Key Management Service (KMS) offers the following advantages over traditional key management infrastructure (KMI): integration with multiple services, ease of use, high reliability and availability, security and compliance, and cost-effectiveness.
Integration with multiple services
Authentication and access control
KMS authenticates requests by using identity authentication mechanisms such as AccessKey pairs. In addition, KMS is integrated with Resource Access Management (RAM), which allows you to configure identity-based policies (attached to the caller) and resource-based policies (attached to the key) to cover different authorization scenarios. KMS accepts a request only if it comes from an authenticated identity and passes the permission checks that RAM evaluates for that request. For more information, see Access control.
Auditing of key usage
KMS is integrated with ActionTrail and Simple Log Service (SLS). This allows you to view recent KMS usage and store KMS usage information in other Alibaba Cloud services, such as Object Storage Service (OSS), to meet audit requirements in the long term. For more information, see Use ActionTrail to query KMS event logs and Overview of Simple Log Service for KMS.
Data encryption for integrated services
KMS is integrated with multiple Alibaba Cloud services such as Elastic Compute Service (ECS), ApsaraDB RDS, and OSS. You can use keys in KMS to encrypt the data of the integrated services and to control who can decrypt it. You manage only the keys; the integrated services perform the encryption operations for you. KMS also protects the native data of the integrated services. For more information, see Overview of integration with KMS and Alibaba Cloud services that can be integrated with KMS.
Ease of use
Automatic key rotation
KMS provides automatic key rotation. You do not need to update keys manually, which limits how long any single key is in use and reduces management effort.
Simple implementation
KMS provides cryptographic API operations that let you encrypt and decrypt data with a single call, so you do not have to implement cryptographic algorithms or handle key material in your own code.
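The following is an added example, not code from Alibaba Cloud or its SDK, that illustrates the two points above together: an application that calls a key service only to obtain and unwrap data keys (the cryptographic API point) and a master key that is rotated without breaking data encrypted earlier (the key rotation point). `LocalKMS`, its `Rotate`, `GenerateDataKey` and `Decrypt` methods, the 4-byte version prefix on wrapped keys and the sample record are all constructed stand-ins for illustration; with a real KMS the `LocalKMS` calls would become SDK calls, and the master key material would live in the service rather than in the process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal returns nonce||ciphertext under AES-256-GCM with aad authenticated; open reverses it.
func seal(key, plaintext, aad []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// LocalKMS is a constructed in-process stand-in for one KMS key with several versions, not
// the Alibaba Cloud SDK: master key material never leaves it, callers see only data keys.
type LocalKMS struct {
	versions [][]byte // versions[i] is the 32-byte AES key of key version i
}
func NewLocalKMS() *LocalKMS {
	k := &LocalKMS{}
	k.Rotate() // creates key version 0
	return k
}

// Rotate adds the version used for new wraps; older versions stay so old ciphertexts decrypt.
func (k *LocalKMS) Rotate() int {
	k.versions = append(k.versions, randBytes(32))
	return len(k.versions) - 1
}

// GenerateDataKey mirrors a KMS GenerateDataKey call: a fresh plaintext data key plus the
// same key wrapped under the current master key version. The 4-byte version prefix is
// authenticated as AAD so Decrypt can select the right master key after a rotation.
func (k *LocalKMS) GenerateDataKey() (plaintext, wrapped []byte) {
	dk := randBytes(32)
	v := len(k.versions) - 1
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(v))
	return dk, append(hdr, seal(k.versions[v], dk, hdr)...)
}
func WrappedKeyVersion(wrapped []byte) int { return int(binary.BigEndian.Uint32(wrapped[:4])) }

// Decrypt unwraps a data key with the master key version named in the blob.
func (k *LocalKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 || WrappedKeyVersion(wrapped) >= len(k.versions) {
		return nil, errors.New("unknown key version")
	}
	return open(k.versions[WrappedKeyVersion(wrapped)], wrapped[4:], wrapped[:4])
}

// Envelope is what the application stores: wrapped data key beside the encrypted data.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// EnvelopeEncrypt encrypts the payload locally under a one-off data key; only that key,
// never the payload, crosses to the key service, and the plaintext key is never persisted.
func EnvelopeEncrypt(k *LocalKMS, plaintext []byte) Envelope {
	dk, wrapped := k.GenerateDataKey()
	ct := seal(dk, plaintext, wrapped) // bind the ciphertext to its own wrapped key
	for i := range dk {
		dk[i] = 0 // drop the plaintext data key as soon as it has been used
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}
}
func EnvelopeDecrypt(k *LocalKMS, e Envelope) ([]byte, error) {
	dk, err := k.Decrypt(e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, e.Ciphertext, e.WrappedKey)
}

func main() {
	kms := NewLocalKMS()
	old := EnvelopeEncrypt(kms, []byte("record written before rotation")) // constructed sample
	kms.Rotate()
	pt, err := EnvelopeDecrypt(kms, old)
	fmt.Printf("key version %d: %q err=%v\n", WrappedKeyVersion(old.WrappedKey), pt, err)
}
```

The design point to take from the example is that each wrapped data key records which master key version produced it, so rotation changes only what new encryptions use; data encrypted before the rotation keeps decrypting until you decide to re-encrypt it. The same structure also shows why a swapped version header or a modified ciphertext is rejected: both are covered by GCM's authentication.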
Cross-virtual private cloud (VPC) access
KMS allows you to associate multiple VPCs with one KMS instance. Applications in any associated VPC can then use that instance to encrypt and decrypt data.
Bring Your Own Key (BYOK)
KMS supports BYOK. You can import keys into KMS from external systems such as an on-premises KMI, and then use them to encrypt data in Alibaba Cloud services or in your self-managed applications and systems.
Note: KMS uses secure and compliant key exchange algorithms for import, so that neither Alibaba Cloud operators nor third parties can view the imported keys in plaintext.
High reliability, availability, and scalability
High reliability
KMS supports multi-zone deployment, which helps prevent single points of failure (SPOFs).
KMS regularly backs up keys, secrets, and related data to ensure fast recovery upon faults.
High availability
KMS provides redundant cryptographic computing capacity across multiple zones, with load balancing, to achieve a minute-level recovery time objective (RTO). KMS instances use a dual-zone deployment with active-active compute instances in both zones, which makes full use of resources and keeps the service available if one zone fails. Alibaba Cloud services and your self-managed applications can therefore send requests to KMS at low latency.
KMS instances are available in 2,000 QPS and 4,000 QPS (queries per second) specifications and continue to serve requests under high concurrency within the chosen specification.
Scalability
You can upgrade specifications of KMS based on your business requirements.
The following example uses a dual-zone deployment. Your applications run in VPC_1 and VPC_2, and your KMS instance is deployed in VPC_1 and associated with VPC_2. The following figure shows the KMS architecture.
Security and compliance
KMS offers a high level of protection for your keys. Security design reviews and strict verification processes are applied throughout the development of KMS.
Keys are managed in your dedicated KMS instance and are not shared with other tenants.
KMS can be accessed only over TLS and negotiates only secure cipher suites. KMS complies with security standards such as the Payment Card Industry Data Security Standard (PCI DSS).
KMS supports cryptographic facilities that are verified and certified by regulators. Cloud Hardware Security Module of Alibaba Cloud offers hardware security modules (HSMs) that comply with Federal Information Processing Standard (FIPS) Publication 140-2 Level 3. You can integrate KMS with Cloud Hardware Security Module of Alibaba Cloud. This way, you can use the clusters of HSMs that are deployed in Cloud Hardware Security Module to manage keys and perform cryptographic operations. For more information about Cloud Hardware Security Module, see What is Data Encryption Service?
Cost-effectiveness
You do not need to buy, operate, repair, or replace hardware cryptographic devices.
With KMS, you do not need to deploy highly available and reliable HSM clusters, or pay the R&D and maintenance costs of a self-managed KMI.
KMS is integrated with other Alibaba Cloud services, which removes the R&D overhead of building your own data encryption system. You manage only the keys and keep control over how your data is encrypted on the cloud.