David Erel
June 20, 2023
AWS KMS and Piiano Vault both provide encryption features. As most people have access to a KMS through their cloud provider, we're often asked why they should consider using Piiano Vault to encrypt their PII data.
In this post, we examine the encryption features of KMS and Piiano Vault. We show how Vault’s privacy-aware approach provides superior control and simplifies compliance with various privacy regulations and laws.
A Key Management Service (KMS) is a key encryption service used primarily to create, store, and control encryption keys. Cloud providers may then offer additional features. For example, as part of their KMS, AWS provides add-ons for:
Piiano Vault is a data protection service that stores or encrypts large amounts of sensitive personal data (PII, PHI, PCI, KYC, secrets, etc.), enabling compliance with standards and regulations such as PCI, CCPA, and GDPR. Vault uses AWS KMS for holding its root encryption key (KEK). Vault also offers stateless encryption APIs.
As described, a KMS and Piiano Vault offer a simple standalone REST API for a fully remote service to encrypt and decrypt your data. While a KMS is oblivious to the content of the data it encrypts, Piiano Vault focuses on semantic data types and privacy controls to assist with compliance and management of the sensitive data.
đź’ˇ This article discusses AWS KMS, but the same concepts hold true for GCP KMS and Azure Key Vault. We only reference the AWS implementation for brevity.
The AWS KMS encryption APIs provide functions to encrypt blobs and return them to applications, and decrypt ciphertext encrypted by the KMS. The encryption is done under a KMS key of your choosing.Â
The KMS considers all data as blobs and cannot provide any added-value services on top of that data.
đź’ˇThe AWS KMS does not store encrypted data. Storing and managing the encrypted data is up to you.
Piiano Vault’s encryption APIs provide features to encrypt and decrypt data as well as easily update fields in encrypted objects. You can also obtain a hash of the source data without creating an encrypted object. In addition to these features available in the stateless version of Vault, the stateful version can also store data as you encrypt it.
Unlike a KMS, you define to Vault the schemas for the collections of sensitive data you want to encrypt. Vault is then aware of the semantic meaning of each field in the items encrypted or decrypted. On top of this, you can define identity and access management policies to control who and what can encrypt and decrypt data.
Access to the Vault is managed through its own API keys.
In addition to simply encrypting a blob, Piiano Vault provides for:
Piiano provides SDKs for Python, Java, and TypeScript and a command line tool. When using an ORM integration, Vault transparently encrypts and decrypts data for the objects you read and write from your database. That approach may be advantageous if you use an ORM and want to move from cleartext data to encrypted data with minimal changes to your code.
For this comparison, we consider a system with the following characteristics:
đź’ˇAWS pricing information was taken from https://aws.amazon.com/kms/pricing/
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
AWS KMS provides a proven key management and encryption service. However, as a tool to encrypt sensitive personal data, it is limited by the size of items it can encrypt and the cost. Also, integration may require some AWS expertise from DevOps or DevSecOps teams.
Piiano Vault’s encryption APIs provide a developer-ready solution for application data encryption (using a KMS internally to store keys for root trust and adequate security). The solution is geared towards backend developers and doesn’t require the user to be AWS proficient. It can also be much cheaper for certain use cases. Piiano Vault runs on the most popular cloud providers and can be deployed in various ways to meet your needs. It also provides a totally local developer environment.
Lastly, it’s worth mentioning that Vault has a broader scope than a KMS with respect to encryption. In its stateful implementation, it stores sensitive data and generates tokens, controls the lifecycle of objects and tokens, and has more features. And, all these features are available within the same API.
VP R&D
David is a seasoned senior manager with a rich 20-year history in professional development, having worked at a broad range of companies including Intel, Check Point, EMC, and SentinelOne. He has a unique passion for the mix of managing software development teams and building cloud infrastructure.
Increased complexity as the number of keys and systems grow.
Adopt a centralized key management solution such as a Hardware Security Module (HSM) or cloud-based KMS to securely manage and control cryptographic keys at scale.
Ensuring secure and timely key distribution and synchronization at scale.
Automate key rotation processes to maintain synchronization, reduce human intervention, and minimize errors as the system grows.