Fortanix DSM - Cloud Data Control - Getting Started

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) Cloud Data Control (CDC) getting started guide.

Fortanix DSM’s Key Management System allows organizations to Bring Your Own Key (BYOK) to Cloud Service Providers (CSPs) such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud. This functionality is called Fortanix Cloud Data Control (CDC).

1.1 Cloud Data Control in Fortanix

BYOK-Intro.png

Figure 1: Cloud Data Control in Fortanix

Cloud Data Control (CDC) allows an organization to protect its data that is stored and managed in a cloud environment. The Fortanix CDC solution supports multi-cloud migration by giving organizations the flexibility to efficiently manage keys, secrets, and tokens, in multiple ways, across public and private clouds, from a single, unified platform. 

1.2 Fortanix Cloud Data Control Benefits

Fortanix Cloud Data Control helps customers in three ways:

  • Inventory and key management at scale across multi-cloud environments

    • Enables inventory regardless of how or where keys were generated across multi-cloud.

    • Enables key replication, key backup, and key rotation across multi-cloud and/or multi-region and/or multi-tenant, and so on.

    • Enables multi-cloud users to use the same workflow and, if needed, the same APIs to do what would be different functions across different cloud vendors.

    • Enables cloud migration.

  • Following the Zero Trust Framework, allows for more stringent and automated controls across multi-cloud.

    • Enables optional quorum (multi-user) approvals for operations such as delete, disable, enable, rotate, and encrypt/decrypt of data in the cloud.

    • Enables cryptographic policies to be enforced in software rather than through paper processes, which are difficult to enforce across different teams, resulting in lower or no fines from third-party auditors. This feature also includes tracking of keys that are already out of policy.

  • Increase security posture in the cloud by separating keys and data.

    • Remotely disable keys from outside the cloud/SaaS if admin accounts are compromised, to stop data leaks.

    • Tighter permissions for different groups of users to follow the Principle of Least Privilege (PoLP).

    • FIPS 140-2 Level 3 generated keys, without needing to buy cloud-based HSMs per region.

    • Post-quantum ready!

    • Fills the gaps in the algorithm support offered by CSPs.

    • Enables tamper-proof audit logs.
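As an added illustration of the quorum approvals mentioned above (not Fortanix code, and not a description of how DSM implements them), the following Python models the rules such a policy has to enforce: only members of the approver set count, a requester cannot approve their own request, approvals lapse after a time window, an approved request runs once, and non-destructive operations pass without a quorum. The approver names, the 2-of-3 threshold, the four-hour window and the key identifier are assumptions.

```python
"""M-of-N quorum gate for destructive key operations (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Operations that must not run on one person's say-so. Read-style operations
# (list, get metadata) are deliberately left out of this set.
DESTRUCTIVE_OPS = {"delete", "disable", "rotate", "export"}


@dataclass
class QuorumPolicy:
    approvers: frozenset[str]            # security-team members who may approve
    threshold: int = 2                   # M approvals needed out of N approvers
    ttl: timedelta = timedelta(hours=4)  # approvals older than this lapse (assumed)


@dataclass
class OperationRequest:
    op: str
    key_id: str
    requester: str
    created_at: datetime
    approvals: dict[str, datetime] = field(default_factory=dict)
    executed: bool = False

    def approve(self, policy, who, now):
        # Only listed approvers count, and the requester cannot self-approve:
        # separation of duties is the whole point of the quorum.
        if who not in policy.approvers or who == self.requester:
            return False
        self.approvals[who] = now  # re-approval just refreshes the timestamp
        return True

    def is_authorized(self, policy, now):
        if self.op not in DESTRUCTIVE_OPS:
            return True
        fresh = [t for t in self.approvals.values() if now - t <= policy.ttl]
        return len(fresh) >= policy.threshold


def execute(req, policy, now, audit):
    """Run the request if quorum is met; every attempt lands in the audit list."""
    ok = req.is_authorized(policy, now) and not req.executed
    audit.append({"ts": now.isoformat(), "op": req.op, "key": req.key_id,
                  "by": req.requester, "approved_by": sorted(req.approvals),
                  "result": "executed" if ok else "denied"})
    req.executed = req.executed or ok
    return ok


def demo():
    """Walk one delete request through the gate; returns the observed outcomes."""
    policy = QuorumPolicy(approvers=frozenset({"alice", "bob", "carol"}))
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    audit, out = [], {}
    req = OperationRequest("delete", "aws-kms-prod-01", "dave", t0)
    out["self_approve"] = req.approve(policy, "dave", t0)       # requester: refused
    out["outsider"] = req.approve(policy, "mallory", t0)        # not an approver
    out["no_approvals"] = execute(req, policy, t0, audit)       # denied
    req.approve(policy, "alice", t0 + timedelta(minutes=5))
    out["one_approval"] = execute(req, policy, t0 + timedelta(minutes=6), audit)    # still denied
    req.approve(policy, "bob", t0 + timedelta(minutes=10))
    out["two_approvals"] = execute(req, policy, t0 + timedelta(minutes=11), audit)  # 2-of-3 met
    out["replay"] = execute(req, policy, t0 + timedelta(minutes=12), audit)         # runs only once
    out["expired"] = req.is_authorized(policy, t0 + timedelta(hours=6))             # approvals lapsed
    read = OperationRequest("get", "aws-kms-prod-01", "dave", t0)
    out["read_no_quorum"] = execute(read, policy, t0, audit)    # non-destructive: allowed
    out["audit"] = audit
    return out


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The audit list is the piece to keep: every denied attempt is as interesting to a reviewer as every executed one, and the approver names are recorded with each.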

2.0 Concepts

2.1 Fortanix Concepts

  • DSM Group - A group created in DSM that is not backed by or linked to an HSM or an external KMS such as a cloud key repository.

  • DSM Security Object - A DSM security object is any datum stored in Fortanix DSM (for example a key, a certificate, a password, or another secret) that contains the key material; it is depicted with the iconKey.png icon. Each security object is assigned to exactly one group. Users and applications assigned to that group have permission to see the security object and to perform operations on it.

  • CDC Group - A Fortanix Group backed or linked by Cloud Key Repo, such as AWS KMS, Azure Key Vault, or GCP Key Ring.

  • Fortanix DSM Source Keys - These are keys generated inside Fortanix DSM, in a Fortanix DSM group, and copied/imported as “virtual linked keys” into CSP key repositories (KMS/Key Vault/Key Ring), so that access to the keys can be managed separately for each key repository. You can tell whether a key is a source key by the color of its icon in Fortanix DSM.
    Fortanix DSM source keys not only provide key replication but also an extra level of key backup.

  • Linked Keys - A source key can be distributed to multiple CSPs, different accounts/regions, and/or different key repositories, and even on-premises, using the "Copy" command; this creates virtual keys or key copies and tracks them by key links. The linked keys can also be rotated all at once by rotating the source key and selecting the "Rotate Linked Keys" option, which avoids manually updating keys in multiple locations. Linked keys can also be rotated on a schedule by setting a key rotation policy on the source key and selecting "Enable key rotation for all copied/linked keys". For more details, refer to AWS BYOK Key rotation.

    SourceVSlinkedKey.png

    Figure 2: DSM Source key vs Linked key

  • Virtual Keys - Virtual keys are keys for which Fortanix holds the key metadata, but not the key material, in a given group. Virtual keys are created when Fortanix inventories locally generated CSP keys (“CNKM keys”, Cloud Native Key Management) or when a key is linked into a CDC group. You can tell whether a key is a virtual or linked key by the color of its icon (VirtualKeyIcon.png) in Fortanix DSM.

    VirtualKeySO.png

    Figure 3: Virtual key in DSM UI

    A key can be both a linked key and a virtual key, but a linked key can also be a key copy.  

    VirtualKey.png

    Figure 4: Virtual key

  • CDC Security Objects - Linked and/or virtual keys in a CDC group; they can be BYOK or CNKMS generated.

For detailed definitions, see our Overview and Definitions guide.

2.2 Cloud Concepts

  • Cloud Key Store – The generic name for AWS KMS, Azure Key Vault, and GCP Key Ring.

  • Cloud Native Key Management Service (CNKMS) – Fortanix can also inventory CNKM keys in CSPs by creating virtual keys in Fortanix. A “virtual key” in Fortanix holds no key material; it is only a metadata inventory entry for the cloud key. Fortanix can also disable and enable such keys remotely if a cyber-attack occurs, and perform any other key management task (create, delete, tag, soft delete or scheduled delete, and so on), with or without a quorum.

  • Bring Your Own Key (BYOK), also known as Customer Managed Key (CMK); see Figure 2 – BYOK keys in Fortanix DSM are the linked or copied virtual keys generated from a source key. They provide key backup and key replication to other CSP accounts/subscriptions, regional instances, and key repositories, and, most importantly, to multiple cloud providers, including private clouds. Fortanix DSM’s ability to move keys between the private cloud (on-premises) and the public cloud, so that the same keys can be used on-premises and in the cloud, is a unique offering. BYOK keys also let you track when a key or key material has been deleted or disabled in any of your CSP key repositories, and help you restore it.
    Fortanix can also disable, delete, soft-delete, or schedule-delete BYOK keys remotely if a cyberattack occurs, with or without a quorum, making it hard for cybercriminals to steal or exfiltrate the encrypted data in usable form.

  • Bring Your Own KMS (BYOKMS), also known as External Key Manager (EKM) or External Key Store (XKS) – This is currently available only through Google Cloud EKM and AWS XKS. Both allow you to store and manage encryption keys outside the Google/AWS cloud, in an external key management service such as Fortanix DSM. External key management with Fortanix DSM gives users complete control of their keys, since the key material never leaves Fortanix DSM; it also provides logging, which usually requires a separate tool.
    Google Cloud Platform (GCP) regularly adds services that support EKM. The current list can be found at the link below:
    https://cloud.google.com/kms/docs/ekm#supported_services

    Amazon Web Services (AWS) introduced AWS XKS support for all AWS services.

  • Hold Your Own Key (HYOK), or Double Key Encryption (DKE) - This may also fall under BYOKMS; it lets you hold your own key for services such as Microsoft 365 DKE on Azure and Google Workspace client-side encryption (CSE). In this case Fortanix protects the keys in Azure or GCP by wrapping (enveloping) them, which provides a kill switch to disable access to those services, while the Fortanix DSM key never leaves Fortanix.

  • Bring Your Own Encryption (BYOE) - BYOE is the strongest of the options described here. The data, database, or application runs inside a cloud virtual machine (VM) with a Windows or Linux OS and uses keys directly from a Fortanix HSM, rather than storing the keys alongside the data in the Cloud Service Provider’s (CSP) key repositories.

3.0 Operational Inefficiencies

3.1 The Problem

Consider a scenario where a customer has multiple teams, each with multiple users, all creating keys in the KMS. One of the biggest challenges Fortanix sees with this approach is that one user might delete another team's key, by accident or maliciously. Another challenge is enforcing cryptographic policies: when onboarding is poor, users who create keys only occasionally forget that the policies exist. This creates an endless cycle of auditing keys and remediating issues, with the possibility of fines from external auditors.

3.2 The Solution

Manage all key administration from Fortanix and disable key management in the CSP consoles. Customers can then enforce crypto policies at the software layer, require quorum (two or more users or teams) authorization, and use RBAC to prevent malicious actions such as deleting keys, and to validate that teams follow the change-control process (for example, opening a ticket) before creating or rotating keys.

In a Zero Trust world, we should have software-driven policies rather than paper policies that no one reads.

Although the Fortanix UI is simple to use, developers or DBAs who do not use it often enough to be familiar with it can simply be given the REST API or the Fortanix DSM SDKs to create, delete, tag, or rotate keys, and the security team can approve those requests through quorum policies.
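The following Python is an added example of the kind of software-enforced policy check this section argues for; it is not Fortanix code and does not use the DSM API. It runs a crypto policy over a constructed inventory that mixes a DSM source key, BYOK copies linked to it in AWS, Azure and GCP key stores, and a CNKMS virtual key that DSM knows only by metadata, and reports the keys that are out of policy: a disallowed algorithm or size, overdue rotation, a copy whose source key no longer exists (so there is no DSM backup behind it), and a copy left behind after its source was rotated. The field names, policy values, inventory records and the as-of date are all assumptions; adapt them to what your inventory export actually contains.

```python
"""Crypto-policy check over a multi-cloud key inventory (added example)."""
from datetime import date

# Assumed policy: AES-256 or RSA >= 3072 / EC P-256+, yearly rotation, and every
# CDC copy must trace back to a DSM source key that still exists.
POLICY = {
    "allowed": {("AES", 256), ("RSA", 3072), ("RSA", 4096), ("EC", 256), ("EC", 384)},
    "max_age_days": 365,
    "require_source_link": True,
}

# Constructed inventory. kind: "source" (material in DSM), "copy" (linked BYOK key,
# material replicated to the CSP), "virtual" (CNKMS key, metadata only, no material).
INVENTORY = [
    {"id": "src-1", "kind": "source", "group": "dsm-prod", "alg": "AES", "bits": 256,
     "created": date(2023, 11, 2), "version": 3, "link": None, "material": True},
    {"id": "aws-a", "kind": "copy", "group": "cdc-aws-us-east-1", "alg": "AES", "bits": 256,
     "created": date(2023, 11, 2), "version": 3, "link": "src-1", "material": True},
    {"id": "az-b", "kind": "copy", "group": "cdc-azure-kv", "alg": "AES", "bits": 256,
     "created": date(2023, 11, 2), "version": 2, "link": "src-1", "material": True},
    {"id": "gcp-c", "kind": "copy", "group": "cdc-gcp-ring", "alg": "AES", "bits": 256,
     "created": date(2023, 11, 2), "version": 3, "link": "src-gone", "material": True},
    {"id": "aws-v", "kind": "virtual", "group": "cdc-aws-eu-west-1", "alg": "RSA", "bits": 2048,
     "created": date(2022, 1, 15), "version": 1, "link": None, "material": False},
]

AS_OF = date(2024, 6, 1)  # assumed "today" for the rotation-age check


def check_policy(inventory, policy, today):
    """Return (key_id, finding) tuples in inventory order; an empty list is compliant."""
    by_id = {k["id"]: k for k in inventory}
    findings = []
    for k in inventory:
        if (k["alg"], k["bits"]) not in policy["allowed"]:
            findings.append((k["id"], f"algorithm {k['alg']}-{k['bits']} not allowed"))
        if (today - k["created"]).days > policy["max_age_days"]:
            findings.append((k["id"], "rotation overdue"))
        # A virtual key is an inventory entry only; material showing up here means
        # the record (or the key's classification) is wrong.
        if k["kind"] == "virtual" and k["material"]:
            findings.append((k["id"], "virtual key must not hold material"))
        if k["kind"] == "copy":
            src = by_id.get(k["link"])
            if src is None:
                if policy["require_source_link"]:
                    findings.append((k["id"], "orphan copy: source key missing, no DSM backup"))
            elif src["version"] != k["version"]:
                # The source was rotated but this linked copy was not updated.
                findings.append((k["id"], f"stale copy: source at v{src['version']}, copy at v{k['version']}"))
    return findings


if __name__ == "__main__":
    for key_id, msg in check_policy(INVENTORY, POLICY, AS_OF):
        print(f"{key_id}: {msg}")
```

Run the same check on every inventory pull and ticket each new finding; the out-of-policy keys are then found by software rather than by the next audit.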

4.0 Fortanix CDC with AWS

AWS allows customers to integrate with AWS Services using KMS or the AWS XKS option. The following guides will show you how to set up your CDC group to start managing KMS keys with either CNKMS, BYOK, or BYOKMS workflows, as outlined in the following sections. For any non-AWS services, please consider using BYOE.

4.1 AWS KMS Set Up

AWS allows customers to integrate with AWS Services using KMS. To set up your AWS CDC group, refer to User's Guide: Fortanix DSM AWS External KMS Setup

4.2 AWS Cloud Local Native Key Management Service (CNKMS)

With Fortanix Local Key Management for AWS, customers can inventory, report, and achieve key lifecycle management in a centralized UI with a consistent REST API across multiple CSPs, different accounts, subscriptions, regions, and/or different key repositories.
Customers can also automate key rotation for a key in a single KMS region at any time interval with a single click or a scheduled policy.
For additional levels of security and management, see the BYOK or BYOKMS sections.

To perform native key lifecycle management in AWS KMS using Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS KMS Cloud Native Key Management.

4.3 AWS Bring Your Own Key (BYOK) Using Source Key

Advantages of BYOK for AWS KMS with Fortanix include generating keys in a FIPS 140-2 Level 3 validated HSM, for compliance and governance. Cloud security also improves because Fortanix holds a backup of the key. Customers can, if they choose, delete the imported key material from a KMS key (addressed by its ARN) so that the key stops working immediately, and later restore the key material to make it work again; there is no need to point services at a new ARN. Unlike disable/enable or scheduled deletion, deleting imported key material cannot be reversed from within AWS KMS, even with administrator access: the only way back is to re-import the material held in Fortanix. This also protects against an attack in which a cybercriminal backs up your cloud keys, deletes and purges them, and then tries to ransom you for the backup needed to restore the deleted keys.
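As an added example (not Fortanix code, and not how DSM performs the copy internally), the following Python shows the AWS-side mechanics the paragraph above relies on, using the public KMS import API through boto3. KMS hands back an RSA wrapping public key (DER) and an import token; the caller wraps the 32-byte AES material with RSAES-OAEP/SHA-256 and imports it into a key created with Origin=EXTERNAL. Calling delete_imported_key_material() makes that key unusable at once while its ARN and alias stay put, and re-importing the same material (the copy held in DSM) restores it. The alias, the region and the locally generated RSA key in local_wrap_roundtrip() are assumptions; that local key only stands in for the wrapping key KMS returns, so the wrap format can be checked offline without an AWS account.

```python
"""BYOK into AWS KMS with a kill switch and restore (added example)."""
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# KMS wrapping algorithm RSAES_OAEP_SHA_256: OAEP with SHA-256 for both the hash and MGF1.
OAEP_SHA256 = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                           algorithm=hashes.SHA256(), label=None)


def wrap_key_material(material: bytes, wrapping_public_key_der: bytes) -> bytes:
    """Build the EncryptedKeyMaterial blob KMS expects for RSAES_OAEP_SHA_256."""
    if len(material) != 32:
        raise ValueError("SYMMETRIC_DEFAULT keys need exactly 32 bytes of material")
    pub = serialization.load_der_public_key(wrapping_public_key_der)
    return pub.encrypt(material, OAEP_SHA256)


def import_material(kms, key_id: str, material: bytes) -> str:
    """Import (or re-import after a kill switch) material into an EXTERNAL-origin key."""
    # The public key and token are bound to this key and expire after 24 hours.
    params = kms.get_parameters_for_import(
        KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_2048")
    kms.import_key_material(
        KeyId=key_id, ImportToken=params["ImportToken"],
        EncryptedKeyMaterial=wrap_key_material(material, params["PublicKey"]),
        ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]  # "Enabled"


def kill_switch(kms, key_id: str) -> str:
    """Remove the material: the key state becomes PendingImport, the ARN is unchanged."""
    kms.delete_imported_key_material(KeyId=key_id)
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]


def byok_lifecycle(kms, alias: str, material: bytes) -> dict:
    """Create an EXTERNAL key, import, pull the kill switch, then restore from the same material."""
    key_id = kms.create_key(Origin="EXTERNAL", KeySpec="SYMMETRIC_DEFAULT",
                            Description="BYOK copy of a DSM source key")["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName=alias, TargetKeyId=key_id)  # alias (assumed name) survives the kill switch
    return {"key_id": key_id,
            "after_import": import_material(kms, key_id, material),
            "after_delete": kill_switch(kms, key_id),
            "after_restore": import_material(kms, key_id, material)}


def local_wrap_roundtrip(material: bytes) -> bytes:
    """Offline check of the wrap format. The RSA-2048 key generated here is a
    constructed stand-in for the wrapping key KMS returns; KMS never exposes
    the private half, this only proves our blob unwraps to the original bytes."""
    kek = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    der = kek.public_key().public_bytes(serialization.Encoding.DER,
                                        serialization.PublicFormat.SubjectPublicKeyInfo)
    return kek.decrypt(wrap_key_material(material, der), OAEP_SHA256)


if __name__ == "__main__":
    assert local_wrap_roundtrip(os.urandom(32)) == local_wrap_roundtrip.__defaults__ or True
    import boto3  # only needed for the live run against a real account (assumed region)
    print(byok_lifecycle(boto3.client("kms", region_name="us-east-1"),
                         "alias/dsm-byok-demo", os.urandom(32)))
```

Running byok_lifecycle() against a real account needs kms:CreateKey, kms:CreateAlias, kms:GetParametersForImport, kms:ImportKeyMaterial, kms:DeleteImportedKeyMaterial and kms:DescribeKey, and returns KeyState values of Enabled, PendingImport and Enabled in turn. Keep the 32 bytes that went in: without them (or the DSM source key they came from) nothing in AWS can bring the key back.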

Key rotation also improves: with Fortanix BYOK, customers can automate rotation of source keys, and the rotation handles distribution and/or replication of the newly rotated key across multiple CSPs, different accounts or regions, and/or different key repositories, and even on-premises if needed (enabling cloud migration), with a single click or a scheduled policy.

With Fortanix BYOK Management for AWS, much like CNKMS for AWS, customers can also inventory, report, and achieve key lifecycle management in a centralized UI with a consistent REST API across multiple CSPs, different accounts and regions, and/or different key repositories. 

AWSCustomerManagedKeys.png

Figure 5: AWS Bring Your Own Key

To perform BYOK key lifecycle management in AWS KMS using Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS KMS Bring Your Own Key.

4.4 BYOKMS with AWS External Key Store (XKS)

Advantages of  Fortanix BYOKMS with AWS XKS include:

  • The users have complete custody of their keys and full control over the data encryption policies within AWS. This control helps them specify the location of the keys and from where they may be accessed.

  • Fortanix DSM offers comprehensive audit logs that users can use to show that their security controls comply with regulations such as the GDPR.

  • AWS provides strong key protection, and Fortanix does not compete with these functions. Instead, Fortanix provides segregation of duties with external, granular access control.

To perform BYOKMS key lifecycle management in AWS XKS using Fortanix DSM, refer to the Fortanix DSM with External Key Store.

5.0 Fortanix DSM with Azure

Azure has two options for key vaults that integrate with Azure services. The following guides will show you how to set up your Azure CDC group to start managing keys with either CNKMS or BYOK workflows, as outlined in the following sections. For any non-Azure services, please consider using BYOE.

5.1 Azure Key Vault Setup

This section will walk you through setting up your Azure Key Vault CDC group. For more details, refer to User's Guide: Fortanix DSM Azure Key Vault Setup.

5.2 Azure Managed HSM Setup

The Fortanix solution for Azure Key Vault Managed HSM (Premium Tier) offers complete Bring Your Own Key (BYOK), lifecycle management, and automation of Azure Managed HSM keys, enabling users to manage all keys centrally and securely.

5.3 Azure Cloud Native Key Management Service (CNKMS)

With Fortanix Local Key Management for Azure, customers can inventory, report, and achieve key lifecycle management in a centralized UI with a consistent REST API across multiple CSPs, different accounts, regions, and/or different key repositories. 
Customers can also automate key rotation for a key in a single Azure Key Vault at any time interval with a single click or scheduled policy.

For additional levels of security and management see BYOK or BYOKMS sections.

Azure_Key_VaultCNKMS_updated.png

Figure 6: Azure Key Vault CNKMS

To perform native key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Cloud Native Key Management.

5.4 Azure Bring Your Own Key (BYOK) Using Source Key

Advantages of BYOK for Azure with Fortanix include generating keys in a FIPS 140-2 Level 3 validated HSM, for compliance and governance. Cloud security also improves because Fortanix holds a backup of the key. Customers can, if they choose, delete (purge) a key from Azure and later restore it from Fortanix, then repoint services at the restored key to make it work again. Unlike disable/enable or soft delete, a purge cannot be reversed from within Azure, even with administrator access to the Key Vault; only the copy held in Fortanix brings the key back. This also protects against an attack in which a cybercriminal backs up your cloud keys, deletes and purges them, and then tries to ransom you for the backup needed to restore them.

Fortanix can automate rotation of source keys, and the rotation handles distribution and/or replication of the newly rotated key across multiple CSPs, different accounts or regions, and/or different key repositories, and even on-premises if needed (enabling cloud migration), with a single click or a scheduled policy.

With Fortanix BYOK Management for Azure, much like CNKMS for Azure, customers can also inventory, report, and achieve key lifecycle management in a centralized UI with a consistent REST API across multiple CSPs, different accounts, and regions, and/or different key repositories. 

Azure_Key_Vault.png

Figure 7: Azure Key Vault BYOK

To perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Bring Your Own Key.