Challenge: Protecting Data in the Cloud

Cloud computing and storage have reached unprecedented levels of adoption among enterprises. According to the 2016 Global Encryption Trends Study, a majority of enterprises now send sensitive data to the cloud despite some concerns over security risks, and this trend is expected to continue.

While the cloud offers cost savings, improved agility and other benefits, organizations still must carefully consider the security implications, including such questions as:

  • Are you confident in the security of your critical data, regardless of where it resides in the cloud environment?
  • Can you provide verifiable evidence to auditors that data is maintained in compliance with data protection mandates?
  • In the instance of a breach, how can you be sure the key used to encrypt your data isn’t compromised?

While your cloud service provider may promote its own security capabilities, answering these questions – and ensuring that your data is protected – is ultimately your responsibility.

Risks Associated with Cloud Computing

  • Unauthorized access to your data kept in applications and databases in the cloud environment
  • Failed compliance audits caused by inadequate data protection processes
  • Intercepted transmissions of data from your network to the cloud service provider
  • Exposure of your data resulting from a subpoena of the cloud provider’s records

Solutions: Secure Data Encryption Enabled by Thales

Customers and providers of cloud services increasingly rely on encryption to meet their confidentiality, data integrity and accountability requirements. To be truly effective, your cloud encryption strategy must be backed by strong key management processes that account for and protect keys over their entire lifecycle.

When determining where to maintain your encryption keys you’ll need to consider such factors as:

  • applicable data protection mandates such as PCI-DSS, GDPR, and others;
  • the type and value of the data being protected;
  • your overall risk profile.

Such considerations will help guide whether you store your keys on premises, with the cloud provider, or some combination thereof.

Thales Solutions for Public Cloud Providers

nShield BYOK for Microsoft Azure

When used with Microsoft Azure Key Vault, the Thales nShield HSM lets you create, manage, and bring your own keys to Microsoft Azure from your own premises – all within the security of a FIPS-certified module.

Vormetric Transparent Encryption for Microsoft Azure

Vormetric Transparent Encryption enables data-at-rest encryption of your data in the Microsoft Azure cloud, privileged user access control and the collection of security intelligence logs without re-engineering applications, databases, or infrastructure.

nShield BYOK for Amazon Web Services

nShield HSMs provide tamper-resistant, FIPS-certified storage and let you bring your own keys to the AWS Key Management Service (KMS), giving you lifecycle control over the encryption keys that protect your sensitive cloud data. With nShield BYOK for AWS, your on-premises nShield HSM generates and manages the keys that are securely exported to AWS on your behalf.

Vormetric Transparent Encryption for Amazon Web Services

With Vormetric Transparent Encryption for AWS, your organization can make use of the flexibility and scalability available from Amazon, while safeguarding intellectual property without a noticeable degradation in performance.

Vormetric Cloud Encryption Gateway for AWS

Part of a cloud security strategy includes ensuring that data is encrypted before it even leaves the enterprise and that the keys are maintained separately from the data. The Vormetric Cloud Encryption Gateway encrypts sensitive data before it is saved to Amazon Simple Storage Service (S3). Data never leaves the enterprise unencrypted or unaccounted for, while the encryption keys remain securely on your premises.
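The pattern described above (encrypt before the object leaves the enterprise, keep the key that matters on premises) is usually implemented as envelope encryption: each object gets its own random data key, the object is sealed with that key, and the data key is wrapped under a key-encryption key (KEK) that never leaves the customer's key manager or HSM. The following is an added illustration written for this page, not code from Thales or the Vormetric gateway; it assumes a 256-bit KEK supplied by the on-premises key manager, uses the Go standard library's AES-GCM, and all names and sample data in it are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is everything that leaves the enterprise and lands in the
// bucket: the ciphertext plus the per-object data key wrapped under the KEK.
// The KEK itself is never part of the stored object.
type EncryptedObject struct {
	Nonce      []byte // AES-GCM nonce for the object ciphertext
	Ciphertext []byte // object sealed with the per-object data key
	WrapNonce  []byte // AES-GCM nonce used when wrapping the data key
	WrappedKey []byte // data key sealed under the on-premises KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates data under key with a fresh random nonce.
// aad is bound into the authentication tag but not encrypted.
func seal(key, data, aad []byte) (nonce, out []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, data, aad), nil
}

// open reverses seal and fails if the key, nonce, aad or ciphertext differ.
func open(key, nonce, data, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, data, aad)
}

// EncryptForUpload runs on premises. objectName is bound as associated data
// so a stored ciphertext cannot be silently re-filed under another object key.
func EncryptForUpload(kek []byte, objectName string, plaintext []byte) (*EncryptedObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dataKey := make([]byte, 32) // one random data key per object
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dataKey, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedKey: wrapped}, nil
}

// DecryptDownloaded also runs on premises: unwrap the data key with the KEK,
// then open the object. Anyone holding only the bucket contents cannot do this.
func DecryptDownloaded(kek []byte, objectName string, obj *EncryptedObject) ([]byte, error) {
	dataKey, err := open(kek, obj.WrapNonce, obj.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, obj.Nonce, obj.Ciphertext, []byte(objectName))
}

// LeaksPlaintext is the check a defender wants before trusting the gateway:
// does anything that will be stored in the bucket contain the plaintext?
func LeaksPlaintext(obj *EncryptedObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedKey, plaintext)
}

func main() {
	kek := make([]byte, 32) // constructed; in practice fetched from the on-premises key manager
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("constructed sample: patient 0042, diagnosis code Z00.0")
	obj, err := EncryptForUpload(kek, "records/0042.json", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d ciphertext bytes, %d wrapped-key bytes, leaks plaintext: %v\n",
		len(obj.Ciphertext), len(obj.WrappedKey), LeaksPlaintext(obj, record))
	pt, err := DecryptDownloaded(kek, "records/0042.json", obj)
	fmt.Printf("on-premises decrypt ok: %v, content matches: %v\n", err == nil, bytes.Equal(pt, record))
	_, err = DecryptDownloaded(make([]byte, 32), "records/0042.json", obj) // provider-side attempt without the KEK
	fmt.Printf("decrypt without the KEK fails: %v\n", err != nil)
}
```

The separation the page describes is visible in the types: `EncryptedObject` is the only thing handed to the provider, and the KEK appears only in the two functions that run inside the enterprise. Binding the object name as associated data is an extra defensive choice beyond what the page states; it means a copied or renamed ciphertext fails authentication rather than decrypting under the wrong name.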

Thales Solutions for Software as a Service Providers

Vormetric KMaaS for Salesforce Shield

Vormetric Key Management as a Service (KMaaS) integrates with Salesforce Shield’s BYOK feature and allows customers to generate and maintain their encryption keys on premises, providing complete control over your encryption keys and helping ensure compliance with data protection and data residency requirements.

Thales is developing relationships with other SaaS providers to assist in encrypting sensitive data and enabling customers to bring their own keys to enhance regulatory compliance.

Managed Service Providers

Vormetric Transparent Encryption Services

Thales partners with many Managed Service, IaaS, PaaS, Application Service, and Hosting providers, who offer Vormetric Transparent Encryption services to their customers. Some offer each customer access to their domain of the multi-tenant Vormetric Data Security Manager; others provide a completely managed encryption service. Lower-level providers, such as co-location providers, enable their customers to bring their own encryption to their cages. In these environments, customers typically retain their Vormetric Data Security Manager on their own premises for safety, and manage Transparent Encryption Agents encrypting data in the cloud.

nShield Hosted Services

Thales has partnered with numerous Managed Service Providers that offer hosted PKI and private cloud services underpinned by Thales nShield HSMs. The nShield offers MSPs’ customers FIPS 140-2 Level 3 protection for their most sensitive root and CA private keys, as well as a secure runtime environment. The nShield’s remote management capabilities and support for high transaction volumes provide MSPs a competitive advantage over other alternatives.

Docker Environments

Vormetric Transparent Encryption Docker Extension enables enterprises deploying production applications to Docker environments in the cloud to safely use sensitive and regulated data. Data encryption, access control and data access audit logging protect information stored within Docker containers, and on external storage accessed by Docker. Policies allow easy isolation of data on a container-by-container basis, preventing cross-container exposure. To meet compliance and best practice requirements, encryption keys and policies can be safely managed remotely, from the enterprise’s data center.

  • Reduce the risk of data breaches and notification requirements, even if your cloud service provider suffers an attack
  • Comply with the data protection mandates found in regulations and standards such as PCI-DSS, HIPAA and others
  • Safeguard encryption keys separately from encrypted data, improving your security and compliance posture
  • Defend against attacks by limiting access to protected systems and data to only authorized users and devices
  • Secure the most sensitive keys and business processes in the organization in an independently-certified, tamper-resistant environment
  • Obtain auditable evidence of the integrity and confidentiality of your cloud data
  • Reduce the likelihood of your data being exposed due to a subpoena of the cloud service provider’s records