During its annual re:Invent conference in November 2022, Amazon Web Services (AWS) launched External Key Store (XKS), an external encryption key storage capability within its Key Management Service (KMS) offering. This new addition allows the encryption keys used to protect AWS services to be stored and managed entirely outside of the AWS infrastructure, in an external key store of the client's choosing. This was not previously possible: all key material used for AWS services had to be issued and managed by AWS KMS and stored inside the AWS infrastructure. Now it will be possible to store the keys outside of AWS in a third-party or customer solution.
IMPACT
Unlocking Markets and Driving Encryption Key Services
AWS XKS comes at an opportune time for the encryption key management market. Hyperscalers like AWS have long had their own KMS offerings for clients using their cloud services. But these were siloed offerings—clients could not use external KMS services, and the cloud-issued keys could not be used for other cloud-based services, nor with a client's on-premises assets. As such, a client would have to subscribe to the cloud KMS service to protect in-cloud assets and a separate KMS for all non-cloud assets. If clients used several cloud solutions, they would need to sign up to each provider's respective KMS. Although it was possible for clients to Bring-Your-Own-Key (BYOK) material to the cloud, they were still locked into using the dedicated cloud KMS service for management.
By opening up its KMS capabilities and allowing clients to Hold-Your-Own-Key (HYOK), AWS allows for more flexibility in key management, and breaks down the challenges (including the cost and complexity) of managing various encryption keys and storing them in different places, all the while ensuring AWS KMS retains the primary role for protecting AWS services.
It is also a strategic play; XKS allows AWS to expand into new markets where cloud-based key storage is simply not possible, whether due to regulation, to the sensitivity of the business being run, or to sovereign control demands. With regard to the latter, the European market is a good example, where extraterritorial concerns such as US government overreach and data protection regulation (such as GDPR and Schrems II) are curbing potential cloud adoption (notably from US providers) in the EU. The latest issues are with the US CLOUD Act, which could allow data stored in European clouds to be accessible to the US government. In theory, by allowing external key storage, AWS could alleviate security concerns, in that even if the data were accessed by non-EU governments, it would not be decryptable, as the key material would reside elsewhere.
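The security argument in the preceding paragraphs, that a key held outside AWS means data obtained from the cloud alone cannot be decrypted, can be made concrete with a small model. The following is an added illustration written for this page, not AWS code and not the XKS protocol itself: it models hold-your-own-key as two encryption layers around a data key, one applied with cloud-held material and one applied by a customer-operated external key store that only ever exposes encrypt/decrypt calls. The key identifiers are constructed, and the cipher is an HMAC-SHA256 counter-mode stand-in for AES-GCM so that the script runs with the Python standard library alone.

```python
"""Toy model of hold-your-own-key (HYOK) with an external key store.

Constructed illustration, not AWS code. It shows the property the text
relies on: a data key is protected by two layers of key material, one held
by the cloud KMS and one held in the customer's external store, so neither
side alone can recover it, and revoking the external key makes every data
key wrapped under it unrecoverable from the cloud side.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return _keystream_xor(key, nonce, ct)


class ExternalKeyStore:
    """Customer-operated store (think on-premises HSM behind a proxy).
    Key bytes never leave this object; the cloud side only calls encrypt/decrypt."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def create_key(self, xks_key_id: str) -> None:
        self._keys[xks_key_id] = secrets.token_bytes(32)

    def encrypt(self, xks_key_id: str, data: bytes) -> bytes:
        return wrap(self._keys[xks_key_id], data)

    def decrypt(self, xks_key_id: str, blob: bytes) -> bytes:
        return unwrap(self._keys[xks_key_id], blob)

    def revoke(self, xks_key_id: str) -> None:
        """Customer withdraws the key: the cloud can no longer unwrap anything under it."""
        del self._keys[xks_key_id]


class CloudKms:
    """Cloud-side KMS. Holds its own key material and a *reference* to the
    external key, never the external key bytes."""

    def __init__(self, xks: ExternalKeyStore) -> None:
        self._xks = xks
        self._keys: dict[str, tuple[bytes, str]] = {}

    def create_key(self, key_id: str, xks_key_id: str) -> None:
        self._keys[key_id] = (secrets.token_bytes(32), xks_key_id)

    def generate_data_key(self, key_id: str) -> tuple[bytes, bytes]:
        """Return (plaintext data key, doubly wrapped data key)."""
        aws_material, xks_key_id = self._keys[key_id]
        data_key = secrets.token_bytes(32)
        inner = wrap(aws_material, data_key)           # layer 1: cloud-held material
        outer = self._xks.encrypt(xks_key_id, inner)   # layer 2: customer-held key
        return data_key, outer

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        aws_material, xks_key_id = self._keys[key_id]
        inner = self._xks.decrypt(xks_key_id, wrapped)  # needs the external store online
        return unwrap(aws_material, inner)

    def leak_material(self, key_id: str) -> bytes:
        """Simulates compromise of the cloud side: yields only the cloud-held bytes."""
        return self._keys[key_id][0]


def demo() -> dict[str, bool]:
    """Run the three checks and report which security properties held."""
    xks = ExternalKeyStore()
    xks.create_key("xks-key-1")                # constructed identifier
    kms = CloudKms(xks)
    kms.create_key("kms-key-1", "xks-key-1")  # constructed identifier

    data_key, wrapped = kms.generate_data_key("kms-key-1")
    results = {"roundtrip": kms.decrypt_data_key("kms-key-1", wrapped) == data_key}

    # Cloud-side material alone cannot peel the outer (external) layer.
    try:
        unwrap(kms.leak_material("kms-key-1"), wrapped)
        results["cloud_alone_fails"] = False
    except ValueError:
        results["cloud_alone_fails"] = True

    # After the customer revokes the external key, the cloud cannot recover the data key.
    xks.revoke("xks-key-1")
    try:
        kms.decrypt_data_key("kms-key-1", wrapped)
        results["unrecoverable_after_revoke"] = False
    except KeyError:
        results["unrecoverable_after_revoke"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is the direction of the calls: the cloud asks the external store to transform a blob and never receives key bytes, so a copy of everything stored on the cloud side (wrapped data keys plus the cloud's own material) is insufficient to decrypt, and the customer can cut off decryption at any time by withdrawing the external key. The same dependency is the operational caveat: if the external store is offline, the cloud cannot decrypt either.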
In terms of regulated markets, AWS XKS will be of interest to those of a critical infrastructure nature, such as banking and telecoms. The open banking and fintech movement is increasingly looking to leverage cloud-based services, but stringent regulation on cybersecurity means that many cloud services fall short of many financial compliance requirements. Similarly for telecoms, the advent of OpenRAN and cloud-supported 5G networks will not be fully realized unless certain cybersecurity guarantees are met first. For both these sectors, the oversight and control of encryption key material is a critical issue, and cannot readily be outsourced to third parties, even cloud providers. As such, the availability of XKS can allow these target markets to fully embrace cloud capabilities, while retaining control of critical security assets like encryption keys.
RECOMMENDATIONS
Strategic KMS Partnerships
The AWS XKS announcement was accompanied by press releases from various KMS and Hardware Security Module (HSM) providers. Thales launched a CipherTrust Cloud Key Manager integration with XKS, and Fortanix announced that its Data Security Manager would work with XKS as well. Entrust's latest key management offering, KeyControl 10, is also compatible with XKS. These announcements seek to tap into the sovereign control and regulatory concerns, primarily in the EU. This may be a necessary de-siloing for AWS, not just in relation to current regulation, but also as the European Union Agency for Cybersecurity (ENISA) is developing a European-wide cybersecurity certification scheme for cloud services, which is likely to introduce stringent measures for cloud providers in Europe. By partnering with security leaders, AWS ensures that key management remains under the control of vetted and trusted third parties that can offer the highest standard in terms of KMS.
Beyond that, however, the move underpins the opening up of the encryption market. Service-based propositions for encryption key management, whether KMS or Public Key Infrastructure (PKI), are a growing trend, driven by demand for flexibility and simplicity in environments that are increasingly hybrid in nature, and therefore complex to manage.
For the more traditional KMS providers, the ability to integrate with AWS KMS is significant, not least because of the inroads AWS is making in supporting critical infrastructures in their digital transformation, from banking and telecom to government and defense. Partnering with the likes of AWS, and other hyperscalers, is a way to tap into the service demands of these markets, while enabling them to retain control of security assets through their own chosen solutions. While there will still be continued demand for traditional KMS, PKI, and HSM, the market is decidedly moving to an as-a-Service model to capture new opportunities. For traditional security vendors, partnerships with cloud providers are one way to capture part of that market evolution, while promoting their expertise in encryption technologies that seamlessly integrate with cloud migration strategies.