Overview
CipherTrust Cloud Key Manager platform and Managed Services
Thales, AWS and Capgemini have collaborated to combine advanced managed services around key management, creating an innovative, versatile, feature-rich implementation service that gives customers choices in how they manage their keys. The collaboration extends the existing key management ownership model of Bring Your Own Key (BYOK) with a Hold Your Own Key (HYOK) offer. With external key store and Thales CipherTrust Cloud Key Manager (CCKM), customers can now choose to have data protected with keys physically located outside of AWS Cloud. The externally stored keys are only accessible via explicit customer authorization. External key store supports 100s of AWS services already integrated with AWS KMS.
Gain Strong Key Control and Security
External key store enables customers to separate key management from AWS-controlled encryption, offering a crucial layer of separation of duty and control. Thales CCKM delivers key generation, reporting, and key lifecycle management that help fulfill internal and industry data protection mandates, with optional FIPS 140-2-certified hardware.
Increased Efficiency
Thales CCKM centralizes encryption key management from multiple environments, presenting all supported clouds, and even multiple cloud accounts, in a single pane of glass. Advanced cloud key management services and capabilities include automated key rotation, key expiration handling, and cloud key vault synchronization, dramatically reducing the time required for cloud key lifecycle management.
Integrates With Your Automation Initiatives
CCKM capabilities are available programmatically using RESTful APIs, giving DevOps and IT teams the power of centralized cloud encryption management to work with the organization’s automation and self-service initiatives.
How it Works
External key store is an option within AWS KMS. Once an externally managed key is linked to a KMS key ID using XKS, the externally managed key can be used to protect data in any of the AWS services that integrate with AWS KMS. External key stores let you control data sovereignty. Data Encryption Keys (DEKs) encrypted under KMS keys in the external key store can be decrypted only in the Thales CCKM under your control. When you revoke access to CCKM, by blocking the key or disconnecting the external key store, workloads running in AWS lose all access to your encryption keys, and data encrypted under your keys cannot be decrypted; it is crypto-shredded.
Highlights
- GUARANTEE DATA SOVEREIGNTY: your cryptographic keys remain outside of the AWS KMS cloud, ensuring that only the customer can decrypt sensitive content and guaranteeing that AWS does not have access to your private keys and data.
- ENHANCE COMPLIANCE with GDPR, DORA and NIS2 in the post-Schrems II world by aligning with guidelines from the European Data Protection Board (EDPB).
- UNLOCK WORKLOADS that would not normally be moved to Public Cloud due to data security & sovereignty concerns.
Pricing
Custom pricing options
Support
Vendor support
Get Support https://supportportal.thalesgroup.com/