Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

back

CCKM Administration

Overview

search

Please Note:

Overview

CipherTrust Cloud Key Manager (CCKM, also referred to as CCKM Embedded) centralizes the management of key life cycle for various cloud services providers. The CCKM complies with data security mandates in cloud storage environments while retaining the custodianship of the encryption keys. Enterprises can back up keys on-premise, destroy keys when no longer needed, and manage the entire life cycle of the cloud keys.

The following diagram shows the high level CCKM overview:

CCKM Components

The CCKM solution comprises the following components:

  • CCKM GUI on the CipherTrust Manager for administrators and users

  • At least one of the supported clouds

  • A supported trusted key source

  • A supported Internet browser

The product is delivered as a licensed component of the CipherTrust Manager appliance that can be installed on any one of the supported deployment methods.

Supported Clouds

  • AWS China

  • AWS GovCloud

  • Azure Cloud

  • Azure Germany Cloud

  • Azure China Cloud

  • Azure US Government

AWS China cloud does not support uploading 256-bit keys. It supports upload of 128-bit keys only. Current GUI supports creation and listing of 256-bit keys only. So, upload 128-bit keys to the AWS China cloud using the CCKM AWS APIs.

AWS China cloud does not support creation of native asymmetric keys.

Supported Cloud Services

  • AWS Customer Managed CMKs

  • Azure Cloud BYOK

  • Azure Stack (Azure Active Directory, Azure AD)

  • Azure Stack (Active Directory Federation Services, AD FS)

  • Google Workspace Client Side Encryption (CSE)

  • Google Cloud Customer-Managed Encryption Keys (CMEK)

  • Google Cloud External Key Manager (EKM)

Supported Key Sources

CCKM uses the following as the trusted key sources for the encryption keys employed within the supported clouds:

  • CipherTrust Manager

  • Luna Network HSM (referred to as Luna HSM in this document): This release supports:

    • Luna Network HSM Software and Firmware versions v7.3.x and higher.

    • PED and Password-based HSM configurations.

    • Import of RSA-4096 keys from Luna HSM Software and Firmware versions 7.4.x and higher.

    • Only asymmetric keys with Luna HSM.

  • Data Security Manager (DSM): This release supports DSM v6.4 Cumulative Patch 3 and higher.

The CipherTrust Manager supports all clouds that CCKM supports. The CipherTrust Manager stores its own keys and the backup keys from the supported clouds.

On the CipherTrust Manager, CCKM cannot manage source keys created on the CCKM Appliance v1.x.

Supported Deployment Methods

The CCKM is delivered as part of the CipherTrust Manager appliance. So, CCKM can be automatically deployed with the deployment of the CipherTrust Manager in the following supported environments:

  • Amazon Web Services

  • Google Cloud Platform

  • Microsoft Azure

  • Oracle Cloud

  • Private Clouds - Oracle VMware vSphere, Microsoft Hyper-V, and OpenStack

  • Physical Appliances

Refer to the CipherTrust Manager Deployment Guide for the complete list of supported environments and deployment instructions.

Supported Internet Browsers

The CCKM supports the following Internet browsers:

  • Chrome 51.0.2704 (64-bit) or later

  • Firefox 45.0 or later

  • Internet Explorer 11 or later

  • Microsoft Edge 91.0.864.37 or later

CCKM Functionality

The CCKM provides following functionalities for the supported cloud services:

  • Life cycle management of keys, key versions, and attributes:

    • View Keys

    • Update Keys

    • Upload Keys

    • Rotate Keys

    • Delete Keys

  • Disaster recovery of keys:

    • Backup Keys

    • Restore Keys

  • Hybrid key management:

    • On-premise keys storage

    • Management of both keys originating from trusted key sources and cloud-provider-sourced keys

    • Key synchronization

  • Compliance management:

    • On-premise key storage with FIPS 140-2 Level 3 certification

    • Key storage in public or private clouds, inaccessible to cloud services with FIPS 140-2 Level 1

  • Key visibility reporting:

    • Key Activity Report: Inspect individual key histories by operations, for example, when they were refreshed, rotated, edited, or deleted. Also, use this report to compare key activities between CCKM and a cloud service.

