Security + Simplicity

60% had diffuclty to manage keys in the public cloud via BYOK

GLOBAL ENCRYPTION TRENDS STUDY 2020 - PONEMON INSTITUTE

Key management as service

 Cloud service providers as well as users of cloud services are increasingly concerned about data protection and look for client-side encryption. However, no pure cloud based solution with true cryptographic security exists.  We offer a novel a solution based on so- called Multi-Party Computation (MPC) protocols tailored to key management

How painful is key management?

Managing keys is painful

According to Ponemon institute, 60% of respondents rate key management as very painful, which suggests respondents view managing keys as a very challenging activity. The highest percentage pain threshold of 67 percent occurs in Germany. At 38 percent, the lowest pain level occurs in France. No clear ownership and lack of skilled personnel are the primary reasons why key management is painful

Keys shall not be visible in clear

Even keys stored only in server memory could be vulnerable to compromise. Where the value of the data demands it, keys should be encrypted whenever stored and only be made available in unencrypted form within a secure, tamper-protected environment and even (in extreme cases) kept offline.

Rogue employee or Admin

The most significant threats to the exposure of sensitive or confidential data are employee mistakes. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh concerns over actual attacks by temporary or contract workers and malicious insiders

Hacking encryption keys

A key is essentially just a random number – the longer and more random it is, the more difficult it is to break it. The strength of the key should be appropriate for the value of the data it is protecting and the period of time for which it needs to be protected. The key should be long enough for its intended purpose and generated using a high-quality (ideally certified) random number generator (RNG), ideally collecting entropy from a suitable hardware noise source. There are many instances where poor RNG implementation has resulted in key vulnerabilities

Compliance risk increase

Companies that currently transfer sensitive or confidential data to the cloud are much more likely to hold the cloud provider primarily responsible for data protection. In contrast, companies that do not transfer sensitive or confidential information to the cloud are more likely to hold the cloud consumer with primary responsibility for data protection.

Insecure movement of keys

It is often necessary to move a key between systems. This should be accomplished by encrypting (“wrapping”) the key under a pre-shared transport key (a key-encryption key, or KEK), which may be either symmetric or asymmetric. Where this is not possible (e.g. when sharing symmetric transport keys to bootstrap the system), the key should be split into multiple components that must then be kept separate until being re-entered into the target system (and then the components are destroyed)

Easy to get started with DuoKey KMS

Key Management as Service

Automatic Key Rotation

Monitoring Key Usage

Role Based Access Control

Deployment model

On-premise

DuoKey KMS can be installed on-premise using our terraform software-defined script or docker deployement. Minimum of 3 dockers are required for running our MPC node withtin your infrastructure. We provide unmatched cryptographic key security and operational agility by utilizing a containerized software approach. Cryptographic Keys are generated across multiple MPC key servers collectively referred to as a Threshold Security Module (TSM). The TSM provides cryptographic key management functions across different trust domains (CSPs, or private DCs) and at no time is the entire key present on any single server.

SaaS

DuoKey Key Management simplifies multi-cloud deployment by eliminating the need for a mix of cloud and local HSM services, or some other on-premises encryption management solution. Companies will benefit from the simplicity and scalability of a pure-software, cloud-based Key Management-as-a- Service (KMaaS). KMaaS allows the management of customer owned encryption keys (also known as Bring Your Own Key - BYOK) across multiple CSPs, without requiring a KMS for each cloud service. DuoKey offers the added benefit of being available on any number of CSPs – not just Amazon S3, but Microsoft’s Azure, Rackspace and others.

Hold your own Keys

There is a risk that rogue administrators working at cloud service providers accessing customer data or keys with the intent to misuse the data. With DuoKey you keep dual control of your encryption keys while protecting sensitive document stored in the cloud. Efficient and secure key management is a challenge for any cryptographic system. Going beyond basic key management services, the system must protect the cryptographic keys against many evolving types of attacks which exploit brute force tactics, side-channel vulnerabilities, physical access of the system, weak encryption, replay attacks, and countless variants. Therefore, the secure management of private keys is one of the most critical functions of the cryptographic system and no infrastructure is secure if the private
keys are not secure.

Multi-Cloud Key Management

DuoKey Key Management is the industry’s first true cloud-native key management system. It utilizes patented technology and Multiparty Computation (MPC) to provide cryptographic key management with security equivalent to an HSM, with high-availability in a pure-cloud fashion.

It delivers keys to any cloud service, requires no trust in any service provider, and enables total key immunity against malicious actors, side-channel attacks, state-nation hacking, and unlawful or unauthorized key access.

Multi-Party Computation

MPC (Multi-party computation) is an innovative way to reduce complexity to store sensitive key material in one place and eliminate the concept of private keys. Every encryption is performed in a secure, distributed way to protect against cyber breaches, physical damage, and insider collusion.

DuoKey Key Management provides unmatched cryptographic key security and operational agility by utilizing a containerized software approach. Cryptographic Keys are generated across multiple MPC key servers collectively referred to as a Threshold Security Module (TSM). The TSM provides cryptographic key management functions across different trust domains (CSPs, or private DCs) and at no time is the entire key present on any single server.