Key Exchange and Key Escrow Services (KEES™) is a service offering that helps you manage, migrate, and rotate your cryptographic keys remotely. This service supports organizations with all aspects of the full key management lifecycle as well as offers full or partial key inventory escrow capability. KEES™ is a vital tool for your Cloud strategy implementation.
On demand cloud services for HSMs & key management
Managing cryptographic keys is a challenge for most organizations. Many individuals that perform key management activities perform these on an ad hoc basis with little or no training. In most cases, every required function is an interruption to their normal full-time job responsibilities. Moreover, maintaining cryptographic keys necessitates substantial investment in hardware and supporting application technology that is used infrequently. This infrequent use necessitates regular and costly re-training. Key Exchange and Key Escrow Services (KEES™) gives you the opportunity to leverage our subject matter experts to carry out associated key management responsibilities including secure escrow and on-demand exchange capabilities for your organizations’ cryptographic key inventory. KEES can even provide for remote management of your existing HSM infrastructure.
eKMS as a Service
With the expansion of encryption requirements for any enterprise today, the requirement to maintain a centralized key management utility or team is more necessary than ever before. Still, many organizations struggle to find and dedicate full-time subject matter experts and technologies to manage this growing requirement. KEES key exchange service closes this gap.
By utilizing the KEES eKMS as a Service offering, organizations benefit from our full-time and dedicated staff subject matter expertise for the purposes of key generation, key distribution, key rotation, key escrow, and compliance scope reduction.
eKMS as a Service will manage and perform the full key management lifecycle on your behalf.
HSM as a Service
While the vast majority of organization’s technical infrastructure is migrating to cloud-based services, HSM technology does not lend itself to this strategy quite so easily. The primary purpose of HSM technology is to ensure that cryptographic keys remain protected, not only in storage, but also while in use. Virtual solutions are software by definition, but HSMs are required to be hardware. Moreover, most HSM technology leverages proprietary APIs and rely on externally protected key stores.
The KEES platform is the ideal bridge between hardware requirements and the quest for virtual HSM technology. By leveraging cryptographically segregated relationship structures, the KEES platform extends a simple JSON schema RESTful API for remote access to a dedicated clients protected key store. Connections are supported over TLS 1.2. From there, the KEES platform translates the inbound RESTful API to different proprietary APIs for Utimaco and Atalla HSMs.
HSM as a Service eliminates the requirements of hardware management, offers dramatic compliance scope reduction, and utilizes full-time staff professionals to perform sensitive key management functions.
Remote HSM Management
The KEES Key Management Teams fully equipped to remotely manage your HSM infrastructure. Leveraging the industry-first capabilities for remote HSM management of the Atalla Secure Configuration Assistant (SCA) and new technologies available on the AT1000, our team continues to evolve and adapt to remote technologies being performed by the PCI PIN Certified KEES™ Service, GEOBRIDGE can remotely manage any Atalla HSM environment.
From updating firmware, or adjusting configuration settings, any function organizations would ordinarily employ in their own data center, KEES can augment your staff with subject matter experts to manage this sensitive equipment. With required firmware updates being introduced to the marketplace with greater frequency than ever before, the reliance on a set of untrained volunteers within an organization is no longer a prudent course of action.
Key Escrow
Whether functioning for disaster recovery or legally mandated escrow requirements, any key that has been or is currently used for production purposes must be protected with the same security requirements as a production environment. Most organizations struggle to effectively maintain a full production key inventory, let alone have any degree of confidence in disaster recovery scenarios, that usually remain un-tested. KEES offers a full or partial key inventory escrow capability, fully protected under AES 256 Bit encryption.
Independent of disaster recovery considerations, maintaining a key escrow ensures that an organization is in control of its own keys, without being held captive by any specific manufacturer or technology.
Further, by leveraging a key escrow service, an organization can migrate keys to new wrapping formats such as TR-31, without interrupting production systems.
Need a tailor-made solution for an individual project? Get in touch at hsm@utimaco.com or fill in below contact form.
