Key Management Service (KMS) is suitable for various scenarios. This topic describes the common scenarios in which KMS can be used.
Scenarios
| Scenario | Role | Demand | Description |
| --- | --- | --- | --- |
| Security compliance requirements of information systems | Chief risk officer (CRO) | Ensure the security and compliance of information systems. | A CRO wants IT systems to meet the following requirements of information system security: |
| Sensitive data encryption | IT system builder | Ensure the security of sensitive data in applications. | At the request of IT security departments, an IT system builder needs to encrypt and protect sensitive business data and operational data in applications. KMS significantly reduces costs compared with self-built key management, encryption, and decryption facilities. |
| Third-party secret management solution | Independent software vendor (ISV) | Ensure the security of secrets. Users do not want secrets to be exposed to ISVs. | The services provided by ISVs need to use the secrets of users, but the users do not want those secrets exposed to the ISVs. ISVs can introduce KMS as a third-party secret management solution. |
Security compliance requirements of information systems
Enterprises or organizations may encounter the following scenarios when they evaluate the security compliance requirements for information systems:
Security regulations require that enterprises or organizations use cryptographic techniques to protect information systems, and that the cryptographic techniques and key management facilities comply with the related technical standards and security regulations.
Security regulations do not require the use of cryptographic techniques, but the use of cryptographic techniques can speed up the process of security compliance. For example, the use of cryptographic techniques can help you obtain higher scores in scoring-based approaches.
The following table describes the features that are provided by KMS to help enterprises meet security compliance requirements.
| Feature | Description | References |
| --- | --- | --- |
| Cryptographic compliance | You can connect your hardware security module (HSM) clusters in Data Encryption Service to KMS to manage keys and perform cryptographic operations. A hardware-protected key that is used in cryptographic operations must be stored in an HSM cluster. KMS supports common cryptographic algorithms and operations for hardware-protected keys, such as data encryption and digital signatures (signing and verification). Note: HSMs provided by Data Encryption Service meet the compliance requirements of Federal Information Processing Standard (FIPS) Publication 140-2 Level 3. | |
| Secrets management | Secrets Manager allows you to easily manage secrets such as AccessKey pairs of Resource Access Management (RAM) users, passwords of ApsaraDB RDS accounts, and SSH keys of Elastic Compute Service (ECS) instances. Secrets Manager also allows you to handle data leaks in an efficient and reliable manner. | |
| Data confidentiality | KMS allows you to encrypt data to ensure data confidentiality. This helps you prevent data leaks when your system is attacked and meet the requirements of data protection laws and regulations. | |
| Authentication and access control | KMS is integrated with RAM to implement centralized authentication and authorization. KMS Instance accepts access only from IP addresses in a virtual private cloud (VPC) and also provides application-level authentication and authorization management by using application access points (AAPs). | |
| Key audit | KMS stores all API call records in ActionTrail, which allows you to perform compliance audits on keys. You can also enable security audit for KMS instances and store all KMS Instance API call records in a specified Object Storage Service (OSS) bucket. | |
Sensitive data encryption
You can use data encryption techniques to protect sensitive data that is generated or stored on the cloud. Alibaba Cloud provides multiple methods to encrypt and protect sensitive data.
| Encryption method | Demand | Description | References |
| --- | --- | --- | --- |
| Direct encryption of data in application systems by using KMS | The sensitive data in application systems is protected by using encryption technologies. If the encryption and decryption of sensitive data do not require high queries per second (QPS) or the data size does not exceed 6 KB, you can use this method. For example, you can use this method to encrypt sensitive data such as AccessKey pairs and the usernames and passwords that are used to access databases. | Call the encryption API operation of KMS to directly encrypt sensitive data by using keys. | |
| Envelope encryption of data in application systems by using KMS | The sensitive data in application systems is protected by using encryption technologies. If the encryption and decryption of sensitive data require high QPS or the data size is large, you can use this method. For example, you can use this method to encrypt sensitive data such as mobile phone numbers and ID card numbers. | Envelope encryption stores your customer master keys (CMKs) in KMS. You only need to deploy enveloped data keys (EDKs). You use KMS to decrypt the EDKs and then use the returned plaintext data keys (DKs) to encrypt or decrypt your local business data. You can also use Encryption SDK, in which envelope encryption is encapsulated, to encrypt data. | |
| Server-side encryption of cloud services | Basic assurance is provided for the environment of IT facilities in the cloud to ensure data security. For example, you can perform server-side encryption on OSS to protect buckets that store sensitive data, or use transparent data encryption (TDE) to protect tables that contain sensitive data. | If you use Alibaba Cloud services to store data, you can use server-side encryption to encrypt and protect the data in an effective manner. | |
| Secrets Manager | Secrets Manager allows you to manage the lifecycle of your secrets and allows your applications to use secrets in a secure and efficient manner. This helps prevent sensitive data leaks that are caused by secrets hardcoded in code. For example, you can host sensitive data such as passwords, tokens, SSH keys, and AccessKey pairs in Secrets Manager and manage the data in a secure manner. | You can host sensitive credentials in Secrets Manager and use application-level security access mechanisms to ensure secure access to the sensitive data. You can also dynamically rotate secrets to prevent data leaks. | |
Third-party secret management solution
Users can manage secrets in KMS and authorize services of ISVs to use these secrets. KMS acts as a third-party security protection system between the services of ISVs and the users. The users and the ISVs can work together to ensure system security.
| Role | Description | References |
| --- | --- | --- |
| User administrator | Manages secrets in KMS. The user administrator can use RAM to manage the permissions on secrets and can allow ISVs to use specified secrets in KMS by methods such as cross-account resource authorization. | Use a RAM role to grant permissions across Alibaba Cloud accounts |
| Service of ISVs | Integrates the KMS API to use the specified secrets. | |
| User auditor | Uses ActionTrail to audit the usage records of keys in KMS. | |