Go with a cloud provider whose cloud solutions are based on highly compliant hardware. That way, every cryptographic function taking place in the cloud is directly running off a PCI-validated physical counterpart.

How will a cloud solution impact our ability to conduct audits?

In short, by making it easier and more transparent. A centralized management dashboard can deliver audit logging functionality, as well as real-time monitoring and alerting. All metrics are compiled and can be exported into different formats depending on your system.

Will we lose any amount of control over our own and our customers' data?

Organizations that adopt cloud solutions typically expand their options for control: not just through more efficient management, but through cloud-based services such as bring your own key (BYOK), remote key loading (RKL), and support for Google External Key Manager (EKM) and client-side encryption.
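The services named above rest on one pattern: the customer keeps the key-encryption key (KEK) inside an HSM or external key manager, applications encrypt data locally under a per-record data-encryption key (DEK), and the cloud only ever stores the wrapped DEK next to the ciphertext. The following Go program is an added illustration of that envelope pattern; it is not code from this article or from Futurex. The `simulatedHSM` type, its `WrapKey`/`UnwrapKey` methods and the `Envelope` struct are assumptions standing in for a real HSM or KMS interface, and the sample KEK and record are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// simulatedHSM stands in for a cloud HSM or external key manager. kek is the
// customer-supplied key-encryption key imported at provisioning (the BYOK case);
// it never leaves the struct, callers only get wrap/unwrap. Assumed interface.
type simulatedHSM struct {
	kek []byte
}

// WrapKey encrypts a data-encryption key (DEK) under the KEK with AES-256-GCM.
func (h *simulatedHSM) WrapKey(dek []byte) ([]byte, error) {
	return gcmSeal(h.kek, dek, []byte("dek-wrap"))
}

// UnwrapKey recovers a DEK; it fails on tampering or on the wrong KEK.
func (h *simulatedHSM) UnwrapKey(wrapped []byte) ([]byte, error) {
	return gcmOpen(h.kek, wrapped, []byte("dek-wrap"))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag; the AAD binds the blob's purpose.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and authenticates both ciphertext and AAD.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Envelope is what reaches cloud storage; without the HSM-held KEK it is opaque.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptClientSide makes a fresh DEK, encrypts the record locally, and asks
// the HSM only to wrap the DEK, so plaintext never leaves the client.
func EncryptClientSide(hsm *simulatedHSM, record []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, record, []byte("record"))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := hsm.WrapKey(dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptClientSide unwraps the DEK through the HSM and decrypts locally.
func DecryptClientSide(hsm *simulatedHSM, env Envelope) ([]byte, error) {
	dek, err := hsm.UnwrapKey(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, []byte("record"))
}

func main() {
	// Constructed sample KEK (32 bytes); a real one is generated on-premises.
	hsm := &simulatedHSM{kek: []byte("0123456789abcdef0123456789abcdef")}
	env, _ := EncryptClientSide(hsm, []byte("txn:amount=42.00"))
	pt, err := DecryptClientSide(hsm, env)
	fmt.Printf("recovered=%q err=%v\n", pt, err)
}
```

The design point for an auditor is the boundary: the only call that crosses into the key manager is wrap/unwrap of a 32-byte DEK, so the provider sees neither plaintext nor the KEK, and a different KEK (or any modified byte of the stored envelope) is rejected by the GCM tag rather than silently yielding garbage. Distinct AAD strings for the two blob types keep a wrapped DEK from being replayed as a record.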

Do cloud platforms create security risks in the form of user access?

On the contrary, it is easy to manage user permissions and separation of duties on cloud platforms. User privileges can be separated both horizontally and vertically, including for cloud admin super-users.

Today, many organizations host their critical applications with a public cloud provider and implement data security using a cloud HSM service. These organizations reap the benefits of hosting in the cloud – flexibility, customizability, reduced cost – and maintain a high standard of hardware-backed security. Organizations self-manage the connection between their applications and their cloud HSMs.

 - The author is Vice President – South Asia, Futurex



Add new comment