When it comes to encrypting data in the cloud, encryption key management can get a little tricky. I sat down with Patrick Townsend, CEO and Founder of Townsend Security to ask: If key management is so important for compliance, how can organizations working in cloud platforms such as Microsoft Windows Azure be sure they’re deploying good key management?

First of all, when you’re encrypting data, you should never, ever store your encryption keys on the same server where your encrypted data is stored. When it comes to encryption key management for cloud applications, there are really 3 different models:

1. Use an external Hardware Security Module (HSM) as part of your own IT infrastructure.
This model allows applications running in Windows Azure to use encryption services or retrieve an encryption key through a secure connection to the key server placed in your own IT infrastructure. Using dual control and separation of duties, this is usually the best and easiest model for Cloud users and will help you to meet data security compliance regulations.

2. Outsource encryption key management to a physical hosting environment.
Rather than placing an encryption key management HSM in your own infrastructure, you can use a professional hosting company to hold your key management server in a high security hosting environment. With this model, your Windows Azure applications will communicate to the hosted key server off-site to perform encryption and key retrieval services.

3. Run Key Management in The Cloud.
Storing encryption keys in the cloud is generally considered a bad idea. The cloud is typically a less secure environment because its services are usually shared with other users. These services include disk space, memory, and other facilities that other companies may also be using. In a cloud environment there are more factors and complexities at play, and many unknowns about how the cloud provider protects the data. Even compliance regulations such as PCI-DSS mention these risks associated with the cloud. That’s why we recommend companies use an external HSM, ideally within their own infrastructure, to keep their encryption keys under their own control and eliminate unknown factors.

In the end, however, the model you use to store encryption keys isn’t the last step to protecting your data and meeting compliance. You must always, always, always, have a strategy for managing keys that includes dual control, separation of duties, and split knowledge. There are some companies using an external HSM for their keys and are still not meeting compliance regulations because they are managing their keys poorly.

Want to learn more? Check out the Podcast, “Securing Microsoft Windows Azure with Encryption and Key Management” to learn how to meet compliance regulations with encryption and key management, performance considerations, managing encryption keys, and what to look for when deciding on an encryption key management solution.