Where Are the Keys? Managing Encryption In the Cloud

Data security has become synonymous with cloud security. Now that more than 90% of companies have adopted cloud services, and (according to some projections) more than half of all IT workloads are being handled in the cloud, protecting data requires a "cloud first" mentality. The need to exploit cloud capabilities while keeping data safe has security professionals, industry analysts, and even cloud providers trying to answer the same question:

How should data be encrypted in the cloud, and who should hold the keys?

Encryption in the cloud

Most cloud service providers offer some form of encryption for their customers' data. Protecting data in transit is fairly simple—information is almost always encrypted as it travels (between datacenters, or between servers and user devices) using TLS or other reliable methods.

Protection becomes more complicated for data at rest or in use on a cloud server. Cloud providers can encrypt data on their servers, but in order to facilitate indexing, online viewing, online collaboration, or other services, the cloud providers need to maintain control over the keys used to encrypt and decrypt the data.

cloud file

When cloud providers hold the encryption keys, data is at risk from an additional set of threats. Not only do companies need to worry about malicious insiders and outsiders who target their own systems, they also need to be concerned about attacks on their cloud providers. And since they can't directly control how their cloud providers protect their data (or the keys), many organizations are unwilling to accept cloud-based encryption for their most sensitive data.

The data sovereignty question

Cloud services have further complicated the complex issue of data sovereignty—the question of which country's laws apply to the data stored or processed by an organization. A cloud service provider based in one country, operating datacenters in other countries, and collecting data on residents of still other countries, may find itself subject to multiple overlapping (or contradictory) data protection regulations.

Along with the obvious compliance challenges, data sovereignty poses a big security risk: government seizure of sensitive data. Even if an organization feels confident that its own government won't try to steal its data, it has to worry about every other government that potentially has jurisdiction over its cloud providers. This is where access to encryption keys becomes all-important.

If a foreign government compels a cloud provider to hand over a company's sensitive data, and the cloud provider also has the keys used to encrypt the data, it can be forced to hand over those as well. That gives the foreign government complete access to the company's intellectual property, customer records, or any other data it was storing in the cloud. But if the cloud provider doesn't have the keys, all the foreign government will get is a jumble of encrypted data that it can't hope to access.

When to hold your own keys

Companies using cloud services generally have three options for encryption and key management:

  • Cloud-based encryption: The cloud provider generates, manages, and stores the keys used to encrypt and decrypt data.
  • Bring Your Own Key (BYOK): The customer generates and manages encryption keys, but the cloud provider has access to the keys and can use them to encrypt and decrypt data.
  • Hold Your Own Key (HYOK): The customer generates, manages, and stores encryption keys in its own environment. The cloud provider does not have access to the keys and is blind to the contents of encrypted files.

Some organizations' security policies will dictate that they take the HYOK approach to all sensitive data. For these companies, the cloud is simply a storage location. Sensitive data resides on cloud servers, but is only decrypted and used inside the company network, or by external partners under controlled circumstances.

Most organizations, however, need to take advantage of additional cloud capabilities (such as online collaboration, online search, and cloud DLP scanning) for at least some of their sensitive data. In these cases, HYOK encryption can be implemented side-by-side with cloud security. Data that an organization considers appropriate for cloud-based use can be encrypted with keys that the cloud provider holds, enabling the full range of cloud services. Data that requires maximum protection can be encrypted with company-held keys, rendering it unreadable by the cloud provider.

PKWARE's automated data security technology provides an ideal solution for HYOK encryption. PKWARE can detect data that requires HYOK protection as soon as it appears on a server or user device, and encrypt the data with a company-controlled key before it travels to the cloud. To learn more about PKWARE's encryption capabilities, explore our industry-leading key management technology, or schedule a consultation with a data security expert today.