Data breaches occupy a position of prominence and notoriety among all cyberattacks.
Wonder why?
Data is a goldmine for any organization, the fuel of its operations. First, stolen data, including personal information, financial records, and proprietary business data, can be used for ransomware or traded on the black market. Second, there’s identity theft: someone pretending to be you could open bank accounts, take out loans, and interfere with your taxes to steal your hard-earned resources.
Do you know the key part of a breach story?
When we read the news regarding data breaches (Highlights from the H1 2021 OAIC Notifiable Data Breach Report), we focus on the cybercriminals and the financial losses. They make for sensational headlines, after all. An important aspect frequently overlooked in these stories is the ownership of encryption keys.
The news rarely reports who owned the encryption key during the breach.
This aspect of the breach is often a significant security control weakness for organizations that do not appropriately manage encryption keys over their lifecycle.
Knowing who has access to encryption keys is every organization’s prime responsibility.
Key “mis”management is a data security failure in cloud infrastructure. It may go unaddressed and is often underestimated, even though it lies at the heart of many breaches.
Here’s How Things Go Wrong with Key Management
A) Poor visibility across multiple clouds
Organizations use multiple cloud service providers (CSPs) to leverage tailored features that align with their business needs. The widespread adoption of multi-cloud services has made tracking cryptographic keys and their usage extremely complex.
Cloud providers may prioritize the ease of delivering cloud services over the intricacies of key protection and management. To get full visibility and complete control of keys, organizations need a centralized system that tracks the inventory of keys across all cloud providers and provides audit logs, a user-friendly dashboard, and alerts for compliance issues and key usage violations.
Then there is employee churn. When the security team at the cloud vendor changes, it can introduce uncertainty and temporarily disrupt communication, leaving organizations without real-time information about who can access their data. In such scenarios, tracking the location and status of keys becomes a challenge, because it relies heavily on the cloud vendor's policies, which may not align with the organization’s security requirements.
B) Poor access control
Insufficient identity and access management policies, improperly configured permissions, and a lack of effective monitoring and auditing processes are all factors contributing to poor access control.
Organizations may opt for their cloud service providers' built-in encryption and key management services to save costs and simplify operations. However, this approach may inadvertently give cloud service providers control over sensitive information.
CSPs may need access to data to perform routine maintenance tasks on their infrastructure, diagnose problems, and troubleshoot issues. They may need to manage and maintain multiple copies of data for redundancy, backup, and disaster recovery purposes. Data access can also be used to analyze user behavior with cloud services. In some cases, CSPs may access data to comply with legal requirements, such as responding to lawful government requests or court orders.
Does it leave organizations vulnerable?
Not necessarily, if organizations deploy their own authentication mechanisms that apply whenever the CSP wants access. Organizations must be able to track who accessed the data, when, for how long, and from where.
C) Storing data and keys in the same cloud
CSPs build their infrastructure focusing on delivering excellent cloud services and might not be in a position or have enough resources to invest adequately in data security. In some scenarios, they may store data and the keys in the same cloud to simplify management and reduce latency.
There are three reasons why storing data and keys in the same cloud is a bad idea.
Firstly, when data and encryption keys reside together, unauthorized access to one can potentially compromise both, putting sensitive information at risk. This approach also fails to comply with the principle of least privilege.
Secondly, compliance requirements often mandate strict separation between data management and encryption keys to meet the principle of separation of duties and minimize the risk of unauthorized access.
Finally, as the organization scales, it can be challenging to migrate data and keys if switching CSPs or using multiple providers. Separating them allows for more flexibility and interoperability.
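As an added illustration (not part of the original article and not Fortanix code), the three failure modes above can be expressed as checks over a centralized key inventory and an access log. The record schema, provider labels, domain, and sample entries are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

ORG_DOMAIN = "@example.org"  # assumption: in-house identities end with this suffix

@dataclass
class KeyRecord:  # hypothetical inventory schema, not a CSP or vendor API
    key_id: str
    key_location: str     # cloud or system holding the key material
    data_location: str    # cloud holding the data the key protects
    owner: Optional[str]  # accountable person or team inside the organization
    allowed: list = field(default_factory=list)  # principals permitted to use the key

def audit_key(rec):
    """Return findings for one key, one tag per failure mode A, B, C."""
    findings = []
    if not rec.owner:
        findings.append("A:no-owner")
    if any(not p.endswith(ORG_DOMAIN) for p in rec.allowed):
        findings.append("B:external-principal")
    if rec.key_location == rec.data_location:
        findings.append("C:key-stored-with-data")
    return findings

def audit_inventory(records):
    """Map key_id -> findings, omitting keys with no findings."""
    report = {}
    for rec in records:
        findings = audit_key(rec)
        if findings:
            report[rec.key_id] = findings
    return report

def unexpected_uses(records, access_log):
    """Return log entries where the principal is not on the key's allow list."""
    allowed = {r.key_id: set(r.allowed) for r in records}
    return [e for e in access_log if e["principal"] not in allowed.get(e["key_id"], set())]

# Constructed sample data
INVENTORY = [
    KeyRecord("k-payments", "cloud-a", "cloud-a", "payments-team", ["svc-pay@example.org"]),
    KeyRecord("k-hr", "external-kms", "cloud-b", "hr-it", ["svc-hr@example.org"]),
    KeyRecord("k-logs", "cloud-b", "cloud-b", None, ["svc-logs@example.org", "support@csp.example"]),
]
ACCESS_LOG = [
    {"key_id": "k-hr", "principal": "svc-hr@example.org", "time": "2024-01-10T09:00:00Z", "source": "10.0.0.5"},
    {"key_id": "k-hr", "principal": "support@csp.example", "time": "2024-01-10T23:14:00Z", "source": "203.0.113.7"},
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(INVENTORY).items():
        print(key_id, findings)
    for entry in unexpected_uses(INVENTORY, ACCESS_LOG):
        print("unexpected use:", entry)
```

Only `k-hr`, whose key sits outside the cloud that holds its data and has a named owner and in-house principals, passes all three checks; the log pass still surfaces the one use of it by an identity that is not on its allow list.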
Fortanix’s Commitment to Data Security
When CSPs solely control both the encryption of customer data and the encryption keys, organizations should consider running their own key management system instead of depending on the CSPs for it.
Fortanix offers Key Management Service (KMS) with HSM-grade security, allowing organizations to securely generate, store, and use crypto keys, certificates, and secrets. It provides control and visibility into key management operations using a centralized web-based UI with enterprise-level access controls and single sign-on support.
Fortanix guarantees the highest data security and confidentiality throughout its lifecycle, made possible by Confidential Computing. With advanced solutions such as enterprise key management, tokenization, and HSM modernization, we proudly serve renowned global banks, federal institutions, and corporations. Our clients trust us for our service commitment and delivery.