I am often asked about public cloud provider encryption key services like AWS KMS and Azure Key Vault. There are substantial differences between an Enterprise Key Management System (we have one) and the key services provided by Amazon and Microsoft (and Google has one, too). Enterprise Key Management Systems provide dedicated, full lifecycle key management under your exclusive control. Cloud key services provide a small subset of encryption key management support, in a non-dedicated, multi-tenant, shared environment.
Perhaps the best way to show the differences is in a side-by-side table comparing our Alliance Key Manager for AWS and Azure, and Cloud Service Provider (CSP) key services:
|
Feature |
Alliance Key Manager |
Cloud Key Service |
|
Standards |
||
|
FIPS 140-2 Compliant |
Yes |
Back end only |
|
OASIS KMIP compliant |
Yes |
No |
|
Operational |
||
|
Dedicated control |
Yes |
No, Shared Custody |
|
Cross cloud |
Yes |
No |
|
Mirror keys to on-premise |
Yes |
No |
|
On-premise to cloud seamless migration |
Yes |
No |
|
Backup off cloud |
Yes |
No |
|
Key mirroring across regions/zones |
Yes |
No |
|
Migrate to HSM |
Yes |
No |
|
Automatic failover across regions/zones |
Yes |
No |
|
VMware and Kubernetes |
||
|
VMware encrypted VM support |
Yes, certified |
No |
|
VMware encrypted vSAN support |
Yes, certified |
No |
|
VMware vTPM support |
Yes |
No |
|
Database & Application |
||
|
SQL Server TDE support |
Yes |
No |
|
MongoDB Enterprise Advanced support |
Yes |
No |
|
MySQL Enterprise support |
Yes |
No |
|
IBM DB2 support |
Yes |
No |
|
Drupal |
Yes |
No |
|
SDKs |
||
|
Java |
Yes |
Yes |
|
.NET (C#) |
Yes |
No |
|
Python |
Yes |
Yes |
|
C/C++ |
Yes |
Yes |
|
PHP |
Yes |
No |
|
Perl |
Yes |
No |
|
RPG |
Yes |
No |
|
COBOL |
Yes |
No |
