Thales, Microsoft serve secure crypto in the cloud

Summary: Microsoft and Thales e-Security have deployed an architecture for encrypted cloud storage where you, the customer, control the keys and the provider has none.

TOPICS: Security, Cloud

Are you concerned about the security of your data in the cloud? Of course you should be, even if you're just an isolated consumer. But what if you're responsible for the security of data for an enterprise?

The economics of cloud computing are too compelling to ignore. How can you minimize the amount of trust you must place in the cloud provider? The answer involves hardware security modules (HSMs).

An HSM is a hardware device that stores and manages encryption keys and performs other cryptographic processing. They are used in high-value situations. Microsoft uses HSMs to generate the code signing keys for Windows. The IANA uses HSMs to generate keys for and to sign the DNSSec root zone. That kind of high-value. The keys and other internal memory of the HSM are inaccessible to the outside, and the device can be configured to operate only with specific authorization.

In the normal design of a cloud service like Windows Azure, you don't completely control the encryption keys, assuming your data is encrypted at all. Combined with other good security practices, HSMs can minimize the points of risk at which unencrypted data could become accessible outside of your control.

Thales e-Security and Microsoft have come up with the architecture for a solution for enterprises. It uses HSMs hosted in the cloud, but administered by you. The actual announcement is related to the use of Microsoft's Windows Azure Rights Management Service (RMS). Enterprises can use a Thales HSM on-premise to generate a "tenant key" and securely transfer it to Thales HSMs running in the Azure cloud.

Even though the HSM in the cloud generating and managing the keys belongs to Microsoft, Microsoft cannot access those keys. Thales calls this "Bring Your Own Key" (BYOK).
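To make the BYOK flow concrete, here is an added illustration (not Thales's or Microsoft's actual protocol, whose transfer format is not described in the article): the customer's on-premise HSM generates the tenant key and wraps it to a public key-exchange key published by the cloud HSM, so that only the private half held inside the cloud HSM can unwrap it, and the cloud provider only ever handles the wrapped blob. RSA-OAEP as the wrapping mechanism, the `wrapLabel` value and the 256-bit tenant key are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Label bound into the OAEP wrapping (assumed value) so a blob unwraps only as a tenant key.
var wrapLabel = []byte("tenant-key")
// CloudHSM stands in for the Thales HSM hosted in Azure. The private half of its
// key-exchange key (KEK) and the unwrapped tenant key never leave the struct, which
// plays the part of the HSM's tamper-resistant boundary.
type CloudHSM struct {
	kek    *rsa.PrivateKey
	tenant []byte
}

func NewCloudHSM() (*CloudHSM, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CloudHSM{kek: kek}, nil
}

// PublicKEK is the only key material the customer or the cloud provider ever sees.
func (h *CloudHSM) PublicKEK() *rsa.PublicKey { return &h.kek.PublicKey }
// ImportTenantKey unwraps the blob inside the boundary; the plaintext is kept, never returned.
func (h *CloudHSM) ImportTenantKey(wrapped []byte) error {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.kek, wrapped, wrapLabel)
	if err != nil {
		return err // wrong KEK or tampered blob: nothing is imported
	}
	h.tenant = k
	return nil
}

// Fingerprint lets the customer confirm the right key arrived without exporting it.
func (h *CloudHSM) Fingerprint() [32]byte { return sha256.Sum256(h.tenant) }
// WrapTenantKey models the customer's on-premise HSM: generate the tenant key and
// wrap it to the cloud HSM's public KEK, so only that HSM's private key can unwrap it.
func WrapTenantKey(pub *rsa.PublicKey) (tenantKey, wrapped []byte, err error) {
	tenantKey = make([]byte, 32) // 256-bit symmetric tenant key (constructed)
	if _, err = rand.Read(tenantKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, tenantKey, wrapLabel)
	return tenantKey, wrapped, err
}
```

The point the article makes is visible in the types: the only value that crosses the network is `wrapped`, and a second HSM with a different KEK cannot import it.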

This specific offering is interesting and useful, but I'm more interested in the fact that it's an architecture that can work more generally in the cloud for customer key management. This solution is Thales-specific.

All security comes down to issues of trust at some level. You want to know where you are trusting someone else and to secure that transaction as much as possible. In this case, the main trust point is the HSM itself. You don't know for a fact that the device doesn't have some secret back door for the NSA. Companies like Thales depend absolutely on trust for their survival. Even a significant, unintended vulnerability would be a major problem for such a company, but a back door would be disastrous. Nobody would or should trust an HSM company that would do such a thing.

But if you're going to try to do security right, you have to trust someone. HSMs may actually be the way to minimize trust in the cloud. Better to trust the HSM company than the cloud provider.

  • "You have to trust someone"

    Maybe, but why would you want to trust anyone who has already been shown to blithely cooperate with people who want to break your security? The NSA revelation has done a lot to shake confidence in any cloud solution at all. We had already made the decision not to store any financial data in the cloud, now with new hints of industrial and economic spying, we are questioning if there is *any* corporate data that is "safe" for the cloud.
    terry flores
  • The best security cloud systems are the ones

    where the host throws away their copy of the key, which might be as good a way of looking at it as "bring your own key." I support Microsoft and Thales' approach here, and I hope they do well with it.
  • Of course, you have to trust their software...

    to not give away the keys.

    It also doesn't scale well. A lot of "cloud" offerings exist to provide an "on-demand" computing capability. That doesn't work if the keys are not "in the cloud" to start with.

    Already been that route. Engineering prototype did that, but the problem was having to also distribute the keys. If you don't then all you get is a slow backup service.
    • the keys are in the cloud

      I'm not sure of your point, but with the Thales scheme, the keys are in the cloud.