Until recently, trusting a third party with sensitive data was unthinkable. As the most prized asset, sensitive data resided in controlled on-premises enterprise data centers protected by both physical and logical security controls. However, the need to share data in a hyperconnected world ushered in rapid digital and cloud transformation, and IT teams had to work diligently to keep up. Looking back, the pace of that transformation pales in comparison with the speed of change during the sudden shift to a distributed workforce caused by COVID-19.
Organizations are accelerating the migration of workloads and data to the public cloud so that employees can work from anywhere. Because remote work widens the opportunities for data breaches and other security failures, the best practices of the past are no longer adequate. The cloud providers' native encryption and key management services offer a reasonable baseline, but highly regulated industries such as finance, banking, insurance and health care need higher levels of assurance for risk management and compliance. Organizations now have the opportunity to get security right and give themselves the best chance of a successful recovery.
According to a newly published white paper, Best Practices for Cloud Data Protection and Key Management, companies can take three steps right now that significantly reduce the risk to sensitive data in the public cloud:
1. Separate the duties of the storage provider and the key holder: Cloud storage providers encrypt data in transit and at rest. However, because the provider also holds the keys for the stored data, it can decrypt everything that resides on its servers, and so can anyone who compromises its key store. For the enterprise that owns the data this provides little comfort, because trust is placed entirely in the storage provider.
It is essential that the fundamental principles of separation of duties and least-privilege access are applied to data protection. This means separating the entities that process and store data from the entities that provide security services such as encryption and key management. In an ideal scenario, the data storage provider and the encryption and key management provider are separate entities.
2. Bring and hold your own keys: When Cloud Service Providers (CSPs) create, store and manage data encryption keys, they have access to all the sensitive data on their servers, and a breach at the CSP can expose the keys together with the data they protect. For stronger control, some CSPs allow customers to generate their own encryption keys and import them into the Key Management Service (KMS) managed by the CSP. In this Bring-Your-Own-Key (BYOK) approach the customer controls the entropy used for key generation and the policy for key rotation, which may help meet regulatory compliance requirements. Note, however, that once a key is imported it is stored and used by the CSP's KMS, so BYOK gives the customer control over key provenance and lifecycle without removing the provider's ability to use the key.
The Hold-Your-Own-Key (HYOK) approach offers the first real separation of duties between the CSP and the customer. The CSP still performs encryption and decryption of customer data but does not manage the keys: they are generated and managed by the customer, either directly or through an independent third party such as a key broker, so the CSP's access to key material is limited to what the customer's key service releases for each operation.
3. Encrypt the data before sending it to the cloud: The Bring-Your-Own-Encryption (BYOE) approach offers the strictest separation of duties and the strongest protection. Data is encrypted before it is sent to cloud storage, so neither the plaintext nor the keys are ever exposed to the CSP. The trade-off is that cloud-side features that need plaintext, such as server-side search, indexing or analytics, cannot operate on data protected this way.
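The three custody models above differ in who can ever see plaintext and key material. The following Go program is an added example, not code from the white paper or from any CSP, that implements the BYOE model end to end: a customer-held key-encryption key (KEK) that never leaves a hypothetical KeyManager, a fresh per-object data key, client-side AES-256-GCM encryption, and a CloudObject structure that is the only thing handed to the storage provider. The type and function names (KeyManager, CloudObject, EncryptForCloud, DecryptFromCloud, ProviderSees), the object identifier and the sample record are all constructed for this example. It also shows the two checks a practitioner wants: the stored object never contains the plaintext, and a different KEK, a wrapped key moved to another object, or an altered ciphertext is rejected rather than decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// CloudObject is everything the storage provider receives for one object: ciphertext,
// nonces and the per-object data key wrapped under the customer's KEK. No plaintext
// and no unwrapped key ever appears in it.
type CloudObject struct {
	Ciphertext, Nonce, WrappedDataKey, WrapNonce []byte
}

// KeyManager stands in for the customer-controlled key service (on-premises HSM or
// independent key broker). Hypothetical type, not any CSP's API: the KEK is private
// to it and callers get only wrap and unwrap operations.
type KeyManager struct{ kek []byte }

// NewKeyManager generates a random 256-bit KEK that stays with the customer.
func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM under a fresh random nonce, binding aad.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen decrypts and authenticates; any change to ct, nonce or aad is an error.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// WrapDataKey encrypts a data key under the KEK with the object ID bound as AAD, so a
// wrapped key cannot be replayed against another object. AES-GCM stands in for a real
// key wrap (AES Key Wrap or an HSM operation) in this example.
func (k *KeyManager) WrapDataKey(dataKey, objectID []byte) (nonce, wrapped []byte, err error) {
	return gcmSeal(k.kek, dataKey, objectID)
}

// UnwrapDataKey recovers a data key; it fails for a different KEK or a tampered blob.
func (k *KeyManager) UnwrapDataKey(nonce, wrapped, objectID []byte) ([]byte, error) {
	return gcmOpen(k.kek, nonce, wrapped, objectID)
}

// EncryptForCloud implements BYOE: a fresh data key encrypts the object on the client,
// the KEK wraps that data key, and only ciphertext plus wrapped key leave the client.
func EncryptForCloud(km *KeyManager, objectID, plaintext []byte) (*CloudObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := gcmSeal(dataKey, plaintext, objectID)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := km.WrapDataKey(dataKey, objectID)
	if err != nil {
		return nil, err
	}
	return &CloudObject{Ciphertext: ct, Nonce: nonce, WrappedDataKey: wrapped, WrapNonce: wrapNonce}, nil
}

// DecryptFromCloud unwraps the data key with the customer's KEK and decrypts the object.
// Modification by the provider or in transit is reported, never silently accepted.
func DecryptFromCloud(km *KeyManager, objectID []byte, obj *CloudObject) ([]byte, error) {
	dataKey, err := km.UnwrapDataKey(obj.WrapNonce, obj.WrappedDataKey, objectID)
	if err != nil {
		return nil, err // wrong KEK, wrong object, or tampered wrapped key
	}
	return gcmOpen(dataKey, obj.Nonce, obj.Ciphertext, objectID) // fails if anything was altered
}

// ProviderSees reports whether the plaintext appears anywhere in what the provider
// stores, i.e. whether the separation of duties actually held for this object.
func ProviderSees(obj *CloudObject, plaintext []byte) bool {
	stored := bytes.Join([][]byte{obj.Ciphertext, obj.Nonce, obj.WrappedDataKey, obj.WrapNonce}, nil)
	return bytes.Contains(stored, plaintext)
}
```

In this design the provider's store holds only CloudObject values, so a breach at the provider, or a provider insider, yields ciphertext and wrapped keys that are useless without the KEK held by the customer's KeyManager. Binding the object ID as associated data on both the data key wrap and the object itself means that a wrapped key or ciphertext copied from one object to another fails authentication instead of decrypting. The BYOK and HYOK models from step 2 differ from this code only in where KeyManager lives: inside the CSP's KMS (BYOK) or with the customer but called by the CSP at operation time (HYOK).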
CSPs differ in how far they support separation of duties for encryption and key management, but all of them describe security as a shared responsibility and offer some form of it. Use the steps described above to choose the level of separation your sensitive data in the cloud requires.