KeyNexus
https://keynexus.net

A New Approach to Key Storage in AWS

Key storage for S3, EC2 and more

KeyNexus for AWS Overview

Amazon Web Services (AWS) offers a powerful platform to IT teams embracing the possibilities of elastic scale. KeyNexus supports an array of integrations and use cases that can help any enterprise significantly improve the security posture of its Amazon Web Services workflows. As a pioneer in universal, platform-agnostic key management and storage, KeyNexus offers direct integration with numerous services and use cases across AWS. We also support custom, API-driven integrations into Amazon Web Services workloads.

KeyNexus leverages AWS’s native platform and service-level security (Identity and Access Management (IAM) and embedded encryption) to further secure the customer key management workflows we enable.

KeyNexus for AWS S3

Object storage is a natural fit for embedded server-side encryption, and AWS has offered just that. More importantly, AWS now recognizes how important it is for enterprises to externally own and manage their encryption keys, and offers a ‘Customer Provided Key’ option for this encryption service. Enterprises can now invoke S3 server-side encryption with customer provided keys (SSE-CPK) via AWS APIs; however, they are still left with the daunting challenge of securely storing, managing and provisioning these keys 24×7 into these S3-consuming workflows. This is where KeyNexus comes in. KeyNexus has integrated with these same AWS APIs so that enterprises can quickly and easily benefit from S3 encryption while having complete assurance that they exclusively own and control their master encryption keys.
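To make the provisioning problem above concrete, here is an added example (not KeyNexus code) that builds and checks the three request headers S3 requires for a customer-provided key, using the documented header names; the demo key is constructed, and in practice it would be fetched from the external key store on every request, since S3 keeps no copy of it.

```python
import base64
import hashlib

# Header names S3 requires on every request that touches an SSE-C object.
SSE_C_ALGORITHM = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def is_valid_sse_c_key(raw_key) -> bool:
    """SSE-C accepts exactly one key type: a 256-bit (32-byte) AES key."""
    return isinstance(raw_key, (bytes, bytearray)) and len(raw_key) == 32


def sse_c_headers(raw_key: bytes) -> dict:
    """Build the three SSE-C headers for a customer-provided key.

    S3 wants the key base64-encoded plus a base64 MD5 digest of the raw key
    bytes (not of the base64 text). The digest only lets S3 detect a key
    corrupted in transit; it is not a security control. Because S3 stores no
    copy of the key, the same headers must accompany every later GET/HEAD/COPY
    of the object, so the key store must be reachable by the workload 24x7.
    """
    if not is_valid_sse_c_key(raw_key):
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        SSE_C_ALGORITHM: "AES256",
        SSE_C_KEY: base64.b64encode(raw_key).decode("ascii"),
        SSE_C_KEY_MD5: base64.b64encode(hashlib.md5(raw_key).digest()).decode("ascii"),
    }


def sse_c_headers_consistent(headers: dict) -> bool:
    """Check a header set the way S3 does before accepting the request:
    algorithm is AES256, the key decodes to 32 bytes, and the MD5 matches."""
    try:
        raw_key = base64.b64decode(headers[SSE_C_KEY], validate=True)
        key_md5 = base64.b64decode(headers[SSE_C_KEY_MD5], validate=True)
    except (KeyError, ValueError):
        return False
    return (headers.get(SSE_C_ALGORITHM) == "AES256"
            and is_valid_sse_c_key(raw_key)
            and hashlib.md5(raw_key).digest() == key_md5)


def key_from_headers(headers: dict) -> bytes:
    """Recover the raw key from a consistent header set, e.g. when auditing
    what a proxy that injects externally stored keys actually forwarded."""
    if not sse_c_headers_consistent(headers):
        raise ValueError("inconsistent or malformed SSE-C headers")
    return base64.b64decode(headers[SSE_C_KEY])


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed demo key, never use a fixed key
    print(sse_c_headers(demo_key))
```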

KeyNexus for AWS EC2

A common request from customers is the requirement for full volume encryption within AWS EC2, on-premise hosted volumes and within other public clouds. On AWS, KeyNexus addresses this requirement in two ways. The first is that KeyNexus customers are free to leverage our APIs to provision their keys for use by most standardized volume encryption tools or libraries.

The second option is that KeyNexus has performed a direct integration with Amazon Linux O/S volume encryption and packaged this as an AMI on the AWS Marketplace. For customers interested in a volume encryption solution that is easy to set up, scale and automate, with external self-managed keys, please see our AWS listing:

KeyNexus HSM Encryption Key Storage and Management

Alternatively, KeyNexus can provide installable libraries for a variety of operating system types if you are interested in this approach to volume encryption but are looking to:

  • use a different variant of Linux or Windows than the KeyNexus AMI presents, or
  • add volume encryption to existing, preconfigured AMIs, or
  • leverage KeyNexus for on-premise or non-AWS-hosted volumes.

KeyNexus On-Demand APIs within AWS

KeyNexus On-Demand APIs enable businesses to store and manage their keys securely on KeyNexus and then programmatically request them from within their cloud-based applications. This enables businesses to architect their own encryption, or other security, use cases for key provisioning within their AWS apps and databases. For more info please see our KeyNexus On-Demand APIs page.

Doesn’t AWS offer key management and storage?

Absolutely. In fact, Amazon has two distinct key management/storage solutions, either of which may meet your needs. However, the architectural and business parameters of these two services vary considerably from the KeyNexus approach. Let KeyNexus help you assess the right approach for your unique security, environment, and regulatory needs.

Important KeyNexus differentiators from both AWS Key Management Service (KMS) and AWS CloudHSM include:

  • AWS CloudHSM imposes steep operating costs and barriers to entry:

    • KeyNexus offers competitive operational costs with a subscription plus per-key pricing model, versus per-HSM pricing, and no upfront costs.
    • No HSM setup and maintenance, immediate time to market. Simple devops front-end touchpoints.
    • Universal accessibility and consumption from any cloud, SaaS, mobile or on-premise application environment. APIs in most common languages. Use KeyNexus for all your key management workflows, not just those on Amazon.
    • Deploy KeyNexus on-premise or in the cloud to meet your security and regulatory requirements. Leverage your on-prem hosted HSMs to protect keys for Amazon-based workloads via KeyNexus.
    • KeyNexus offers dozens of turnkey use cases and integrations, internal and external to AWS. CloudHSM only supports a few.
    • KeyNexus offers the same FIPS 140-2 SafeNet Luna hardware security modules (HSMs) as CloudHSM. But with KeyNexus they are quicker, easier, and more affordable to consume, with a more feature-rich user experience.
    • Key storage architecture that solves for the theoretical risk of government access to physical HSMs.
    • Advanced key management and policy enforcement not found in CloudHSM.
    • Simple, intuitive KeyNexus user interface versus CloudHSM’s command-line-only interface.
  • Amazon KMS is affordable and easy to consume, however:

    • KMS is not backed by FIPS 140-2 compliant hardware; KeyNexus is.
    • KMS is Amazon owned and operated; Amazon has documented that they retain access to your master keys. With KeyNexus you are the sole owner of your keys. KeyNexus is purposefully architected to ensure that neither Amazon, KeyNexus, nor the government can access your keys without your permission.
    • Support for a broader array of key/secret types, including customer-defined secrets.
    • Unlike KMS, KeyNexus does not require you to add external users to your AWS security groups.
    • KeyNexus lets you benefit from the value of enterprise-grade, FIPS 140-2 compliant, HSM-based key storage without the CapEx, setup or maintenance.
    • Universal accessibility and consumption from any cloud, SaaS, mobile or on-premise application environment, with APIs in most common languages. Use KeyNexus for all your key management workflows, not just those on Amazon.
    • Deploy KeyNexus on-premise or in the cloud to meet your security and regulatory requirements. Leverage your on-prem hosted HSMs to protect keys for Amazon-based workloads via KeyNexus.
    • KeyNexus offers dozens of turnkey use cases and integrations, internal and external to AWS, whereas KMS only supports a few.
    • Key storage architecture that solves for any theoretical risk of government access to managed KMS servers.
    • Advanced key management and policy enforcement not found in KMS.

The Result…

KeyNexus for Amazon Web Services empowers cloud users of all sizes to easily and affordably experience the highest levels of data encryption while still maintaining ownership, control and auditability of keys. Get all the security and benefits of enterprise encryption appliances without the cost or hassle. KeyNexus continues to integrate popular AWS services, so we’d love to hear from you about your interests and priorities.