What is Multi-Cloud Encryption Key Monitoring to Improve Crypto Agility?

Monitoring

Using encryption keys in a multi-cloud environment requires more careful management because key storage locations are distributed. Additionally, key management mechanisms and policies may vary depending on the cloud provider. To understand the location and management status of cryptographic keys, it is necessary to check each cloud's key management services and the services to be encrypted (Figure 2).

Figure 2: Using Key Management Services in Multi-Cloud

It is important to monitor the management of cryptographic keys to prevent improper operations caused by such management complexity.

Crypto-Agility

Crypto agility refers to the design and implementation of systems in such a way that one encryption method can be easily switched to another without major changes to the system infrastructure and processes. This concept is particularly relevant in the context of transitioning to Post-Quantum Cryptography (PQC), which involves the ability to switch between conventional cryptography and PQC as needed.
PQC is a cryptographic algorithm that is resistant to decryption by quantum computers within a realistic timeframe. In August 2024, the National Institute of Standards and Technology (NIST) in the United States published standardization documents for three new PQCs (*3), which is expected to accelerate the transition to PQC. Security authorities in the United States and other countries have recommended improving crypto agility as part of the transition to PQC (Table 1).

• (*3) NIST, NIST Releases First 3 Finalized Post-Quantum Encryption Standards

Table 1: Movement of National Security Authorities on the Transition to PQC

Major public cloud providers are also advancing PQC migrations, with NIST's involvement in PQC standardization and official blog posts highlighting these efforts (Table 2). However, the implementation of PQC in each cloud service product and enhancements to crypto agility are currently limited.

Table 2: Major Public Clouds Moving Forward with PQC Migrations

Enhancing crypto agility involves several strategies, with creating a crypto inventory being a crucial element. A crypto inventory is a system for recording and managing information on the usage of cryptographic algorithms. In a multi-cloud system, it is essential for public cloud providers to migrate all algorithms used in the system to PQC. By creating an inventory in advance, organizations can understand what needs to be migrated to PQC and facilitate a smooth transition.
NTT DATA believes that automating the creation of a crypto inventory in a multi-cloud environment and comprehensively monitoring the cryptographic algorithms used in the system are vital. Consequently, NTT DATA has initiated research and development on a multi-cloud encryption key monitoring system

Required System

Currently, tools for integrated encryption key monitoring in multi-cloud environments are not widely available, making it challenging for users to manage their own encryption keys. Therefore, there is a need for a system that allows users to centrally monitor encryption keys from a single interface (Figure 3).

Figure 3: Image of a Multi-Cloud Encryption Key Monitoring System

What items are required for monitoring?

To implement multi-cloud key monitoring, it is essential to specify general monitoring items. This involves referring to encryption key management guidelines and considering the creation of a crypto inventory.