While cloud computing offers many advantages, a major disadvantage has been security, because data physically resides with the cloud service provider (CSP) and out of the direct control of the owner of the data. For enterprises that elect to use encryption to protect their data, securing their encryption keys is of paramount importance. Bring Your Own Key (BYOK) allows enterprises to encrypt their data and retain control and management of their encryption keys. However, some BYOK plans upload the encryption keys to the CSP infrastructure. In these cases, the enterprise has once again forfeited control of its keys. A best-practice solution to this "Bring Your Own Key" problem is for the enterprise to generate strong keys in a tamper-resistant hardware security module (HSM) and control the secure export of its keys to the cloud, thereby strengthening its key management practices.
To control access to sensitive data, organizations require user credentials. Deploying a sound credential management system—or several credential management systems—is critical to secure all systems and information. Authorities must be able to create and revoke credentials as customers and employees come and go or simply change roles, and as business processes and policies evolve. Furthermore, the rise of privacy regulations and other security mandates increases the need for organizations to demonstrate the ability to validate the identity of online consumers and internal privileged users.
Although a credential management platform can be deployed on a purely software-based system, that approach is inherently less secure. Token-signing and encryption keys handled outside the cryptographic boundary of a certified HSM are markedly more exposed to attacks that could compromise the token signing and distribution process. HSMs are the only reliable and auditable way to keep valuable cryptographic material secure and to provide FIPS-approved hardware protection.
Asymmetric cryptography uses a pair of linked keys to secure data. One key, the private key, is kept secret by its owner, and is used for signing and/or decryption. The other, the public key, is published and can be used by anyone to verify messages signed by the private key or to encrypt documents to the owner of the private key.
In cryptography, a symmetric key is one that is used for encryption, decryption, and message authentication. This practice, which is also referred to as ‘secret key cryptography’, means that to decrypt information, one must have the same key that was used to encrypt it. The keys, in practice, represent a shared secret between parties that can be used to maintain a private information link. The keys can be used by two or more parties. They can also be used by just one party (e.g. for the purpose of encrypting backups).
One benefit of symmetric cryptography is that it is notably faster than asymmetric cryptography. A well-known example of a symmetric cryptographic use case is tokenization.
During key transport, in which one party selects the secret keying material, the encrypted secret keying material is transported from the sender to the receiver. Key transport schemes use either public key techniques or a combination of public key and symmetric key techniques (a hybrid). The party that sends the secret keying material is called the sender, and the other party is called the receiver.
During key agreement, the derived secret keying material is the result of contributions made by both parties. Key agreement schemes may use either symmetric key or asymmetric key (public key) techniques. The party that begins a key agreement scheme is called the initiator, and the other party is called the responder.
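As an added illustration of the two mechanisms just described (example code, not from the original page), the following Python script uses the `cryptography` library to contrast key transport, where the sender alone chooses a 256-bit key and wraps it under the receiver's RSA public key with OAEP (the same wrap-and-export pattern BYOK relies on to move an HSM-generated key to a CSP), with ECDH key agreement, where initiator and responder each contribute a share and derive the same key through HKDF. The key pairs, the HKDF `info` label and the sample key material are all constructed here for the demo.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# RSA-OAEP with SHA-256: the public-key part of a hybrid key-transport scheme.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def transport_send(receiver_public_key):
    """Sender chooses the secret keying material and wraps it for the receiver."""
    secret_key = os.urandom(32)                    # 256-bit symmetric key (constructed)
    wrapped = receiver_public_key.encrypt(secret_key, OAEP)
    return secret_key, wrapped                     # only `wrapped` leaves the sender


def transport_receive(receiver_private_key, wrapped):
    """Receiver unwraps the keying material; no contribution of its own."""
    return receiver_private_key.decrypt(wrapped, OAEP)


def public_bytes(private_key):
    """What each party publishes in a key-agreement exchange."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)


def agree(my_private_key, peer_public_pem, info=b"demo-key-agreement"):
    """ECDH: both parties contribute; the shared point is run through HKDF."""
    peer_public_key = serialization.load_pem_public_key(peer_public_pem)
    shared_secret = my_private_key.exchange(ec.ECDH(), peer_public_key)
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=info).derive(shared_secret)


def demo():
    """Returns (transport_ok, agreement_ok, wrapped_hides_key)."""
    receiver = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    chosen, wrapped = transport_send(receiver.public_key())
    recovered = transport_receive(receiver, wrapped)

    initiator = ec.generate_private_key(ec.SECP256R1())
    responder = ec.generate_private_key(ec.SECP256R1())
    k_initiator = agree(initiator, public_bytes(responder))
    k_responder = agree(responder, public_bytes(initiator))
    return recovered == chosen, k_initiator == k_responder, chosen not in wrapped


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

In the transport case the receiver learns exactly the key the sender picked, whereas in the agreement case neither party ever sends the key itself, only a public value.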