Cloud Key Management



Cloud-Based Encryption Key Management


> Cloud security requires cloud-based key management

> Take control of your encryption keys and cloud security

> Encrypt data in the cloud while retaining full control over encryption keys to meet corporate and regulatory compliance requirements



More and more organisations are asking to encrypt their data in business-critical SaaS (software as a service / cloud) applications such as VMware or AWS Marketplace, Salesforce, ServiceNow, and Microsoft Office 365 with customer-managed keys.



The Challenge

If you are like most people, you lock the front door and take your keys with you. After all, the point of locking the door is to keep unwanted intruders out of your home and to protect your valuable belongings.


In the cloud-security world, the act of encrypting data, whether it is in storage, in an application, or in transit, is a lot like locking the door to your home. By turning your plain text data into ciphertext that can only be opened with a specific key, you keep that sensitive data safe from unauthorised users who could otherwise turn around and use it for nefarious purposes.


The problem, though, is that many organisations do the equivalent of leaving the key in the front door by storing the encryption keys, in plain sight, on the same servers as the data. Usually these keys sit in a Microsoft Excel spreadsheet or in a configuration file, meaning that attackers know exactly what to look for and can often steal your data before you even realise that they have gained access to it.


The shift to the cloud has only served to further complicate the issue of encryption and encryption keys. With so many companies relying on vendors to provide cloud security, there are often questions about what is being done to ensure data protection and who is responsible for encryption keys.


Allowing cloud service providers to manage encryption keys is very unpopular for several reasons:

  • Allowing a third party to have access to certain types of data (HIPAA, PCI DSS, etc.) is a violation of many laws and compliance regulations, even if that data is encrypted.
  • Standards including Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI DSS), Gramm–Leach–Bliley Act, and European Union (EU) Data Protection Directive all require that organisations protect their data at rest and provide defences against threats.
  • Recent data breaches involving large cloud-service providers have companies worried about the security of their data and the encryption keys.
  • Vendors storing encryption keys and data outside of the UK raises concerns about data protection and privacy, most notably whether the data is fully protected when outside of the country.
  • When a vendor encrypts data and holds the key, they may be able to supply that data to the government to comply with a court order, even without the company’s knowledge.
  • Disputes, cyber attacks, and outages or downtime could prevent the company from accessing its own data.


Solution

A cloud-based, hardened third-party key management provider that gives you complete control over the storage of your keys, as well as the ability to rotate and manage multiple keys for different devices and platforms, covering:
  • Full disk encryption
  • Database encryption
  • File system encryption
  • Distributed storage encryption
  • and even row or column encryption.


Hourly or annual subscription-based offerings are better suited for operating expenditure (op-ex) models, versus capital expenditure models (standard hardware purchases) that require upfront payment.

Bring Your Own License (BYOL) for AWS Marketplace enables the purchase of Connector licenses.



Key Management

Key management for encryption and authentication in the 'cloud' is modelled after a bank lockbox system, in which both parties hold part of the key.

The encryption and authentication keys are shared between the customer and the cloud provider, each holding one part. Consequently, neither party has full, unencrypted access to any data in the cloud on its own.
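The lockbox model described above, as an added illustration that is not the product's own code: the data key is split into a customer share and a cloud share by XOR secret sharing, so each share on its own is uniformly random and reveals nothing, and only the combination of both parts yields the working encryption and authentication keys. The keystream cipher and the sample record are constructed for the demonstration (standard library only); a real deployment would use a vetted AEAD cipher and an HSM or key-management service.

```python
"""Two-party ("bank lockbox") key splitting demonstration.

Stdlib-only teaching code: the HMAC-based keystream is a demonstration
construct, not a production cipher.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32    # bytes of data key
NONCE_LEN = 16  # bytes of per-message nonce
TAG_LEN = 32    # bytes of HMAC-SHA256 authentication tag


def split_key(data_key: bytes):
    """Split a data key into (customer_share, cloud_share) by XOR.

    The customer share is fresh random bytes; the cloud share is the data
    key XORed with it.  Either share alone is indistinguishable from random.
    """
    customer_share = secrets.token_bytes(len(data_key))
    cloud_share = bytes(a ^ b for a, b in zip(data_key, customer_share))
    return customer_share, cloud_share


def combine_key(customer_share: bytes, cloud_share: bytes) -> bytes:
    """Reconstruct the data key; requires both parties' shares."""
    if len(customer_share) != len(cloud_share):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(customer_share, cloud_share))


def _subkeys(data_key: bytes):
    """Derive separate encryption and authentication keys from the data key."""
    enc_key = hmac.new(data_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(data_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demonstration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(data_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(data_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(data_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; wrong key or tampering raises."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(data_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    """Walk through the lockbox flow; returns (both_parties_ok, cloud_alone_ok)."""
    record = b"customer record: account 0000-0000 (constructed sample)"
    data_key = secrets.token_bytes(KEY_LEN)
    customer_share, cloud_share = split_key(data_key)
    blob = encrypt(data_key, record)
    del data_key  # the whole key is never kept; only the shares persist

    # Both parties present: combine the shares and decrypt.
    both_ok = decrypt(combine_key(customer_share, cloud_share), blob) == record

    # Cloud share alone: using it as the key fails authentication.
    try:
        decrypt(cloud_share, blob)
        cloud_alone_ok = True
    except ValueError:
        cloud_alone_ok = False
    return both_ok, cloud_alone_ok


if __name__ == "__main__":
    print(demo())
```

The point of the split is in `demo()`: the reconstructed key exists only transiently at decryption time, and a party holding one share (here the cloud share) cannot authenticate or decrypt the record. Rotation in this model means generating a new data key, re-splitting it, and distributing new shares to both parties.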




Deployment Options

Deployable either as a hardware appliance or as a virtual security appliance (a hardened virtual server).

Hosted anywhere: on a virtual machine platform such as VMware, or rented from a service such as AWS Marketplace.