
Stay in control: Why managing your own keys in the cloud is essential


Why is key management so important for public sector organisations?

The term ‘Bring your own device’ is now on everyone’s lips. The concepts of ‘Bring your own Key’ and ‘Hold your own Key’, on the other hand, are still relatively unknown. In the following, we explore these terms in more detail and explain why a key management system of their own is essential for public sector organisations.

Data security in the cloud has become one of the cornerstones of modern IT strategies. For CISOs in the public sector, it is essential that sensitive information stored in the cloud is protected by robust security measures. Key management plays a crucial role in this regard, as it forms the basis for strong data encryption and access controls.

The use of cloud services without external key management that is independent of the cloud service provider presents a wide range of challenges and risks. Without direct control over encryption keys, organisations are exposed to potential security breaches that can lead to data loss, compliance violations and significant reputational damage. Furthermore, legal requirements such as the US Cloud Act and the GDPR necessitate the careful handling of personal and sensitive data. This is difficult to ensure without external key management.

The following section explains how independent key management both enhances security and supports compliance with regulatory requirements.

What is key management?

The term ‘key management’ refers to the handling of cryptographic keys within an organisation. Encrypting and decrypting data is an important aspect of data protection, and the keys used for this must themselves be managed securely. An effective key management system (KMS) ensures that these keys are securely generated, stored, distributed, used and, finally, deleted or archived.

Two methods of key management

An organisation has the option of setting up the management of encryption keys within the system or application that uses the keys. This is referred to as internal key management. When the management of keys is outsourced to a location outside the system, this is known as external key management. External key management itself can be implemented in more than one way.

  • Bring your own key (BYOK): With BYOK, the organisation retains control over the generation and management of encryption keys, but passes them on to an external service provider. The organisation generates the keys itself and then uploads them to the provider’s systems or services, which are used to encrypt data.
  • Hold your own key (HYOK): With HYOK, the organisation not only retains control over the generation and management of encryption keys, but also retains physical control over the keys. Encryption and decryption are carried out exclusively by the organisation, with the external service provider having no access whatsoever to the keys.


The key difference between the two approaches is that, with HYOK, the organisation also retains physical control of the key. HYOK therefore offers the highest level of control and security. This approach significantly reduces the risk of data misuse, as the service provider is never able to read the data, even if it has physical access to the storage media.

In the next section, we examine further risks that arise when an organisation has no key management of its own, whether operated in-house or by an external party.


Risks associated with not having your own external key management system

Access under the US Cloud Act
The use of external cloud services without external key management increases the risk that confidential data may be accessed through government surveillance measures. The US Cloud Act allows US authorities to access data stored by US companies, regardless of whether that data is located on servers within or outside the US. For European organisations, this means that information managed by US cloud providers without adequate key management is potentially accessible. This raises significant data protection concerns.

Risks arising from data misuse and data breaches
Without a key management system of its own, operated independently of the cloud provider, an organisation faces an increased risk of data misuse, as the keys required to decrypt its data are not entirely under its control. This can lead to data breaches if, for example, unauthorised third parties gain access to the keys. Such breaches can not only result in financial penalties, but also cause lasting damage to the trust of customers and partners.

Now that the risks have been highlighted and it is clear how important a fully functional key management system (KMS) of your own is, we next look at the benefits it brings.

Advantages of in-house key management compared with standard encryption provided by cloud service providers

In-house key management offers several advantages over relying on the standard encryption services provided by cloud providers:

  • Compliance: Organisations have the option of adapting their encryption policies and procedures to specific requirements and compliance standards. This is particularly crucial for the public sector in order to ensure compliance with the GDPR or to meet the requirements of the NIS2 Directive.
  • Tailor-made solution: Having your own KMS enables a tailor-made security strategy that is specifically tailored to the organisation’s needs and security requirements. This is often not possible when relying on the standard tools and protocols provided by cloud providers.
  • Protection against unauthorised access by third parties: Using their own key management system enables organisations to protect their data from potential threats posed by unauthorised access by third parties. Even if an attack on the cloud is successful, the data is useless without the relevant key. This enhances the security of your data, particularly in environments where there is a higher risk of data breaches or attacks.
  • Separation of authorisations: Whilst authorisation structures in the cloud are already quite fine-grained, it is possible to use in-house key management to restrict control over central security keys to a small group of users.

Implementing in-house key management enables organisations to maintain a robust security posture with solutions that are both flexible and compliant with EU data protection standards. Next, we will look at what can happen if an organisation has not implemented its own key management system.

