Amazon unveils key-management security tool that works on-premise and in the cloud

The new Amazon Web Services Key Management Service (KMS), unveiled Wednesday, promises to let business customers manage their encryption keys for applications and services that run both on-premises and in the Amazon cloud. The new key management feature is now available in all of the AWS regions.

Managing encryption keys is a huge hassle for big enterprises and that means many of them just don’t do the routine maintenance needed to ensure their data is safe, explained Amazon senior vice president Andrew Jassy during Amazon’s re:Invent 2014 conference in Las Vegas. For example, companies might skimp on regularly rotating their keys to make sure that their applications and services are being freshly encrypted.

Amazon Key Management Service

The service will supposedly make it easy for users to create new encryption keys and set up policy and administrative tasks so the keys can be rotated without a user having to worry about it. For heavily regulated companies, there’s also an audit feature for customers to track who used a particular key to access data and when he or she did so.

From the Amazon blog:
“S3, EBS, and Redshift can now encrypt data at rest using keys controlled by AWS Key Management Service. You can choose to use the default (master) keys for each service or you can use AWS Key Management Service to create and manage your own keys. You can define keys for each service, application type, or data classification. The service lets you define which master keys protect your data however you choose to organize it.”
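As an added illustration, not taken from the article or from Amazon’s blog post, here is what the per-service keys and the “policy and administrative tasks” described above look like in practice as a KMS key policy. The account ID (111122223333), the role names KeyAdminRole and AppRole, and the us-east-1 region are placeholders. The policy separates the people who can manage and rotate the key (but cannot decrypt data with it) from the application role that can only encrypt and decrypt, and it further restricts the application role to requests that arrive through S3, so a leaked application credential cannot call KMS directly from elsewhere.

```json
{
  "Version": "2012-10-17",
  "Id": "example-s3-data-key-policy",
  "Statement": [
    {
      "Sid": "PlaceholderKeyAdministratorsManageButDoNotUse",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KeyAdminRole" },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PlaceholderApplicationUsesKeyOnlyViaS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

A policy like this is attached with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`. Automatic rotation is not part of the policy; it is switched on separately with `aws kms enable-key-rotation --key-id <key-id>`. Every Encrypt, Decrypt and GenerateDataKey call against the key is recorded in AWS CloudTrail, which is where the “who used a particular key and when” audit trail the article mentions actually comes from, so the key-user statement above is also the list of principals you expect to see in those records.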

There’s not a whole lot of information available as to how the new service will work for customers who use their own infrastructure in tandem with AWS, but Amazon said that the service should work for on-premise environments.

Amazon key usage permissions

In one way, it’s another sign of an internal shift at AWS that acknowledges that people want to carry over the way they manage security in their data centers to how they do it in the public cloud.

And as the company rolled out Intuit on stage during the conference as an example of a hybrid-cloud customer that takes security seriously, it’s clear Amazon’s trying to court more enterprises that have balked at going all in to the public cloud and need some reassurance that their data will be safe if they do. Amazon made sure to say in its blog post that “AWS Key Management Service can even help to address lingering concerns about moving sensitive data to the cloud.”

Prices for the new service start at $1 per key each month, which includes the ability to create, use and manage the key.

Conference screen shot courtesy of Jonathan Vanian
Key Management Service picture courtesy of Amazon