Encryption key management systems are now essential for
all companies needing to lockdown data in the cloud, says Matt Landrock,
Executive Vice President, Cryptomathic.
‘Trust’ can be both a terrific enabler and a severe
inhibitor in cloud services adoption. Keen to benefit from the cloud’s promise
of flexible and scalable on-demand computing, businesses everywhere continue to
migrate increasing volumes of critical data off-site and into the hands of
third party cloud service providers. Each time this happens, however, they must
answer the same question: what guarantees do I need before I can trust this
provider to protect my data?
Who holds the power to access a firm’s private data in the
cloud is a big and thorny issue. Hosting services operate, by definition,
across borders whereas the regulations that grant nation states and other third
parties power-of-access, do not. Governing authorities around the world
therefore vary in their ability to compel cloud service providers to sacrifice
customer privacy and comply with their access demands.
As a result, encryption now has a major role to play in the security
process. Companies that trade in confidentiality, banks for example, commonly
use encryption as a defense against third party intervention from nation states
and cybercriminals alike. When rolled into their cloud provider’s managed
service contract, however, encryption actually does relatively little to
reassure: if the provider can already be strong-armed into granting access,
surely they can also be compelled to relinquish their encryption keys, making
life pretty awkward for everyone involved. Nonetheless, a study from Ponemon
Institute & Thales[1], revealed
that 37% companies worldwide still rely on their cloud providers to generate
and manage both the keys and the encryption process.
‘Bring Your Own Key’ (BYOK), where the end-user
independently generates, backs up and submits its own encryption keys, neatly
addresses this concern. If the service provider doesn’t have access to the key
in the first place, it can’t be compelled to hand it over, meaning that the
user’s data will remain encrypted no matter who tries to access it. Sadly, BYOK
creates another set of problems. Assuming sole control over an encryption key,
however, is a hefty responsibility. Loss or error could prevent a business from
decrypting its own data, resulting in paralysis. Theft of the encryption key
puts the entire security operation in jeopardy, meaning that the user’s back up
process must itself be subject to high-security measures. What’s more, if the
key is lost or stolen, help is very hard to come by. The service provider,
having already been relieved of their key liability, is powerless to assist. In
many ways BYOK replicates the problems associated with more traditional
usernames and passwords. Key ubiquity, like password ubiquity, replaces one
security headache with another: should there be a key to all the keys?
How is that key secured? And so on.
BYOK poses operational challenges, too. Once the user’s key
has been created and submitted to the service provider it can’t be retrieved,
or at least not easily. Security best practice also dictates that each
individual cloud service should have its own unique key. Where vast stores of
data are concerned, risk mitigation policies encourage firms use a variety of
keys and to spread their data between several providers, each of which will
have its own unique blend of encryption engines, protocols and messaging
formats. This situation is worsening too: Forrester predicts that the practice
of blending multiple cloud models will increase in 2017 and calls on companies
to take specific steps to secure their whole environment.[2]
When combined, these factors add up to a complex and
multi-faceted BYOK challenge, of which nothing less than bullet-proof
management is acceptable.
Fortunately, demand for what could now be called ‘Manage
Your Own Keys’ (MYOK™) can be well supported by specialist software,
purpose-designed to put users back in the driving seat. These platforms
enabling users to control and manage the entire lifecycle of their own, unique
portfolio of keys; generating, storing, deploying, retrieving, backing-up,
restoring, revoking and updating as they go.
Such systems also arm users with the capability to expand
their use of encryption. Today’s large enterprises invariably use a host of
different cloud models – public, private and hybrid amalgamations of the two.
MYOK™ systems enable users to address them all with cryptography, creating and
managing keys regardless of their required shape, form and destination. This is
democratizing what has, until now, been regarded as a complex and highly
technical security process.
This is just the beginning. The number and variety of uses
for encryption keys is exploding. Having begun life in network management and
financial services, encryption and other cryptographic functions are fanning
out rapidly, to secure data created by smart devices, connected cars,
intelligent building systems and all manner of other connected consumables that
together comprise the Internet of Things.
There is little doubting the level of enthusiasm for
cloud-based data storage and transmission services. The big problem has been
that major stakeholders have had a hard time balancing their need to guarantee
security, control and confidentiality with the huge gains that the cloud can
deliver in terms of flexibility, scalability and operational agility. Key
management platforms enable this balance to be struck, reducing time to market
for those delivering cloud-dependent products and services while, at the same
time, ensuring they remain the sole proprietors of their data, regardless of
where it is kept or how it is transmitted.
If the encryption industry is to avoid replicating the
mistakes of the username and password model, it must promote an approach that
has secure key management at the center. Only then can the full promise of the
cloud be realized, finally unburdened by issues of trust.
No comments:
Post a Comment