Cloud Security Requires Cloud-Based Key Management

Published on 18 December 14

When you leave for work in the morning, what’s the last thing you do?

If you are like most people, you lock the front door and take your keys with you. Unless you are having a very bad day, you probably do not leave the key in the front door, making it easy for anyone to gain access to your home. After all, the point of locking the door is to keep unwanted intruders out of your home and to protect your valuable belongings.

In the cloud-security world, the act of encrypting data, whether it's in storage, in an application, or in transit, is a lot like locking the door to your home. By turning your plain text data into a string of code that can only be opened with a specific key, you're keeping that sensitive data safe from unauthorized users who can turn around and use it for nefarious purposes.

The problem, though, is that many organizations do the equivalent of leaving the key in the front door by storing the encryption keys - in plain sight - on the same servers as the data. Usually, these keys are in either Microsoft Excel or config formats, meaning that hackers know exactly what to look for and can often steal your data before you even realize that they have gained access to it.
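A defender can look for this mistake before an intruder does. The following sketch is an added example, not part of the original article: it flags config lines that carry a PEM private key or a key-named setting with a random-looking value. The setting names, the sample config and the 3.5-bit entropy threshold are assumptions made for illustration.

```javascript
// Added example: flag key material stored inline in a config file.
const PEM = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;
// name = value or name: value, where the setting name suggests a key.
const ASSIGN = /^\s*([\w.-]*(?:key|secret)[\w.-]*)\s*[:=]\s*["']?([A-Za-z0-9+\/=_-]{16,})["']?\s*$/i;

// Shannon entropy in bits per character; random keys score high.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts)
    .reduce((h, c) => h - (c / s.length) * Math.log2(c / s.length), 0);
}

// Returns [{line, reason}] for each suspicious line. The 3.5-bit threshold
// is a heuristic chosen for this example, not a standard value.
function scanConfig(text, minEntropy = 3.5) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = ASSIGN.exec(line);
    if (PEM.test(line)) {
      findings.push({ line: i + 1, reason: 'PEM private key block' });
    } else if (m && entropy(m[2]) >= minEntropy) {
      findings.push({ line: i + 1, reason: `inline key in "${m[1]}"` });
    }
  });
  return findings;
}

// Constructed sample: an app config sitting on the same server as the data.
// Line 3 only references a key held elsewhere, so it is not flagged.
const sampleConfig = [
  'db_host = 10.0.0.5',
  'encryption_key = 3q2+7wABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhs=',
  'signing_key = ${KEY_FROM_KEY_MANAGER}',
  '-----BEGIN RSA PRIVATE KEY-----',
].join('\n');

console.log(scanConfig(sampleConfig));
```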

The shift to the cloud has only served to further complicate the issue of encryption and encryption keys. With so many companies relying on vendors to provide cloud security, there are often questions about what is being done to ensure data protection and who is responsible for encryption keys. While there are still questions, and cloud security is constantly evolving, a few important considerations have emerged.

Don't Forget the Keys

Many companies that work with cloud service providers to store their data rely on the vendor to encrypt the data. That's fine, except it raises the question of who controls the encryption keys. In some cases, the keys are stored on the same servers, which presents a host of security risks. Another option is to turn the key management over to a vendor, with access via the cloud. On the one hand, this does create a layer of security - when a hacker can't find the keys, they can't use them - but it's also not very convenient, or even compliant with federal laws regarding the protection of certain types of data.

In fact, the idea of a cloud services vendor managing encryption keys is very unpopular for several reasons:

  • Allowing a third party to have access to certain types of data (HIPAA, PCI-DSS, etc.) is a violation of federal law, even if that data is encrypted.
  • Recent data breaches involving large cloud-service providers have companies worried about the security of their data and the encryption keys.
  • Vendors storing encryption keys and data outside of the U.S. raises concerns about data protection and privacy, most notably whether the data is fully protected when outside of the country.
  • When a vendor encrypts data and holds the key, they may be able to supply that data to the government to comply with a subpoena, even without the company’s knowledge.
  • Disputes, cyberattacks, and outages or downtime could prevent the company from accessing its own data.

Securing Your Keys in the Cloud

Clearly, allowing your cloud service provider to manage your keys is not a viable solution, so what is? With so many questions about the best way to manage encryption keys, one clear solution is beginning to emerge: A cloud-based, hardened third-party key management provider that gives you complete control over the storage of your keys, as well as the ability to rotate and manage multiple keys for different devices and platforms.

A cloud-based system is vital because it allows for access across platforms and scalability as the business’ needs change. It also provides auditing and access protections to prevent unauthorized access to encrypted data.
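One common way to get this separation and rotation is envelope encryption: each record is encrypted with its own data key, and only a wrapped copy of that key is stored beside the data. The sketch below is an added example, not code from the article or from any vendor; `KeyService`, `encryptRecord` and `decryptRecord` are hypothetical names, and the in-memory class stands in for a separately hosted key manager.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers: output is nonce (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function open(key, sealed) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  // final() throws if the key is wrong or the data was altered.
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Stand-in for the external key manager (hypothetical class, not a vendor API).
// Master keys never leave it; the array index is the master key version.
class KeyService {
  constructor() { this.masters = [crypto.randomBytes(32)]; }
  rotate() { this.masters.push(crypto.randomBytes(32)); }
  wrap(dataKey) {
    const version = this.masters.length - 1;
    return { version, blob: seal(this.masters[version], dataKey) };
  }
  unwrap({ version, blob }) { return open(this.masters[version], blob); }
  rewrap(wrapped) { return this.wrap(this.unwrap(wrapped)); }
}

// Data server side: stores ciphertext plus the wrapped key, never a usable key.
function encryptRecord(kms, plaintext) {
  const dataKey = crypto.randomBytes(32);
  return { wrappedKey: kms.wrap(dataKey), ciphertext: seal(dataKey, plaintext) };
}
function decryptRecord(kms, record) {
  return open(kms.unwrap(record.wrappedKey), record.ciphertext).toString();
}

const kms = new KeyService();
const record = encryptRecord(kms, 'constructed sample record');
kms.rotate();                                      // new master key version
record.wrappedKey = kms.rewrap(record.wrappedKey); // the data is not re-encrypted
console.log(record.wrappedKey.version, decryptRecord(kms, record));
```

Rotation here touches only the small wrapped key, and a copy of the stored record is unreadable without a call to the key service, which is also the natural place to enforce access checks and write audit entries.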

Encryption has become a vital part of any comprehensive IT security strategy. By managing the keys so that hackers and data thieves are kept out while legitimate users can still access data securely from wherever they happen to be, you have a better chance of staying in compliance and avoiding a data breach.
