
What is Multi-Cloud Encryption Key Monitoring to Improve Crypto Agility?
Cloud computing has become an indispensable part of business operations, with the "multi-cloud" approach gaining popularity to optimize usage environments. Effective encryption key management is crucial for securely using data in the cloud, but managing these keys becomes more complex in a multi-cloud setup. Additionally, with the increasing risk of quantum computers decrypting current encryption algorithms, enhancing crypto agility—the ability to quickly adapt encryption methods—is becoming increasingly important. Based on these issues, this paper explains "multi-cloud encryption key monitoring" that NTT DATA is developing.
1. Introduction
The market size of public clouds, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, is expanding year by year (*1), making cloud computing an indispensable part of business operations. In this context, the "multi-cloud" operation mode where multiple cloud services are combined and utilized has become increasingly popular (Figure 1).

Figure 1: Multi-Cloud Environment
Proper management of encryption keys is crucial for securely using data in the cloud (*2). NTT DATA emphasizes the importance of monitoring encryption keys to ensure their proper management. "Encryption key monitoring" refers to tracking the management and usage status of encryption keys. This article discusses the necessity and implementation of multi-cloud encryption key monitoring based on the requirements for effective multi-cloud encryption key management.
2. What is Required for Multi-Cloud Encryption Key Management
When managing encryption keys in a multi-cloud environment, it is important to monitor and improve crypto agility.
Monitoring
Using encryption keys in a multi-cloud environment requires more careful management because key storage locations are distributed. Additionally, key management mechanisms and policies may vary depending on the cloud provider. To understand the location and management status of cryptographic keys, it is necessary to check each cloud's key management services and the services to be encrypted (Figure 2).

Figure 2: Using Key Management Services in Multi-Cloud
It is important to monitor the management of cryptographic keys to prevent improper operations caused by such management complexity.
Crypto-Agility
Crypto agility refers to the design and implementation of systems in such a way that one encryption method can be easily switched to another without major changes to the system infrastructure and processes. This concept is particularly relevant in the context of transitioning to Post-Quantum Cryptography (PQC), which involves the ability to switch between conventional cryptography and PQC as needed.
PQC refers to cryptographic algorithms designed to resist attacks by quantum computers within a realistic timeframe. In August 2024, the National Institute of Standards and Technology (NIST) in the United States published standardization documents for three new PQC algorithms (*3), which is expected to accelerate the transition to PQC. Security authorities in the United States and other countries have recommended improving crypto agility as part of the transition to PQC (Table 1).

Table 1: Movement of National Security Authorities on the Transition to PQC
Major public cloud providers are also advancing PQC migrations, with NIST's involvement in PQC standardization and official blog posts highlighting these efforts (Table 2). However, the implementation of PQC in each cloud service product and enhancements to crypto agility are currently limited.

Table 2: Major Public Clouds Moving Forward with PQC Migrations
Enhancing crypto agility involves several strategies, with creating a crypto inventory being a crucial element. A crypto inventory is a system for recording and managing information on the usage of cryptographic algorithms. In a multi-cloud system, it is essential for public cloud providers to migrate all algorithms used in the system to PQC. By creating an inventory in advance, organizations can understand what needs to be migrated to PQC and facilitate a smooth transition.
NTT DATA believes that automating the creation of a crypto inventory in a multi-cloud environment and comprehensively monitoring the cryptographic algorithms used in the system are vital. Consequently, NTT DATA has initiated research and development on a multi-cloud encryption key monitoring system.
3. Realization of Multi-Cloud Encryption Key Monitoring
Required System
Currently, tools for integrated encryption key monitoring in multi-cloud environments are not widely available, making it challenging for users to manage their own encryption keys. Therefore, there is a need for a system that allows users to centrally monitor encryption keys from a single interface (Figure 3).

Figure 3: Image of a Multi-Cloud Encryption Key Monitoring System
What items are required for monitoring?
To implement multi-cloud key monitoring, it is essential to specify general monitoring items. This involves referring to encryption key management guidelines and considering the creation of a crypto inventory.
Guidelines for Encryption Key Management
NTT DATA refers to the encryption key management guidelines provided by NIST to obtain comprehensive information necessary for encryption key monitoring. NIST SP 800-57 Part 1 offers recommendations for using encryption keys (*4). For example, it recommends destroying keys whose cryptoperiod has expired and updating key information immediately when the state of a key changes. Keys that do not meet these recommendations pose a risk, and appropriate measures must be taken. Therefore, a list of encryption keys is needed so that compliance with these recommendations can be verified easily.
Creating a Crypto Inventory
As mentioned earlier, creating a crypto inventory is crucial for increasing crypto agility. An inventory helps understand the system's crypto usage and facilitates subsequent activities such as risk assessment and response prioritization. An example of a crypto inventory might look like the following table (Figure 4):

Figure 4: Crypto Inventory Image
Challenges in Creating a Crypto Inventory
Inventory Resources:
- Currently, there is no mainstream method for creating a crypto inventory, and few tools automate the process. Creating the inventory often requires significant effort, including interviewing system administrators, checking design documents, network device settings, server certificates, and client certificates.
Complete Inventory Creation:
- Manual creation of a crypto inventory may not cover 100% of the cryptographic algorithms used in the system, leading to potential omissions. In a multi-cloud environment, the complexity increases due to the combination of multiple clouds with different specifications.
To automate crypto inventory creation in a multi-cloud environment and comprehensively monitor the cryptographic algorithms used, it is necessary to create an encryption key list and maintain key and algorithm information. Based on this, the information necessary for encryption key monitoring is listed below (Figure 5).

Figure 5: Example of Items Required for Monitoring
Automation and Visualization
To implement encryption key monitoring in a multi-cloud environment, consider aggregating logs collected from each cloud to a single location. By detecting changes in key status from key management service logs and encryption target service logs and automatically transferring these logs, users can check real-time information about encryption keys in an integrated manner (Figure 6).

Figure 6: Multi-cloud Encryption Key Monitoring System Image
The aggregated information can be easily checked from a dashboard (Figure 7).

Figure 7: Monitoring Screen Image
Key information is listed, and the management and usage status of each key is tracked by visualizing the services it encrypts. For example, if a key whose cryptoperiod has expired is still being used, it is flagged as a risk, and information about the services using it and its usage history is displayed.
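The inventory and risk-flagging logic described in this section, as an added illustration that is not NTT DATA's system: constructed key records from three clouds (with deliberately different, made-up field names) are normalized into one inventory, a constructed state-change event is applied immediately, and each key is checked for an expired cryptoperiod still in use, a non-enabled key still referenced, and a quantum-vulnerable algorithm.

```python
from datetime import date

# Constructed key records: each cloud uses its own (made-up) field names on purpose.
RAW_KEYS = [
    {"cloud": "aws", "KeyId": "k-aws-1", "KeySpec": "SYMMETRIC_DEFAULT",
     "KeyState": "Enabled", "Expires": "2024-06-30", "UsedBy": ["s3:bucket-a"]},
    {"cloud": "azure", "kid": "k-az-1", "kty": "RSA-2048", "enabled": True,
     "exp": "2026-01-01", "consumers": ["storage-b"]},
    {"cloud": "gcp", "name": "k-gcp-1", "algorithm": "EC_P256",
     "state": "ENABLED", "expires": "2025-12-31", "used_by": []},
]
# Constructed key-state change events, as if forwarded from each cloud's logs.
EVENTS = [{"cloud": "gcp", "key": "k-gcp-1", "new_state": "DISABLED"}]
QUANTUM_VULNERABLE = ("RSA", "EC")  # public-key families broken by Shor's algorithm

def normalize(rec):
    # Map one cloud's record onto the common inventory schema.
    if rec["cloud"] == "aws":
        return {"id": rec["KeyId"], "alg": rec["KeySpec"], "state": rec["KeyState"].upper(),
                "expires": rec["Expires"], "used_by": rec["UsedBy"]}
    if rec["cloud"] == "azure":
        return {"id": rec["kid"], "alg": rec["kty"], "expires": rec["exp"],
                "state": "ENABLED" if rec["enabled"] else "DISABLED",
                "used_by": rec["consumers"]}
    return {"id": rec["name"], "alg": rec["algorithm"], "state": rec["state"],
            "expires": rec["expires"], "used_by": rec["used_by"]}

def build_inventory(raw=RAW_KEYS, events=EVENTS):
    # Aggregate every cloud's keys, then reflect state changes immediately (SP 800-57).
    inv = {}
    for rec in raw:
        entry = normalize(rec)
        inv[f'{rec["cloud"]}:{entry["id"]}'] = dict(entry, cloud=rec["cloud"])
    for ev in events:
        inv[f'{ev["cloud"]}:{ev["key"]}']["state"] = ev["new_state"]
    return inv

def assess(inv, today=date(2025, 1, 15)):
    # Return a list of risk findings per inventory id (empty list = no risk).
    findings = {}
    for kid, k in inv.items():
        risks = []
        if date.fromisoformat(k["expires"]) < today:  # past cryptoperiod: destroy it
            risks.append("expired cryptoperiod" + (" still in use" if k["used_by"] else ""))
        if k["state"] != "ENABLED" and k["used_by"]:
            risks.append("non-enabled key still referenced by a service")
        if k["alg"].upper().startswith(QUANTUM_VULNERABLE):
            risks.append("quantum-vulnerable algorithm, PQC migration candidate")
        findings[kid] = risks
    return findings
```

The findings dict is what a dashboard would render per key; the cryptoperiod check uses the key's expiry date as the cryptoperiod end.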
4. Summary
This article has explained the essentials of multi-cloud encryption key monitoring, focusing on the requirements for effective encryption key management in a multi-cloud environment. NTT DATA is actively researching and developing a system that meets these requirements (*5). By listing information about the usage of cryptographic algorithms, multi-cloud encryption key monitoring fulfills the purpose of creating a crypto inventory. Consequently, we aim to enhance crypto agility and strengthen data security through the effective use of encryption keys.
- (*5) This development was commissioned by "Development of hybrid cloud base technology/Data security technology with robust key management (key management software technology)" (23200711-0) of the New Energy and Industrial Technology Development Organization (NEDO).

Nanaka Seiwa
NTT DATA Group Corporation
Engaged in R&D on domestic key management systems. In particular, work on the development of monitoring technologies for key management in the cloud.

Juri Minami
NTT DATA Group Corporation
Engaged in R&D on domestic key management systems. In particular, work on the investigation and implementation of Post-Quantum Cryptography technology.