MyPage is a personalized page based on your interests.The page is customized to help you to find content that matters you the most.


I'm not curious

Cloud Security Requires Cloud-Based Key Management

Published on 18 December 14
244
0
0
Cloud Security Requires Cloud-Based Key Management - Image 1

When you leave for work in the morning, whatâs the last thing you do?

If you are like most people, you lock the front door and take your keys with you. Unless you are having a very bad day, you probably do not leave the key in the front door, making it easy for anyone to gain access to your home. After all, the point of locking the door is to keep unwanted intruders out of your home and to protect your valuable belongings.

In the cloud-security world, the act of encrypting data, while itâs in storage, in an application, or in transit, is a lot like locking the door to your home. By turning your plain text data into a string of code that can only be opened with a specific key, youâre keeping that sensitive data safe from unauthorized users who can turn around it use it for nefarious purposes.

The problem though, is that many organizations do the equivalent of leaving the key in the front door by storing the encryption keys â in plain sight â on the same servers as the data. Usually, these keys are in either Microsoft Excel or config formats, meaning that hackers know exactly what to look for and can often steal your data before you even realize that they have gained access to it.

The shift to the cloud has only served to further complicate the issue of encryption and encryption keys. With so many companies relying on vendors to provide cloud security, there are often questions about what is being done to ensure data protection and who is responsible for encryption keys. While there are still questions, and cloud security is constantly evolving, a few important considerations have emerged.

Don't Forget the Keys

Many companies who work with cloud service providers to store their data rely on the vendor to encrypt the data. Thatâs fine, except it begs the question of who controls the encryption keys. In some cases, the keys are stored on the same servers, which presents a host of security risks. Another option is to turn the key management over to a vendor, with access via the cloud. On the one hand, this does create a layer of security â when a hacker canât find the keys, they canât use them â but itâs also not very convenient, or even compliant with federal laws regarding the protection of certain types of data.

In fact, the idea of a cloud services vendor managing encryption keys is very unpopular for several reasons:

  • Allowing a third party to have access to certain types of data (HIPPA, PCI-DSS, etc.) is a violation of federal law, even if that data is encrypted.
  • Recent data breaches involving large cloud-service providers have companies worried about the security of their data and the encryption keys.
  • Vendors storing encryption keys and data outside of the U.S. raises concerns about data protection and privacy, most notably whether the data is fully protected when outside of the country.
  • When a vendor encrypts data and holds the key, they may be able to supply that data to the government to comply with a subpoena, even without the companyâs knowledge.
  • Disputes, cyberattacks, and outages or downtime could prevent the company from accessing its own data.
Securing Your Keys in the Cloud
Cloud Security Requires Cloud-Based Key Management - Image 2

Clearly, allowing your cloud service provider to manage your keys is not a viable solution, so what is? With so many questions about the best way to manage encryption keys, one clear solution is beginning to emerge: A cloud-based, hardened third-party key management provider that gives you complete control over the storage of your keys, as well as the ability to rotate and manage multiple keys for different devices and platforms.

A cloud-based system is vital because it allows for access across platforms and scalability as the businessâ needs change. It also provides auditing and access protections to prevent unauthorized access to encrypted data.

Encryption has become a vital part of any comprehensive IT security strategy. By effectively managing the keys in such a way that not only are hackers and data thieves kept out, but that legitimate users can access data securely from wherever they happen to be, you have a better chance of staying in compliance and avoiding a data breach.





Cloud Security Requires Cloud-Based Key Management - Image 1

When you leave for work in the morning, whatâs the last thing you do?

If you are like most people, you lock the front door and take your keys with you. Unless you are having a very bad day, you probably do not leave the key in the front door, making it easy for anyone to gain access to your home. After all, the point of locking the door is to keep unwanted intruders out of your home and to protect your valuable belongings.

In the cloud-security world, the act of encrypting data, while itâs in storage, in an application, or in transit, is a lot like locking the door to your home. By turning your plain text data into a string of code that can only be opened with a specific key, youâre keeping that sensitive data safe from unauthorized users who can turn around it use it for nefarious purposes.

The problem though, is that many organizations do the equivalent of leaving the key in the front door by storing the encryption keys â in plain sight â on the same servers as the data. Usually, these keys are in either Microsoft Excel or config formats, meaning that hackers know exactly what to look for and can often steal your data before you even realize that they have gained access to it.

The shift to the cloud has only served to further complicate the issue of encryption and encryption keys. With so many companies relying on vendors to provide cloud security, there are often questions about what is being done to ensure data protection and who is responsible for encryption keys. While there are still questions, and cloud security is constantly evolving, a few important considerations have emerged.

Don't Forget the Keys

Many companies who work with cloud service providers to store their data rely on the vendor to encrypt the data. Thatâs fine, except it begs the question of who controls the encryption keys. In some cases, the keys are stored on the same servers, which presents a host of security risks. Another option is to turn the key management over to a vendor, with access via the cloud. On the one hand, this does create a layer of security â when a hacker canât find the keys, they canât use them â but itâs also not very convenient, or even compliant with federal laws regarding the protection of certain types of data.

In fact, the idea of a cloud services vendor managing encryption keys is very unpopular for several reasons:

  • Allowing a third party to have access to certain types of data (HIPPA, PCI-DSS, etc.) is a violation of federal law, even if that data is encrypted.
  • Recent data breaches involving large cloud-service providers have companies worried about the security of their data and the encryption keys.
  • Vendors storing encryption keys and data outside of the U.S. raises concerns about data protection and privacy, most notably whether the data is fully protected when outside of the country.
  • When a vendor encrypts data and holds the key, they may be able to supply that data to the government to comply with a subpoena, even without the companyâs knowledge.
  • Disputes, cyberattacks, and outages or downtime could prevent the company from accessing its own data.


Securing Your Keys in the Cloud

Cloud Security Requires Cloud-Based Key Management - Image 2

Clearly, allowing your cloud service provider to manage your keys is not a viable solution, so what is? With so many questions about the best way to manage encryption keys, one clear solution is beginning to emerge: A cloud-based, hardened third-party key management provider that gives you complete control over the storage of your keys, as well as the ability to rotate and manage multiple keys for different devices and platforms.

A cloud-based system is vital because it allows for access across platforms and scalability as the businessâ needs change. It also provides auditing and access protections to prevent unauthorized access to encrypted data.

Encryption has become a vital part of any comprehensive IT security strategy. By effectively managing the keys in such a way that not only are hackers and data thieves kept out, but that legitimate users can access data securely from wherever they happen to be, you have a better chance of staying in compliance and avoiding a data breach.

Related Posts:
Post a Comment

Please notify me the replies via email.

Important:
  • We hope the conversations that take place on MyTechLogy.com will be constructive and thought-provoking.
  • To ensure the quality of the discussion, our moderators may review/edit the comments for clarity and relevance.
  • Comments that are promotional, mean-spirited, or off-topic may be deleted per the moderators' judgment.
You may also be interested in
Awards & Accolades for MyTechLogy
Winner of
REDHERRING
Top 100 Asia
Finalist at SiTF Awards 2014 under the category Best Social & Community Product
Finalist at HR Vendor of the Year 2015 Awards under the category Best Learning Management System
Finalist at HR Vendor of the Year 2015 Awards under the category Best Talent Management Software
Hidden Image Url

Back to Top