Cloud Encryption: Bring Your Own Key Is No Longer Enough
‘Trust’ can be both a terrific enabler and a severe inhibitor in cloud services adoption. Keen to benefit from the cloud’s promise of flexible and scalable on-demand computing, businesses everywhere continue to migrate increasing volumes of critical data off-site and into the hands of third party cloud service providers. Each time this happens, however, they must answer the same question: what guarantees do I need before I can trust this provider to protect my data?
Who holds the power to access a firm’s private data in the cloud is a big and thorny issue. Hosting services operate, by definition, across borders whereas the regulations that grant nation states and other third parties power-of-access, do not. Governing authorities around the world therefore vary in their ability to compel cloud service providers to sacrifice customer privacy and comply with their access demands.
As a result, encryption now has a major role to play in the security process. Companies that trade in confidentiality, banks for example, commonly use encryption as a defense against third party intervention from nation states and cybercriminals alike. When rolled into their cloud provider’s managed service contract, however, encryption actually does relatively little to reassure: if the provider can already be strong-armed into granting access, surely they can also be compelled to relinquish their encryption keys, making life pretty awkward for everyone involved. Nonetheless, a study from Ponemon Institute & Thales, revealed that 37% companies worldwide still rely on their cloud providers to generate and manage both the keys and the encryption process.
‘Bring Your Own Key’ (BYOK), where the end-user independently generates, backs up and submits its own encryption keys, neatly addresses this concern. If the service provider doesn’t have access to the key in the first place, it can’t be compelled to hand it over, meaning that the user’s data will remain encrypted no matter who tries to access it. Sadly, BYOK creates another set of problems. Assuming sole control over an encryption key, however, is a hefty responsibility. Loss or error could prevent a business from decrypting its own data, resulting in paralysis. Theft of the encryption key puts the entire security operation in jeopardy, meaning that the user’s back up process must itself be subject to high-security measures. What’s more, if the key is lost or stolen, help is very hard to come by. The service provider, having already been relieved of their key liability, is powerless to assist. In many ways BYOK replicates the problems associated with more traditional usernames and passwords. Key ubiquity, like password ubiquity, replaces one security headache with another: should there be a key to all the keys? How is that key secured? And so on.
BYOK poses operational challenges, too. Once the user’s key has been created and submitted to the service provider it can’t be retrieved, or at least not easily. Security best practice also dictates that each individual cloud service should have its own unique key. Where vast stores of data are concerned, risk mitigation policies encourage firms use a variety of keys and to spread their data between several providers, each of which will have its own unique blend of encryption engines, protocols and messaging formats. This situation is worsening too: Forrester predicts that the practice of blending multiple cloud models will increase in 2017 and calls on companies to take specific steps to secure their whole environment.
When combined, these factors add up to a complex and multi-faceted BYOK challenge, of which nothing less than bullet-proof management is acceptable.
Fortunately, demand for what could now be called ‘Manage Your Own Keys’ (MYOK™) can be well supported by specialist software, purpose-designed to put users back in the driving seat. These platforms enabling users to control and manage the entire lifecycle of their own, unique portfolio of keys; generating, storing, deploying, retrieving, backing-up, restoring, revoking and updating as they go.
Such systems also arm users with the capability to expand their use of encryption. Today’s large enterprises invariably use a host of different cloud models – public, private and hybrid amalgamations of the two. MYOK™ systems enable users to address them all with cryptography, creating and managing keys regardless of their required shape, form and destination. This is democratizing what has, until now, been regarded as a complex and highly technical security process.
This is just the beginning. The number and variety of uses for encryption keys is exploding. Having begun life in network management and financial services, encryption and other cryptographic functions are fanning out rapidly, to secure data created by smart devices, connected cars, intelligent building systems and all manner of other connected consumables that together comprise the Internet of Things.
There is little doubting the level of enthusiasm for cloud-based data storage and transmission services. The big problem has been that major stakeholders have had a hard time balancing their need to guarantee security, control and confidentiality with the huge gains that the cloud can deliver in terms of flexibility, scalability and operational agility. Key management platforms enable this balance to be struck, reducing time to market for those delivering cloud-dependent products and services while, at the same time, ensuring they remain the sole proprietors of their data, regardless of where it is kept or how it is transmitted.
If the encryption industry is to avoid replicating the mistakes of the username and password model, it must promote an approach that has secure key management at the center. Only then can the full promise of the cloud be realized, finally unburdened by issues of trust.
NB: MYOK™ is a registered trademark of Cryptomathic Inc.