Thales Blog

Cloud BYOK: Best Practice or Business Imperative?

June 2, 2020

Eric Wolff | Senior Product Marketing Manager

And, introducing CipherTrust Cloud Key Manager Support for IBM Cloud

Two of the main takeaways from the Shared Responsibility Model for cloud computing, as stated by Amazon Web Services (AWS) and Microsoft Azure, are:

  • Cloud consumers are responsible for data security; and,
  • The acknowledged best mechanism for securing data in the cloud is encryption.

Fortunately, most major IaaS and PaaS providers, plus a few SaaS providers, offer encryption for many “classes” of data at rest. Some providers simply encrypt everything at the storage level, while others require the cloud consumer to “turn on” encryption. As you probably know if you’re reading this blog post, data is encrypted using (a) a key and (b) an encryption algorithm.

Cloud providers make their native encryption offerings as simple as they can. For many providers, the cloud consumer can just turn on encryption and not bother with the keys. Meanwhile, cloud is still a “young” industry, and reliable sources regarding cloud security are few. But one I trust for cloud security best practices is the Cloud Security Alliance and their Cloud Controls Matrix, which states in section EKM-04:

Keys shall not be stored in the cloud (i.e., at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.

Here, the leading unbiased source for cloud security best practices is telling you to somehow manage your cloud provider encryption keys off the cloud.
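To make the separation EKM-04 calls for concrete, here is an added example in Go; it is written for this page and is not code from the Thales post or from any product. It models envelope encryption: a hypothetical consumer-controlled KeyManager holds the key-encryption key (KEK) and exposes only wrap and unwrap (key management), the data-plane code generates a fresh data-encryption key (DEK) per object and uses it (key usage), and the cloud provider only ever stores the envelope of ciphertext plus wrapped DEK. The names KeyManager, Envelope, WrapDEK, UnwrapDEK, Encrypt, Decrypt and Revoke are invented for the example, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager is a hypothetical consumer-controlled key manager: it holds the
// key-encryption key (KEK) and exposes only wrap/unwrap, so the KEK never leaves
// it. This is the "key management" duty that EKM-04 separates from "key usage".
type KeyManager struct{ kek []byte }

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32) // AES-256 KEK
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

// Revoke zeroises the KEK; every DEK wrapped under it, and so every object those
// DEKs protect, becomes unrecoverable. The consumer, not the provider, decides.
func (km *KeyManager) Revoke() {
	for i := range km.kek {
		km.kek[i] = 0
	}
	km.kek = nil
}

func (km *KeyManager) WrapDEK(dek []byte) ([]byte, error) { return seal(km.kek, dek, []byte("dek-wrap")) }
func (km *KeyManager) UnwrapDEK(w []byte) ([]byte, error)  { return open(km.kek, w, []byte("dek-wrap")) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails once the KEK has been revoked (nil key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; the GCM tag check rejects tampering and wrong keys.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// Envelope is what the cloud provider stores: ciphertext plus the DEK wrapped
// under the consumer's KEK. Neither part is usable without the KEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// Encrypt is the "key usage" duty of the data-plane service: a fresh DEK per
// object, data sealed under it, DEK wrapped by the key manager, plaintext DEK dropped.
func Encrypt(km *KeyManager, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := km.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the key manager to unwrap the DEK; after Revoke that fails and
// the stored ciphertext stays opaque to whoever holds the envelope.
func Decrypt(km *KeyManager, env *Envelope) ([]byte, error) {
	dek, err := km.UnwrapDEK(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("key manager refused unwrap: %w", err)
	}
	return open(dek, env.Ciphertext, nil)
}
```

In a real deployment the WrapDEK and UnwrapDEK calls cross a trust boundary to the consumer's key manager or HSM rather than staying in-process, and the duty separation is enforced by access control on that boundary: the data-plane identity may call unwrap but may never export, rotate or destroy the KEK. The point the example makes is the one EKM-04 implies: because the provider only holds envelopes, revoking or withholding the KEK on the consumer's side makes every object encrypted under it unreadable, regardless of who can read the provider's storage.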

We’ve come a long way, but still have work to do

So, that’s best practice, but when does a best practice become a business imperative? Let’s take a high-level look at IT history to help understand this a bit better:

  • The oldest data protection tool is data backup, recognized as a “best practice” as far back as the early 1950s, which drove the rapid evolution of tape backup devices.
  • By the 1980s, regulations had emerged requiring “data retention” and “data backup”. Data retention, for example for the benefit of legal discovery, is enforced by law in many countries, states and provinces.
  • Debuting meaningfully after 2000, enterprise-class encryption (which requires encryption key management) for data protection is incredibly young compared with backup.
  • Since 2000, regulations have appeared that mandate encryption but say nothing about key management.
  • Over the same period, key life cycle management recommendations have been available, such as those from the National Institute of Standards and Technology (NIST).

Based on the history of backup, I think we can expect key management recommendations to become mandates over time, perhaps even with legal enforcement later. This should prompt enterprises to ask: if it’s going to be a mandate soon, isn’t it a business imperative now?

And another thing…

As Steve Jobs used to say, “and one more thing”: A couple of weeks ago, we released CipherTrust Cloud Key Manager v1.7 with cloud key life cycle management support for IBM Cloud’s “Key Protect” key management system. Adding IBM was important to us, especially based on findings from the 2019 Thales Cloud Security Study, where polled users identified IBM Cloud as one of the top three providers! In case you’re counting (from my previous blogs announcing new supported clouds): we’re now up to eight!