    • Key Aging Report: Track keys by their expiration dates. Audit a range of dates, from past material deletions to future scheduled deletions, within a cloud service.

    • Service/Usage Report: Monitor key usage by tracking services and applications consuming the keys. View when and where a service requests the use of each key.

    Reporting is not supported for the Azure Stack cloud.

User Roles

CCKM has the following users with different responsibilities in administering and using the resources of supported clouds and key sources.

CCKM Admins

There is a System Defined Group named "CCKM Admins". Users within the "CCKM Admins" group are CCKM Administrators. Additionally, the CCKM administrators need the Key Users, Connection Admins, and User Admins permissions to perform key operations on the supported clouds.

A CCKM Administrator is responsible for creating and managing the following resources:

  • AWS KMS Accounts, AWS Keys

  • Azure Key Vaults, Azure Subscriptions, and Azure Keys

  • Luna HSM Partitions, Luna Keys

  • DSM Domains, DSM Keys

  • Google Cloud Projects, Key Rings, and Keys

  • Google EKM endpoints

  • CCKM Schedules

  • CCKM Reports

CCKM Users

There is a System Defined Group named "CCKM Users". CCKM users registered with the CipherTrust Manager are part of this group. Additionally, the CCKM users need the Key Users permissions to perform key operations on the supported clouds.

Proxy Configuration

If you plan to run the CipherTrust Manager appliance behind a proxy, you must configure the proxy, as described in Proxy Configuration.

For the list of URLs to be whitelisted, refer to URLs to Whitelist for Running CipherTrust Manager Behind Proxy.

Now, you should be able to connect CCKM with the cloud through the proxy.

URLs to Whitelist for Running CipherTrust Manager Behind Proxy

The following URLs must be whitelisted before you run the CipherTrust Manager behind a proxy.

Amazon Web Services

  • ec2.amazonaws.com (to fetch AWS regions)

  • ec2.us-east-1.amazonaws.com (to fetch AWS regions)

  • iam.amazonaws.com

  • sts.amazonaws.com

  • kms.<region-name>.amazonaws.com

  • logs.<region-name>.amazonaws.com

AWS GovCloud

  • ec2.amazonaws.com (to fetch AWS regions)

  • ec2.us-gov-east-1.amazonaws.com (to fetch AWS regions)

  • iam.amazonaws.com

  • sts.us-gov-east-1.amazonaws.com

  • kms.<region-name>.amazonaws.com

  • logs.<region-name>.amazonaws.com

AWS China Cloud

  • ec2.amazonaws.com.cn (to fetch AWS regions)

  • ec2.cn-north-1.amazonaws.com.cn (to fetch AWS regions)

  • iam.amazonaws.com.cn

  • sts.cn-north-1.amazonaws.com.cn

  • kms.<region-name>.amazonaws.com.cn

  • logs.<region-name>.amazonaws.com.cn

Azure Public Cloud

  • management.azure.com

  • login.microsoftonline.com

  • vault.azure.net

  • graph.windows.net

  • graph.windows.net

  • vault.azure.net

  • api.loganalytics.io

Azure US Gov Cloud

  • management.core.usgovcloudapi.net

  • management.usgovcloudapi.net

  • login.microsoftonline.us

  • vault.usgovcloudapi.net

  • graph.windows.net

  • api.loganalytics.us

Azure China Cloud

  • management.core.chinacloudapi.cn

  • management.chinacloudapi.cn

  • login.chinacloudapi.cn

  • vault.azure.cn

  • graph.chinacloudapi.cn

Azure Germany Cloud

  • management.core.cloudapi.de

  • management.microsoftazure.de

  • login.microsoftonline.de

  • vault.microsoftazure.de

  • graph.cloudapi.de

Google Cloud CMEK

  • https://accounts.google.com

  • https://iam.googleapis.com

  • https://www.googleapis.com

  • https://oauth2.googleapis.com

  • https://cloudresourcemanager.googleapis.com

  • https://cloudkms.googleapis.com

  • https://logging.googleapis.com