Giving Companies the Keys to Controlling Their Data

Faiyaz Shahpurwala
Published: Mar 24, 2020

The cloud has become a major focus for organizations seeking to improve processes and increase efficiencies. Indeed, most are using more than one cloud provider across their networks to enhance these benefits.

According to recent research from Gartner, 81 percent of public cloud users have two or more providers. However, placing significant amounts of sensitive data in the cloud, fragmented across several different providers, means that businesses do not have control over the security of that data.

Such an approach has resulted in businesses having to trust that all of their cloud providers have a suitable level of security to protect this information. Combined with pressure from regulators about protecting data held with third parties, businesses need to be sure that their data is safe across all their cloud networks. 

To achieve this, organizations need to bring the oversight and control of security back into the business. This means implementing a centralized cloud strategy where organizations encrypt sensitive data across all cloud providers themselves and manage it in one place. 

Compliance in the cloud

Jurisdictions around the world now demand that businesses protect the personal data of customers, whether on their own systems or those of a third party.

For example, the EU GDPR and the California Consumer Protection Act both penalize enterprises that fail to properly secure information they hold about citizens from those regions – even if the breach originated with a third party.

However, in the event of a data breach, a business is unlikely to be prosecuted if the information has been encrypted.

That said, encryption is not a fool-proof defense if the cryptographic keys for the encrypted material are also exposed, providing the criminals with the ability to freely access and abuse the data.

It almost goes without saying that there is a significant chance of this happening if the keys are kept in the same or a linked cloud facility as the targeted data. Keys that are kept in the cloud are at greater risk from both external cybercriminals and insider threats.

Businesses need to be certain that their cryptographic keys are secured to the highest standards, which is not always possible on the public cloud.

Indeed, this scenario is such a concern for regulators that the international credit card security standard, PCI DSS, prohibits the encryption keys for payment details from being kept in the cloud.

Locking down security

Many organisations will be familiar with the concept of Bring Your Own Keys (BYOK), where cloud service providers have allowed their customers to generate and manage their own encryption keys. However, this control would then be forfeited, as the organizations would be required to export their keys into the cloud provider's key management system (KMS).

This also becomes complex, risky and costly to oversee as organizations may be managing keys in multiple hybrid, public cloud and on-premise environments.

This is where we are seeing a sea change in approach by organisations, particularly those in highly regulated industries or with a high level of confidential information and sensitive intellectual property (IP), which are looking for a way to manage their own encryption keys via their own KMS.

This is where a Bring Your Own Key Management system (BYOKMS), where encryption keys can be stored in their own data centers and the customers always retain exclusive control of who can see their data, is making a difference.

With their own key management system, enterprises are no longer beholden to cloud providers and the potential risk of unauthorized access/decryption being given without their knowledge or consent.

An additional benefit of owning and managing your own keys is that further security measures can be set to protect data, including parameters about when and where the data is used. Nobody will be able to access the data if they try to do so outside of an expected time period or location.

However, taking such an approach requires the implementation of an effective management system that ensures cryptographic keys and certificates are securely generated, used and stored.

Having a central place where all of this can be managed is essential for those organizations running on more than one cloud environment. Whether using public, private or hybrid cloud infrastructure, enterprise-wide control and oversight should be available on one central dashboard.

Without such a system, keeping on top of the encryption used across different deployments in multiple geographies becomes exceedingly complex.

Having a centralized cloud strategy also enables businesses to better demonstrate to regulators that they are meeting data security compliance requirements.

For instance, those companies that deal with credit card payments and implement a centralized cloud strategy would now be able to store these details in the cloud and be compliant with the PCI DSS.

As more businesses look to move mission-critical digital assets to the cloud, they need to be certain that the data they are putting there is safe. Failing to do so could severely impact the organization in terms of reputation, revenue and regulatory compliance.

By bringing full control and oversight of their encryption processes back in-house, organizations can ensure that critical and sensitive information is locked down and can only be accessed by authorized persons.
