
What Key Management Services Ensure Data Sovereignty in the Sovereign Cloud?
The sovereign cloud has been attracting worldwide attention since 2021. There are three sovereignties required in the sovereign cloud: data sovereignty, system sovereignty, and operation sovereignty. Key management services are an essential technical element to realize data sovereignty.
Even when securing data sovereignty in the sovereign cloud, it is difficult to give up the convenience and availability of the public cloud. Therefore, it is necessary to utilize a hybrid cloud that leverages the strengths of both. In this paper, we introduce the implementation method and the status of key management services to ensure data sovereignty as a sovereign cloud (hybrid cloud) while utilizing the convenience of the public cloud.
1. Introduction
In recent years, from the viewpoint of "economic security" to secure national interests, there has been a trend to utilize "sovereign clouds" (*1) for systems that handle critical data. Additionally, heightened geopolitical risks, such as Russia's invasion of Ukraine and the U.S.-China conflict, have intensified cyber-attacks, leading to frequent system outages and leaks of personal and confidential information. Against this background, NTT DATA is working to realize a sovereign cloud.
NTT DATA believes that the sovereign cloud requires the control of three sovereignties: data sovereignty, system sovereignty, and operational sovereignty.

Figure 1: Sovereignty to be Controlled in a Sovereign Cloud
The three sovereignties require the following elements:
1. Data sovereignty:
The ability to protect and secure data includes data encryption/decryption and encryption of data linkage paths. Data processing techniques such as masking and concealment allow users to define how data is masked and processed. These measures protect against external security threats. Additionally, access control (user control and communication partner control) and integrated operational history monitoring and notification are essential.
2. System sovereignty:
The system does not depend on specific cloud or vendor product specifications, ensuring high portability to other environments (cloud portability). Software can be migrated on-premises or between clouds, and the software architecture can be similarly constructed on-premises or across clouds. Additionally, centralized management of software deployed in multiple cloud environments is supported.
3. Operational sovereignty:
High operational transparency for operators and users is essential. Securing operational leadership within the company and the country, quickly collecting information, and responding to problems are crucial. Making software specifications and source code available to users and ensuring that data is not moved or relocated by cloud providers are also important.
Key management services (KMS/HSM below) are defined as technical elements that realize data sovereignty control from these aspects. KMS/HSM is described in "3. Proposed Configuration of KMS/HSM in a Sovereign Cloud" below.

Figure 2: NTT DATA's Sovereign Cloud
2. Need for Key Management Services (KMS/HSM)
For systems that handle critical data, the public cloud may be utilized depending on the importance of the data. There may also be cases where services with the agility of the public cloud are desired. In such instances, when "important data" is handled in the public cloud, it is necessary to encrypt it by some means.
Figure 3 illustrates two scenarios: one where encryption keys are generated and managed in the public cloud, and another where keys are generated in the KMS/HSM where sovereignty is controlled. If keys are generated and managed in the public cloud, there is a risk of misuse by malicious operators. Conversely, if keys are generated in the KMS/HSM where sovereignty is controlled, this risk can be mitigated.
Given this context, KMS/HSM is essential as a technological element to achieve control of data sovereignty.

Figure 3: Controllable cryptographic keys
Important data handled by systems is rated from the viewpoint of confidentiality by the Cyber Security Center of the Cabinet (NISC), and we recommend that you refer to it when considering where to store and process data. (*2)
3. Proposed Configuration of KMS/HSM in a Sovereign Cloud
3-1. Characteristics of KMS and HSM
KMS and HSM are essential for controlling data sovereignty. Both KMS and HSM manage the lifecycle of keys, including generating, deleting, managing, and importing encryption keys. The primary difference is that KMS is often provided as a virtual appliance, while HSM is provided as a hardware appliance. Despite their different forms, both conform to FIPS 140 (Security Requirements for Cryptographic Modules). (*3)
HSM has a security advantage because it is tamper-resistant; data is erased if the housing is opened. On the other hand, KMS offers greater functionality and flexibility, as it interfaces more widely with public clouds and applications than HSM.

Figure 4: Overview of KMS and HSM
3-2. KMS/HSM as the base of trust
Figure 5 shows an example of using KMS/HSM in a sovereign cloud.
This configuration increases the reliability of keys by managing them in the highly sovereign HSM/KMS, which is placed on the right side of the figure. In addition, combining Confidential Computing with other technologies such as mTLS provides highly sovereign protection for highly sensitive data across multiple clouds.

Figure 5: Example configuration
4. Conclusion
This article introduces NTT DATA's concept of "data sovereignty" in the sovereign cloud and explains how to use key management services to ensure data sovereignty. Ensuring "data sovereignty" is a critical issue for developers and operators of systems handling critical data. It is necessary to consider and select a configuration that meets the specific requirements of each system. NTT DATA aims to create a system (asset) that can efficiently provide the optimal solution to customer requirements.

Masashi Okubo
NTT DATA Group Corporation
Since joining the company, he has been engaged in the development of core and information systems in various fields as a system infrastructure engineer. Currently, he is engaged in the study of hybrid cloud (sovereign cloud).