Retaining Encryption Keys

Faiyaz Shahpurwala
Published: May 20, 2020
Reading time: 4 minutes

One of the many issues that keeps CISOs up at night is the realization that no matter how robust and comprehensive their cybersecurity is, their IT systems are likely to be breached at some point.

This is exacerbated when an organization’s network spans multiple environments. Indeed, research from Nominet suggests businesses using a multi-cloud approach were more than twice as likely to have suffered a data breach in the last year (52 percent) as single-cloud users (24 percent).

What might give these CISOs succor is the belief that, as their data is encrypted, cyber-criminals will not be able to access and use it. However, this only holds if the cryptographic keys are out of the attacker’s reach: if the keys are kept in the same cloud as the data, whoever breaches that cloud can get hold of both, negating the encryption.

Further, this risk is heightened if there is not clear oversight of all IT environments whether public, private or hybrid cloud or on-premise.

Therefore, organizations need to both be able to secure their cryptographic keys away from the encrypted data and be able to manage and view them across all the environments of their IT infrastructure through a single pane of glass.

The multiple risks of multi-cloud

There are plenty of advantages that attract businesses to using a range of cloud services such as SaaS, PaaS and IaaS. Keeping capital expenditure down, not having to worry about maintenance and updates and providing the opportunity for remote working are just some of the reasons for cloud adoption.

Further, as different providers specialize in different services, organizations will often have more than one supplier to ensure they are getting the best solutions for each business function. In fact, research from Gartner shows that 81 percent of those companies using a public cloud will have at least two different services.

However, with a greater number of cloud service providers comes a greater attack surface to monitor. Among the issues multi-cloud users face: keeping track of where data resides becomes increasingly difficult, and each service has its own security controls, which rarely interoperate.

This is likely one reason why businesses with multiple cloud services suffer a larger number of breaches. The Nominet research highlights that 69 percent of multi-cloud users suffered between 11 and 30 breaches, compared to only 19 percent of single-cloud users.

Businesses also need to be mindful that they are still held accountable by regulators for any data breach via a third party, even if they have made sure their cloud providers have exemplary security credentials.

Encryption is the key

Encryption has long been seen as the answer for preventing threat actors from using data if they ever get their hands on it. Yet if the cryptographic keys needed to decrypt the information are kept in the same location as the data, the chances are these will be stolen in the same breach, making the encryption useless.

This is one of the reasons why PCI DSS, the card-payment industry’s security standard (maintained by the PCI Security Standards Council rather than a regulator), requires that the cryptographic keys protecting stored cardholder data be protected against disclosure and held separately from the data they encrypt.

Some cloud providers have recognized that businesses want greater control over encryption and let them bring their own keys (BYOK). The catch is that BYOK means importing the key material into the provider’s own key management system (KMS): the copy of the key that actually performs decryption still lives in the same cloud as the data, which does nothing to dispel the concern that keys and data will be stolen together.

Further, those running multiple clouds will have several KMS to keep an eye on, which is not conducive to having clear oversight of encryption across environments.

Bring Your Own Key Management System

Businesses wanting full control over the encryption of their data, regardless of which IT environment it happens to be in, should deploy a Bring Your Own Key Management System (BYOKMS): a key manager they run in a location of their choosing, outside the clouds that hold their data, in which they generate, store and monitor all their cryptographic keys in one place. Cloud-side services then call out to that key manager for each cryptographic operation instead of holding the keys themselves.

Because the keys are stored well away from the encrypted data, there is little danger of both being stolen at the same time by the same perpetrator, so the data remains unreadable to the thieves. For those dealing with card transactions, this separation is what allows encrypted payment information to be kept in the cloud while still meeting the PCI DSS key-management requirements.
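To make concrete what "keys stored away from the data" means for the two preceding sections (the BYOK catch and the BYOKMS alternative), here is an added envelope-encryption example in Go. It is not Fortanix’s code, and `ExternalKMS` is a hypothetical stand-in for a key manager running outside the cloud that holds the data, not any vendor’s API: it keeps a key-encryption key (KEK) that never leaves it and exposes only wrap and unwrap. The cloud data store holds ciphertext plus a wrapped data-encryption key (DEK); a full copy of that store, even combined with some other KMS such as the provider’s, yields nothing without the organization’s own KEK. The key name `cards/prod` and the card number are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ExternalKMS: hypothetical stand-in for a key manager run outside the data's cloud; its KEK never leaves it.
type ExternalKMS struct{ kek []byte } // 256-bit AES key-encryption key

func NewExternalKMS() *ExternalKMS { return &ExternalKMS{kek: mustRandom(32)} }

// mustRandom returns n bytes from crypto/rand; a failing CSPRNG is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM under a fresh random nonce; returns nonce||ct||tag. aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or any tampering fails the GCM tag check and returns an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK/UnwrapDEK are all the KMS exposes; keyID is bound in as AAD so a wrapped DEK cannot be replayed under another name.
func (k *ExternalKMS) WrapDEK(dek []byte, keyID string) ([]byte, error) {
	return seal(k.kek, dek, []byte(keyID))
}
func (k *ExternalKMS) UnwrapDEK(wrapped []byte, keyID string) ([]byte, error) {
	return open(k.kek, wrapped, []byte(keyID))
}

// Record is all the cloud data store holds for one object; the only key material in it is the wrapped DEK.
type Record struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord is envelope encryption: a fresh per-object DEK encrypts the data, the external KMS wraps the DEK.
func EncryptRecord(kms *ExternalKMS, keyID string, plaintext []byte) (*Record, error) {
	dek := mustRandom(32)
	ct, err := seal(dek, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDEK(dek, keyID)
	if err != nil {
		return nil, err
	}
	return &Record{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs a live unwrap from the KMS; a copy of the store alone is not enough.
func DecryptRecord(kms *ExternalKMS, r *Record) ([]byte, error) {
	dek, err := kms.UnwrapDEK(r.WrappedDEK, r.KeyID)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.KeyID))
}

func main() {
	kms, other := NewExternalKMS(), NewExternalKMS() // other: a KMS the attacker can reach, e.g. the provider's
	rec, _ := EncryptRecord(kms, "cards/prod", []byte("4111 1111 1111 1111")) // constructed sample, not real data
	pt, err := DecryptRecord(kms, rec)
	fmt.Println("own KMS decrypts:", err == nil, string(pt))
	_, err = DecryptRecord(other, rec) // the breach: the whole record, but the wrong KMS
	fmt.Println("stolen dump useless without our KMS:", err != nil)
}
```

The design choice worth noting is that nothing in `Record` can be turned into plaintext locally: the DEK exists in clear only inside `EncryptRecord` and `DecryptRecord`, and every decryption is a call to the key manager, which is where access can be logged, restricted by policy, and revoked. Binding the key name in as AAD also means a wrapped DEK copied from one record cannot be presented to the KMS under a different name.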

Being able to manage encryption via a single pane of glass provides security teams with complete oversight of the data on all their IT environments. This will enable them to implement greater controls regarding who can access the data as well as when and where.

By employing BYOKMS to centrally manage encryption across their multi-cloud environments, CISOs will be able to sleep better, safe in the knowledge that their data is protected.
