Page 100 - October 2022 Issue 611 Part 1

The challenge of shared responsibility in the cloud – Whose keys are they, anyway?

by Sebastien Pavie, Regional Director for Data Protection at Thales

Key management – the processing, management and storage of the keys that determine who can decrypt and access protected information – is an often-overlooked yet critical element of encryption. Many organisations have left that part to their vendors, or have stored keys inconsistently across their IT infrastructure in both hardware and software. This lack of centralised control can jeopardise the integrity of encryption. In fact, the management of the keys is more important than the encryption itself, because if something happens to the keys, entire sets of data can be stolen or lost, and there’s nothing you can do about it.

The fact that major cloud heavyweights are diving into this technology is a sign that key management is being taken more seriously. And rightly so. The ability to demonstrate control of data is critical to meeting compliance mandates. But how do you really own your data if you do not have total control and ownership of the keys?

With every passing day, an increasing number of organisations are migrating their sensitive data and business applications to the cloud for operational flexibility, cost efficiency and quick scalability. To avoid lock-in to a single cloud service provider (CSP), such as Microsoft Azure, AWS, Oracle Cloud or IBM Cloud, many organisations are opting to work with multiple CSPs in a multi-cloud environment.

As an increasing amount of critical data gets stored in the cloud, the prospect of cyber-attacks and data breaches rises exponentially. While most CSPs offer native data protection features, the “Shared Responsibility Model” dictates that the ultimate onus of safeguarding business and customers’ sensitive data rests with the organisation. There is a shared responsibility to secure data in the cloud, but there is no shared liability: the impact of a security incident that jeopardises sensitive data remains with the company, and it is the company’s responsibility to ensure compliance with the relevant privacy regulations such as the GDPR, the Schrems II ruling, PCI-DSS, HIPAA or CCPA.

While organisations are increasingly investing in perimeter security mechanisms, they fail to invest adequately in encryption technologies, which act as the critical line of defence in the event of a cyber-attack. This is evident from the ever-increasing number of sophisticated cyber-attacks that result in data breaches costing organisations billions in losses. To minimise the impact of potential security incidents and to optimise the protection of sensitive data, security and privacy regulations like GDPR, PCI-DSS, HIPAA or CCPA mandate the adoption of encryption.

However, merely encrypting sensitive data in the cloud is not sufficient. The Cloud Security Alliance recommends, as an industry best practice for storing information in the cloud, putting the customer in control of both the key management and the encryption process. Effectively managing the key lifecycle and being crypto-agile is paramount for establishing trust in the confidentiality, integrity and availability of your data. To that extent, the EU Cybersecurity Agency (ENISA) points out that client-side encryption is the only way to provide the customer with true control over their data while mitigating the risk of unauthorised access by third parties. NIST SP 800-144 adds that organisations should be “in control of the central keying material and configure the key management components for cloud-based applications.”

Barriers to multi-cloud data protection

When it comes to cloud security and efficient key management, there are a number of major pain points organisations face today that prevent them from taking full advantage of the potential offered by cloud platforms.

1. Lack of visibility into security and encryption practices. With CSPs providing limited visibility into, and access to, their encryption practices and schemes, organisations’ risk management teams are reluctant to allow the storage of sensitive and mission-critical data in the cloud because of the high impact of a data breach.

2. Meeting compliance requirements. Security and privacy regulations mandate the use of state-of-the-art practices for securing the confidentiality and integrity of personal and sensitive data, which requires agility and strong control over key management. Lack of such controls entails big regulatory penalties.

3. Managing encryption keys across multiple cloud environments. Organisations are embracing multi-cloud strategies to avoid vendor lock-in. The use of cloud-native encryption and key management solutions, each tied to its own provider, is a barrier to multi-cloud adoption.

4. Custodianship of encryption keys. When organisations elect to use cloud-native encryption services, the corresponding keys are managed by the providers. Not having direct control of the keys presents potential risks and vulnerabilities in the case of a security or cryptographic incident.

5. Managing, monitoring and deploying multiple cloud-native security tools. Since cloud-native key management services offer limited ability to automate the lifecycle of encryption keys, especially across multiple subscriptions, organisations are forced to implement labour-intensive, error-prone manual key management processes to meet their security requirements.

The right approach to cloud data protection

Lack of proper security and key management practices in a multi-cloud environment will only increase the organisation’s attack surface, with cybercriminals eager to take advantage of it as they get smarter and more sophisticated. Luckily, there are many industry best practices, such as Bring Your Own Key (BYOK), Bring Your Own Encryption (BYOE) and centralised, automated key lifecycle management, that can optimise data protection in the cloud.

With cloud providers being responsible for the security “of” the cloud, and organisations having responsibility for the security of their data “in” the cloud, every CISO should ask the five pertinent questions below:

1. How do I maintain strong security controls over my cloud assets?
2. Post-migration, what key management controls do I need?
3. How do I manage my personal and sensitive data risks?
4. How do I manage my audits?
5. How do I meet regulatory compliance?

Cloud security is important for your business prosperity. Thales’s multi-cloud security solutions offer a cohesive answer to each of these questions.
