The public cloud is everywhere, powering your apps, storing your files, and crunching your numbers. As a result, cloud data security and enterprise cloud security have become top priorities for enterprises in the wake of new threats.
Why Public Cloud Needs a New Approach to Data Security
In 2025, the cloud is no longer optional: it is the operational backbone of modern enterprises. According to Gartner, over 85% of organizations will adopt a cloud-first strategy by the end of 2025, with cloud-delivered secure access service edge (SASE) services accounting for more than 50% of enterprise IT spending globally. Meanwhile, the average cost of a data breach has surged to $4.88 million, marking a 10% increase over last year.
The Rise of Confidential Computing in the Cloud
For protecting data in public cloud environments, a new approach has emerged: hardware-based confidential computing, now available from public cloud providers, which forms the backbone of an enterprise data security framework.
This approach is also being promoted by the Confidential Computing Consortium, which was recently formed by cloud service providers (CSPs), chip vendors, and security companies, all working to reduce cloud data security risks.
CSPs now offer hardware platforms enabling confidential computing solutions to be deployed in the cloud to secure data at rest, in transit, and now also in use, addressing key gaps in traditional cloud security strategies.
The Limits of Traditional Encryption Methods
Previously, organizations were able to protect data by encrypting it only at rest and in transit. At runtime, however, data was exposed when being used by the CPU, creating vulnerabilities in enterprise cloud security defenses.
If not for today’s increasing adoption of secure enclave technologies, such as Intel® Software Guard Extensions (Intel® SGX), confidential computing would still be a theory rather than a practical path to stronger cloud data security.
Other approaches, such as fully homomorphic encryption, are in practice too cumbersome and slow for many of today’s complex application use cases and cloud environments.
Secure Enclaves: Protecting Data in Use with TEEs
Confidential computing using secure enclaves protects data running in the CPU by creating a Trusted Execution Environment (TEE) to secure sensitive applications and data.
TEEs enable general-purpose computation on encrypted data without exposing the data or the plain-text application code, and provide complete cryptographic protection for applications with the performance that enterprises need.
This protects sensitive applications and directly mitigates cloud security risks associated with both internal and external threats.
The Key Management Gap in Confidential Computing
However, the need for the CSP to host the cryptographic keys used to encrypt and decrypt sensitive data presents a cloud security risk. Even though the TEE protects data and application code from root-user and unauthorized system access, the data remains at risk unless organizations maintain exclusive control over their encryption keys.
With a “Bring Your Own Key” (BYOK) approach, the CSP holds an organization’s keys to encrypt and decrypt data. Not surprisingly, few security managers are comfortable with this, and it is a security issue that must be addressed if the benefits of end-to-end encryption are to be fully realized.
Bring Your Own Key
Today’s innovations in cloud-native APIs allow users to integrate their own key management systems to retain control of their encryption keys.
With a “Bring Your Own Key Management Service” (BYOKMS) approach for confidential computing, organizations store their encryption keys in their data centers or within a contracted facility by using a hardware security module (HSM).
An API connects the HSM to the cloud service, and keys are retrieved from the HSM only when an application requires them.
This allows the encryption keys to work seamlessly with confidential computing in the cloud, with a single point of control for auditability and management.
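A minimal model of the BYOKMS flow described above, added here as an illustrative example (not code from the original article or any vendor's API): the master key stays in a customer-controlled service standing in for the HSM, a cloud workload receives only a per-workload data encryption key after the customer's own policy check, and every request, granted or denied, is logged on the customer side. The class, the policy format, and the workload and region names are assumptions.

```python
import hashlib
import hmac
import time


class CustomerKeyService:
    """Hypothetical BYOKMS key-release service in the customer's data center."""

    def __init__(self, hsm_master_key: bytes, policy: dict):
        self._master = hsm_master_key  # stays in the customer "HSM"; never returned
        self._policy = policy          # workload id -> set of allowed regions
        self.audit_log = []            # customer-controlled audit trail

    def _derive_dek(self, workload_id: str, version: int) -> bytes:
        # HMAC-SHA256 derivation binds the released key to workload and version,
        # so a version bump rotates the DEK without touching the master key.
        info = f"{workload_id}:v{version}".encode()
        return hmac.new(self._master, info, hashlib.sha256).digest()

    def release_key(self, workload_id: str, region: str, version: int = 1) -> bytes:
        """Release a per-workload DEK only if the customer's policy allows; log either way."""
        granted = region in self._policy.get(workload_id, set())
        self.audit_log.append({"ts": time.time(), "workload": workload_id, "region": region,
                               "version": version, "decision": "granted" if granted else "denied"})
        if not granted:
            raise PermissionError(f"policy denies {workload_id} in {region}")
        return self._derive_dek(workload_id, version)

    def revoke(self, workload_id: str) -> None:
        """Customer cuts off a workload; no CSP cooperation needed."""
        self._policy.pop(workload_id, None)


def _try_release(svc, workload, region):
    try:
        svc.release_key(workload, region)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    # Constructed sample values, not real key material or a real deployment.
    svc = CustomerKeyService(b"constructed-sample-master-key-0123456789",
                             {"payments-api": {"eu-west-1"}})
    dek = svc.release_key("payments-api", "eu-west-1")               # granted
    wrong_region = _try_release(svc, "payments-api", "us-east-1")    # denied
    svc.revoke("payments-api")
    after_revoke = _try_release(svc, "payments-api", "eu-west-1")    # denied
    return {"dek_len": len(dek), "wrong_region": wrong_region,
            "after_revoke": after_revoke, "audit_entries": len(svc.audit_log)}
```

The point to notice is that the cloud side only ever sees derived per-workload keys, and the customer can revoke or rotate them without any action by the CSP.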
How BYOKMS Improves Data Security in the Cloud
As a unified system, BYOKMS can handle data encryption, tokenization, and shared secrets, while protecting data and applications on-premises, in hybrid clouds, and in public cloud environments.
With BYOKMS, organizations keep exclusive control over who can see and access their data, which should be non-negotiable for cloud data security.
Controlling their own keys allows organizations to safely move applications to the public cloud, even if they must comply with regulations, such as the Payment Card Industry Data Security Standard (PCI DSS). This level of enterprise data security can extend across cloud workloads without performance trade-offs.
Meeting Compliance and Data Sovereignty Requirements
Key management with regional isolation also helps organizations comply with the EU’s General Data Protection Regulation (GDPR) and comparable data sovereignty laws.
Overall, BYOKMS significantly reduces the chances of key secrecy being violated in a shared infrastructure, including by government officials or the CSP itself.
If an organization’s Governance, Risk and Compliance (GRC) policies require pervasive data encryption, organizations can now adhere to them while migrating data and applications into multi-cloud, public cloud and hybrid environments.
Making Cloud Workloads Secure and Portable
Overall, BYOKMS leads to predictable consumption. Organizations are now able to migrate cloud workloads across multiple environments to manage load levels without concern for cloud data risks.
They can also integrate applications in a more flexible manner because it no longer matters where the data resides.
By storing keys in data centers that are close to critical apps, end-to-end cryptographic security with confidential computing will neither slow down data processing nor compromise cloud data security.
Shifting the Mindset for Cloud Security
Implementing the right technology is only part of the story around moving sensitive data to various cloud infrastructures. Trusting the cloud involves a change in mindset toward cloud security.
Organizations need to be ready to embrace data security in the cloud, and developers must understand the new API landscape for securing data in the cloud.
Moving forward, security staff members must think differently about the enterprise cloud data security strategy, with the key management lifecycle as its cornerstone, because confidential computing is now a practical reality.