Examples of real-world security breaches caused by inadequate key management

  • A well-known example is the incident at a major international company in which hackers gained access to inadequately secured data held by a hyperscale cloud provider and published sensitive information. This resulted in significant damage, including a loss of trust in the company’s security measures and substantial compensation payments.
  • Another case concerns the compromise of personal data belonging to millions of users of a healthcare platform. The keys were stored in a public cloud without adequate management. The resulting breach of data protection regulations led to heavy fines and legal consequences.

These examples clearly illustrate that the risks of not having an in-house key management system can be far-reaching. They highlight the need for organisations, particularly in the public sector, to implement an independent and secure key management system in order to ensure the security and confidentiality of their data.

Explanation of how it works and its technical specifications

  • Additional encryption: Magenta Security Key Management.ID utilises a dual-encryption technique. The data is first encrypted using a data key, and that data key is then itself encrypted using a second key that is managed outside the hyperscaler cloud. Only the encrypted form of the data key is stored alongside the data, so even if this stored key material is compromised, the data cannot be decrypted without the second key.
  • Compliance with the GDPR and other relevant regulations: The system is designed to be fully compliant with the European General Data Protection Regulation (GDPR) and other relevant security standards and regulations. It ensures that all data protection requirements are met by guaranteeing the secure storage and handling of keys within the EU.

Benefits of the solution in the context of cloud security

  • Enhanced cloud security: Thanks to the additional encryption provided by Magenta Security Key Management.ID, organisations can protect themselves against data misuse in the event of a breach of the hyperscaler cloud.
  • Flexibility and scalability: Magenta Security Key Management.ID offers a flexible and scalable solution that can be easily adapted to organisations’ growing security requirements.
  • GDPR compliance through our Trust Centre: The solution supports GDPR compliance by managing your central data keys for hyperscaler clouds in our Trust Centre, which is operated in Germany.
  • Multicloud key management: Our solution enables organisations to manage cryptographic keys across multiple clouds and technologies (AWS, GCP, KMIP, NAE) from a single central location.
  • BYOK and HYOK: Our solution supports both the BYOK and HYOK methods, which we described in the first section.

With Magenta Security Key Management.ID, we offer a technical solution that enables cloud operations to be designed securely and efficiently. At the same time, we meet the legal requirements for the protection of sensitive data.

Outlook for the future of cloud security and key management

The cloud security landscape is undergoing rapid change. This is driven by the increasing adoption of cloud technologies and the growing complexity of cyber threats. A key trend in this area is the increasing adoption of multi-cloud strategies. Whilst these offer organisations flexibility, they also present new security challenges. In this context, both in-house and external key management are becoming increasingly important, as they centralise and standardise security across different cloud platforms.

Furthermore, the concept of Zero Trust – whereby, as a matter of principle, no access is trusted without verification – is gaining in importance. Key management plays a central role here by ensuring that access rights and encryption protocols are strictly enforced. Technologies such as artificial intelligence and machine learning are also increasingly being used to make key management systems more intelligent and to make automated decisions regarding key rotation and renewal.

Conclusion: Key management as a strategic investment in security and compliance

Having your own key management system is more than just a technical security measure. It is a strategic investment that makes a significant contribution to a company’s resilience, compliance and competitiveness. Ensuring control over and the security of critical data is of paramount importance for companies in order to gain the trust of customers and partners whilst meeting regulatory requirements.

Telekom Security is one of the largest IT service providers for the public sector in Germany. We have successfully collaborated with the Federal Office for Information Security on numerous projects. This has enabled us to gain extensive experience in the digitalisation and security of the public sector.

We have been active in the field of Public Key Infrastructure (PKI) and key management in particular for many years, and through our Trust Centre we ensure, amongst other things, the authenticity of all electronic public transport tickets in Germany. We are, of course, happy to share our expertise with you on request. If you are interested in learning more about identity security, please feel free to take a look at our white paper for a comprehensive overview.

White paper: Key Management



Digital identities form the basis of digitalisation. This white paper explains why identity security is becoming increasingly important in the face of identity theft, regulation, SASE and Zero Trust – and outlines key security components.


Marco Klatt

Success through security – Telekom Security

“I’ve always been passionate about simplifying and optimising things. At Telekom, we’re working to support customers on their journey towards fast digital processes and to ensure that these are secure and protected – so that the state is safeguarded and remains functional.”
