When running workloads with sensitive and regulated data in the cloud, organisations are seeking greater options to enable them to protect and control that data themselves. Faiyaz Shahpurwala, Chief Product Officer at Fortanix, tells us how, by taking control of their encryption keys, organisations will be able to complete their Digital Transformation journeys and start applying the benefits of the cloud to their most sensitive and essential assets.
Cloud technology has redefined the business world in recent years, with IDC finding that 90% of organisations now have at least some of their applications or infrastructure hosted in the cloud and the remainder expected to catch up by 2021.
The increased flexibility, agility and cost savings offered by moving to the cloud mean there are few reasons for organisations to hold back. One of the last barriers to public cloud adoption is concern around security and data protection. While most firms now have at least some of their operations based in the cloud, many are still reluctant when it comes to their most sensitive data and mission-critical assets.
Why are public clouds a security concern?
Working with a third-party cloud provider necessitates a certain loss of control and a large degree of trust. If a cloud host is not properly configured and secured, it will leave the data of its customers vulnerable to being breached by threat actors. Data security regulations such as GDPR also make it clear that an organisation is still responsible for any data breach involving a third party, so firms must ensure they carry out due diligence on their chosen cloud providers.
One of the most important elements of good cloud security is the proper use of encryption. When it comes to data security compliance, GDPR, as well as others such as the upcoming California Consumer Protection Act (CCPA), maintain that firms that suffer a data breach will not be subject to penalties, but only if the information involved has been encrypted.
However, encryption is only an effective defence if the cryptographic keys that govern access are well defended. Encryption keys are usually held in the cloud as well, and if threat actors are able to get their hands on them, they will have free rein to access all of the information on the cloud server.
From a compliance perspective, PCI DSS, the global credit card security standard, states that encryption keys cannot be held in the cloud, which means any firm that deals with payment details cannot store this data on a public cloud and remain compliant.
Aside from the threat posed by an external intruder, cryptographic keys held on a cloud server are also potentially vulnerable to malicious insiders or other third parties. Because the organisation has no control over the keys, it will also be unable to prevent the provider from giving them up in circumstances such as legal action.
Taking back control of cloud security
The security, privacy and compliance concerns around storing sensitive data in the cloud can all be overcome by organisations taking control of their encryption keys and keeping them outside of the cloud. By using a bring your own key (BYOK) approach, organisations will be able to store their keys in their own preferred data centre.
Taking this approach will greatly reduce the risk of encryption keys being accessed by cyberattackers or malicious insiders, as well as restoring control when it comes to access requests from other third parties or legal demands. Even if the cloud provider suffers a catastrophic data breach, the data will remain safely encrypted if the keys are secured in a separate data centre.
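As an added illustration of the envelope-encryption pattern behind BYOK (example code, not from the article or from Fortanix), the following Go program keeps a key-encryption key (KEK) inside a hypothetical customer-run KeyHolder and wraps a per-object data key under it, so the record the cloud provider stores, ciphertext plus wrapped data key, yields nothing without the KEK. KeyHolder, CloudRecord and all function names are assumptions for the example; a real deployment would back KeyHolder with an HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes draws key or nonce material from the OS CSPRNG.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback when the CSPRNG fails
	}
	return b
}
// gcm builds AES-256-GCM; keys here are always 32 bytes, so setup cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// seal returns nonce||ciphertext||tag; open reverses it and rejects a wrong key or tampered blob.
func seal(key, pt []byte) []byte {
	nonce := randBytes(12) // standard GCM nonce size
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}
// KeyHolder stands in for the customer-run key store (hypothetical; an HSM or KMS in practice). The KEK never leaves it.
type KeyHolder struct{ kek []byte }
func NewKeyHolder() *KeyHolder { return &KeyHolder{kek: randBytes(32)} }
// CloudRecord is everything the provider stores: ciphertext plus the data key (DEK) wrapped under the KEK.
type CloudRecord struct{ Ciphertext, WrappedDEK []byte }
// Encrypt is envelope encryption: a fresh DEK encrypts the data, the customer's KEK wraps the DEK.
func Encrypt(kh *KeyHolder, pt []byte) CloudRecord {
	dek := randBytes(32)
	return CloudRecord{Ciphertext: seal(dek, pt), WrappedDEK: seal(kh.kek, dek)}
}
// Decrypt unwraps the DEK with the KEK first, then opens the data with the DEK.
func Decrypt(kh *KeyHolder, rec CloudRecord) ([]byte, error) {
	dek, err := open(kh.kek, rec.WrappedDEK) // fails without the right KEK
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext)
}
```

A breach of the CloudRecord alone leaves an attacker holding only ciphertext and a wrapped DEK; the GCM tag check also rejects a modified record, so tampering at the provider is detected rather than silently decrypted.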
The additional security assurance created by taking direct ownership of their cloud encryption keys means that organisations can gain the confidence to start using their cloud infrastructure to host sensitive data and mission-critical assets. For the first time, firms will also be able to begin storing credit card data in the cloud without falling foul of PCI DSS.
Managing encryption keys effectively
Taking control of its cloud encryption keys is only a beneficial strategy if the enterprise itself can secure them properly. Firms should take their time when selecting a colocation data centre to hold their keys and ensure their chosen provider has advanced security measures in place.
In addition, organisations need to implement an effective encryption key management system for securely generating, storing and using cryptographic keys and certificates. This is particularly important when it comes to managing multi-cloud environments, which have increasingly become the cloud strategy of choice. Recent research from Gartner found that 81% of public cloud users are working with two or more providers.
Businesses will be dealing with different sites across multiple geographies, as well as potentially different cryptographic processes including encryption, tokenisation and shared secrets. Alongside this, many firms rely on a hybrid approach that combines on-premises and cloud-based infrastructure.
An effective management tool will make it easier to cut through the complexity created by these environments and establish a consistent approach that ensures there are no oversight or connectivity issues around the use of encryption keys.
Ideally, organisations should be seeking a key management system that uses a cloud-native approach and is designed to be developer-friendly. In particular, it is important to have an accessible API for cloud and DevOps teams to work with.
While the cloud has become a ubiquitous part of the business world and particularly of Digital Transformation, you could argue that we're still very much at the beginning of the journey. Just five years ago, most firms were still only doing minor, low-risk testing and development on the public cloud. Only now are we at last getting to the point where more critical assets and infrastructure are being migrated over.
By taking control of their encryption keys into their own hands, organisations will be able to complete their Digital Transformation journeys and start applying the benefits of the cloud to their most sensitive and essential assets as well.