Watch our webinar on-demand to find out more about cryptographic architecture in the cloud:
For transparency and to preserve the original spirit of the questions, we have not edited any of them. The questions were answered by Paolo Basilio, Global Head of Practice at Foregenix and Adam Cason, VP, Global and Strategic Alliances at Futurex.
I have not seen any such cases. Generally, each entity manages their own sets of keys and organisations that need to share encrypted data with each other will share a unique symmetric key between them, each having the responsibility to safeguard the copy of that key or its components that the entities handle. I've also seen cases where asymmetric cryptography was used, where each entity had their own private/public key pairs signed by a certificate authority and each entity shared their public key with the other for the encryption and transmission of keys/data.
I would say that it is always best for an organisation to manage and control their own master keys given that these keys are generally used to encrypt all other keys which encrypt data and outsourcing that responsibility to a third party would put the security of that data in the hands of a third party. That being said, one would have to understand the particular circumstances in which the example in the question applies.
It will be difficult to completely migrate away from managing key components on some level when it comes to key management for HSM infrastructure. However, to answer the question, it would be prudent to still allocate responsibility for managing and initiating key management activities, be it a key exchange or sharing of public keys or any type of processes that may be part of and potentially impact the security of the cryptographic architecture. The allocation of this responsibility will not need to be as sensitive as when assigning key custodians for handling key components but responsibility should be documented and defined.
Great question. By its nature, cloud processing means in many cases that data would be distributed across multiple geographies and even internationally, which would make it difficult to meet such a requirement. Nevertheless, even within the same country, and spread across different parts of the country, distributed key management and HSM infrastructure still requires more efficient operations and would benefit from improved solutions.
When you're looking at a cloud payment HSM infrastructure in particular, it's important to talk to your provider about any data residency requirements you must abide by. That can help you make the decision about whether you are able to take a full-cloud approach, require a hybrid environment (with assurances that your cloud HSMs are housed in an in-country datacentre), or need to stick with a fully on-premises approach.
Currently there are no guidelines for assessing controls at an employee’s home and due to the nature of the current industry requirements associated with key management such as dual-control, it would be difficult to have scenarios where this sort of scenario exists and an entity meets compliance requirements. It is likely that better solutions would be developed for this problem which would alleviate the need for custodians to have to store key material or cryptographic hardware at their private residence. This could be in the form of an encrypted key store or other practical solutions for scenarios where components are still in use. We will have to wait and see how the industry standards evolve to cater for an increasingly 'work from home' environment.
Key components would need to be transmitted in authenticable, opaque, tamper-evident packaging or encrypted with a key of equal or greater strength when transmitted in accordance with industry standards, and once these are received by the Futurex custodians, they will be received, stored and loaded in accordance with these standards as well. Futurex are audited regularly against PCI PIN, PCI P2PE and various other industry standards.
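The answers above refer to key components held by separate custodians under dual control and loaded only once all components are brought together. The following is an added illustration of that idea, not code from the webinar or from Foregenix or Futurex: a symmetric key is split into XOR components so that no single custodian holds anything that reveals the key, and at load time the components are recombined and checked against a short check value recorded when the key was split. The check value used here (a truncated SHA-256 of the key) is an assumption made so the example runs on the Python standard library alone; real HSMs compute key check values differently, and the sample key is constructed for the demonstration.

```python
"""Added example: XOR key components under dual control (not the webinar's code)."""
import hashlib
import secrets
from typing import Sequence


def split_key(key: bytes, num_components: int) -> list[bytes]:
    """Split `key` into `num_components` XOR components of equal length.

    All components but the last are uniformly random; the last is chosen so
    that the XOR of every component equals the key. Any proper subset of the
    components is statistically independent of the key, which is why each
    component can be handed to a different custodian.
    """
    if num_components < 2:
        raise ValueError("dual control needs at least two components")
    components = [secrets.token_bytes(len(key)) for _ in range(num_components - 1)]
    last = bytes(key)
    for comp in components:
        last = bytes(a ^ b for a, b in zip(last, comp))
    components.append(last)
    return components


def combine_components(components: Sequence[bytes]) -> bytes:
    """XOR all components together to reconstruct the key."""
    if not components:
        raise ValueError("no components supplied")
    length = len(components[0])
    if any(len(comp) != length for comp in components):
        raise ValueError("component lengths differ")
    key = bytes(length)
    for comp in components:
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def check_value(key: bytes) -> str:
    """Constructed check value: first 3 bytes of SHA-256(key), hex-encoded.

    Recorded alongside the components when the key is split so that a
    reconstructed key can be verified without revealing the key itself.
    This is an assumption for the example, not an industry KCV algorithm.
    """
    return hashlib.sha256(key).hexdigest()[:6]


def load_key(components: Sequence[bytes], expected_check_value: str) -> bytes:
    """Reconstruct the key and return it only if the check value matches."""
    key = combine_components(components)
    if check_value(key) != expected_check_value:
        raise ValueError("check value mismatch: missing, wrong or corrupted component")
    return key


if __name__ == "__main__":
    # Constructed sample: a fresh 128-bit key split among three custodians.
    master_key = secrets.token_bytes(16)
    kcv = check_value(master_key)
    parts = split_key(master_key, 3)
    print("check value recorded at split time:", kcv)

    # Two of three custodians alone cannot reconstruct the key.
    try:
        load_key(parts[:2], kcv)
    except ValueError as err:
        print("partial load rejected:", err)

    # All three components together reproduce the original key.
    print("full load ok:", load_key(parts, kcv) == master_key)
```

The random components mean a custodian who loses or leaks one component has disclosed nothing about the key, which is the property the custodian responsibilities in the answers above are protecting; the check value only confirms that the right components were combined, so it must be stored and compared at load time rather than trusted from the package.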
PTS approval pertains to physical cryptographic devices and therefore these devices can already be used in cloud environments. In terms of P2PE Solutions, there are already some service providers such as Futurex's 'VirtuCrypt' who have a P2PE certified decryption environment listing with a service offered through AWS and Azure.
We hope the answers to the questions above have helped you learn more about cryptographic architectures. For more information download our Crypto Practice datasheet.
If you have any other questions or would like to have a conversation feel free to email us at email@example.com.