Why protecting encryption keys is critical to keeping cloud data private
The changing regulatory and compliance environment around data privacy necessitates improved methods of protecting sensitive information sent to the cloud.
Encryption is one strategy cloud service providers use to protect enterprise cloud data from cybercriminals and any unauthorized access.
Cloud Data Encryption mathematically transforms data so that it is undecipherable without the “key” that can be used to change the data back to its original form.
For a variety of reasons, enterprises often rely on their cloud service providers to maintain ownership and management of the keys, believing that cloud data encryption can only be accomplished in this way.
Quite frankly, it has become an issue of resource management for some enterprises, as summarized in this quote from a 2013 Gartner report: “Organizations have a limit to the amount of time that staff can dedicate to becoming experts in a given solution. Increasing the number of different vendor cryptographic solutions deployed within a given environment increases the level of overall complexity of the overall system due to higher demands on staffing, increased training and the greater risk of misunderstanding a particular deployment configuration dependency."
Importance of who holds encryption keys
But more and more enterprises are now realizing that when they cede control of their encryption keys to their cloud providers, their sensitive data may not be as private as they had hoped. For instance, sometimes law enforcement can request and be given private corporate customer information from the cloud service provider without the enterprise being informed.
Giving up control of encryption keys may also make the enterprise more susceptible to cybercriminals or rogue employees. There are many ways the information may be unlocked and accessed without the enterprise knowing anything about it. In another report, Gartner makes this definitive recommendation to the enterprise, “Do not store keys or use keys in other jurisdictions, or use a third party; otherwise, the encrypted data could be accessed if the keys are available."
Use well-vetted algorithms with strong security proofs
In addition to maintaining physical ownership of the encryption keys, enterprises intent on deploying cloud data encryption need to engage their enterprise IT & Security teams to ensure that the strength of the encryption being used is well understood. They need to look for peer-reviewed security proofs and understand the implications for the end users of cloud applications if strong encryption techniques, such as FIPS 140-2 validated modules deployed in FIPS mode, are used.
In another report, Gartner recommends, “encryption algorithms that have not been internationally recognized through appropriate standards should be avoided if they do not comply with regulatory requirements.” Later, it says, “if the encryption vendor offers options for ‘function preserving encryption’ – for example, to preserve sort – regulations may require the use of standardized and approved algorithms or proof of independent certification for the potentially weakened encryption.”
The enterprise can maintain control
Considering the well-founded recommendation from Gartner and the security and compliance needs of the enterprise to control sensitive data, it becomes clear that having vast amounts of sensitive data dispersed to multiple cloud application providers and relying on those providers to keep the encryption keys safe creates a security paradox for the enterprise.
Implementing cloud data encryption and maintaining control over the encryption keys is an important way for the enterprise to verify how information can be shared and unlocked; giving the keys away leaves the enterprise with only the illusion of control.
Commenting on WikiLeaks, a Forrester analyst stated: “Had Stratfor encrypted its email stores, this breach would not have been a breach at all, as encrypted data (in the absence of keying material) is not data – it is merely gobbledygook.”
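The two points above, using a standardized algorithm and keeping the key on the enterprise side, can be shown in a few lines of code. The following Go program is an added illustration, not code from the article or from PerspecSys: it encrypts a record on-site with AES-256-GCM (a NIST-approved authenticated cipher, as called for under the "well-vetted algorithms" heading) using a key that never leaves the enterprise, so what the cloud provider stores is, in the Forrester analyst's words, gobbledygook. The record contents, the record ID used as associated data, and the function names are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewEnterpriseKey generates a 256-bit AES key. In the model the article
// describes, this key is created and kept on-site and is never handed to
// the cloud provider.
func NewEnterpriseKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts plaintext with AES-256-GCM before it leaves the
// enterprise. aad (e.g. the record ID) is authenticated but not encrypted,
// so a ciphertext cannot be silently moved to a different record.
// Output layout: nonce || ciphertext || GCM tag.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: equal plaintexts yield different
	// ciphertexts, so the provider learns neither content nor equality.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord decrypts and verifies a sealed record. It fails closed when the
// key is wrong, the ciphertext or tag was modified, or the aad does not match.
func OpenRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ProviderView is what the cloud application stores and can read: an opaque
// blob, shown here base64-encoded as it might appear in a provider's database.
func ProviderView(sealed []byte) string {
	return base64.StdEncoding.EncodeToString(sealed)
}

func main() {
	key, err := NewEnterpriseKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the ID doubles as associated data.
	record := []byte("customer=ACME Corp; contract value=1,250,000")
	recordID := []byte("record-0042")

	sealed, err := SealRecord(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored at provider:", ProviderView(sealed))

	// Without the enterprise key, the provider (or anyone who obtains the
	// provider's copy) cannot recover the record.
	providerKey, _ := NewEnterpriseKey()
	if _, err := OpenRecord(providerKey, sealed, recordID); err != nil {
		fmt.Println("decrypt without enterprise key:", err)
	}

	// Back on-site, with the enterprise key, the record is recovered.
	plain, err := OpenRecord(key, sealed, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered on-site:", string(plain))
}
```

The check in OpenRecord is the point of choosing an authenticated mode: a provider-side modification of the stored blob, a wrong key, or a ciphertext re-attached to a different record ID is rejected rather than producing corrupted plaintext. A "function preserving" scheme that keeps sort order or equality would, by design, leak exactly the information the random nonce hides here, which is why the Gartner text quoted above treats such schemes as potentially weakened encryption.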
For more information on how the enterprise can encrypt their data onsite and maintain control of their encryption keys while being able to freely and securely send data to any cloud application provider, click on this link: cloud data encryption.
Need to find out more about data residency and sovereignty and the use of cloud data tokenization? Visit this page.
Gerry Grealish is Chief Marketing Officer of PerspecSys, a cloud data control software provider.