Digital transformation is driving a growing trend of cloud adoption and multi-cloud strategy among organizations. With workloads moving to the cloud, data security and privacy have become major focus areas for organizations today.
Leading cloud providers describe on their websites the shared responsibility model for their users/customers, under which data security is the responsibility of the cloud customer and not the cloud service provider. Whether you are going for IaaS, PaaS or SaaS, the data and the security of that data remain the customer's responsibility.
Also, if you want to encrypt data in the cloud, these CSPs (Cloud Service Providers) natively support key management, but the issue is that you don't own the keys to the data. The owner of the keys is the cloud provider. That means the CSP can look into your encrypted data, which is not good, and no organization will want that.
Besides the above key-ownership issue, there are other "functional" problems with using Cloud Service Provider (CSP) key management, as listed below:
Encryption Key Visibility: CSP portals provide limited visibility into key management and into key access by the customer's own users and by the CSP's privileged users.
Data Loss Risk: Insufficient authorization control or DR services to ensure keys are not accidentally or intentionally deleted.
Also, when a request to delete a cloud resource is made, this may not result in true wiping of the data, either because extra copies of the data are stored but are not visible to the customer, or because the disk to be destroyed also holds data from other clients.
Attaining Compliance: Internal and external regulations require that encryption keys be under the control of the cloud user rather than the CSP.
Key Lifecycle Management: Native CSP key management services have limited ability to automate the lifecycle of keys, especially across multiple subscriptions.
Considerable manual intervention remains, which is prone to human error and complications.
One of the major regulatory guidelines and security best practices calls for "decoupling of the encryption keys from data sets". This means that encryption keys should always be segregated from the data and managed separately from application owners in a certified key management solution (FIPS 140-2 Level 3 or above).
The above points are the major reasons for organizations to consider a new approach, with new controls implemented while embarking on this cloud journey.
These new controls are:
Bring Your Own Encryption (BYOE) – This gives you total control over securing your data in the cloud (for IaaS and PaaS scenarios).
Here you don't use the native encryption provided by the CSP but bring your own protection measures.
Bring Your Own Key (BYOK) – All leading CSPs offer data-at-rest encryption and key management, but data protection mandates require that the keys be stored and managed by the customers/users.
The CSPs (cloud service providers) fulfil this requirement by enabling customer key control. This allows for creation, ownership, separation and control, including revocation, of encryption keys. This approach is called Bring Your Own Key (BYOK).
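The following is an added illustration of the key-separation idea behind BYOK (it is example code written for this page, not Thales or any CSP's product code). It models envelope encryption: a data-encryption key (DEK) encrypts the record, and that DEK is wrapped under a key-encryption key (KEK) that only a customer-controlled key store ever holds in the clear. The cloud side stores just the ciphertext and the wrapped DEK. The `CustomerKeyStore` type is a hypothetical in-memory stand-in for an HSM or external key manager; the key IDs and sample record are constructed for the example. Revoking the KEK makes every record wrapped under it unrecoverable, which is the "true wiping" problem above solved cryptographically rather than by trusting disk deletion.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord is everything the cloud provider gets to store: the data
// ciphertext and the DEK wrapped under a KEK the provider never sees.
type EnvelopeRecord struct {
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prefixed
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prefixed
}

// CustomerKeyStore is a hypothetical stand-in for a customer-controlled
// key manager (HSM / external KMS). KEKs never leave this type.
type CustomerKeyStore struct {
	keks map[string][]byte
}

func NewCustomerKeyStore() *CustomerKeyStore {
	return &CustomerKeyStore{keks: map[string][]byte{}}
}

// CreateKEK generates a fresh 256-bit key-encryption key under the given ID.
func (s *CustomerKeyStore) CreateKEK(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.keks[id] = k
	return nil
}

// Revoke deletes the KEK. Every DEK wrapped under it, and therefore every
// record encrypted with those DEKs, becomes unrecoverable (crypto-shredding).
func (s *CustomerKeyStore) Revoke(id string) { delete(s.keks, id) }

// wrap / unwrap are the only operations that touch a KEK in the clear.
func (s *CustomerKeyStore) wrap(id string, dek []byte) ([]byte, error) {
	kek, ok := s.keks[id]
	if !ok {
		return nil, errors.New("KEK not found or revoked: " + id)
	}
	return gcmSeal(kek, dek)
}

func (s *CustomerKeyStore) unwrap(id string, wrapped []byte) ([]byte, error) {
	kek, ok := s.keks[id]
	if !ok {
		return nil, errors.New("KEK not found or revoked: " + id)
	}
	return gcmOpen(kek, wrapped)
}

// gcmSeal encrypts with AES-GCM and prefixes the random nonce to the output.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// gcmOpen reverses gcmSeal; a wrong key or tampered bytes fail authentication.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Encrypt runs on the customer side: fresh DEK per record, data sealed under
// the DEK, DEK wrapped under the customer's KEK. Only the envelope leaves.
func Encrypt(ks *CustomerKeyStore, kekID string, plaintext []byte) (EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EnvelopeRecord{}, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	wrapped, err := ks.wrap(kekID, dek)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return EnvelopeRecord{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the KEK to unwrap the DEK first; without it the ciphertext
// stored at the provider is opaque.
func Decrypt(ks *CustomerKeyStore, kekID string, rec EnvelopeRecord) ([]byte, error) {
	dek, err := ks.unwrap(kekID, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, rec.Ciphertext)
}

func main() {
	ks := NewCustomerKeyStore()
	_ = ks.CreateKEK("tenant-a-kek") // constructed key ID
	rec, _ := Encrypt(ks, "tenant-a-kek", []byte("constructed sample record"))
	_, err := Decrypt(NewCustomerKeyStore(), "tenant-a-kek", rec) // provider's view: no KEK
	fmt.Println("provider without KEK can decrypt:", err == nil)
	ks.Revoke("tenant-a-kek")
	_, err = Decrypt(ks, "tenant-a-kek", rec)
	fmt.Println("readable after KEK revocation:", err == nil)
}
```

The design point is that the wrapped DEK, not the KEK, travels with the data: the provider can replicate, snapshot or back up the envelope freely, and none of those copies becomes readable without a call into the customer's key store, which is where access logging and revocation decisions therefore live.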
Thales is a global leader in addressing data security concerns for data on-premises and in the cloud, and provides a single platform to discover, protect and control your sensitive data.
Trescon and Thales bring together a fireside chat session to discuss further, with eminent leaders from the industry, the above concern areas and the way forward for this new multi-cloud trend.