Thales Blog

How better key management can close cloud security gaps troubling US government

February 29, 2024

Krishna Ksheerabdhi | VP, Product Marketing

In my first blog on this topic I noted that a Treasury Department report released last year listed six cloud security challenges financial sector firms face. I argued that the recent hacking of US Government networks demonstrates that all organizations storing sensitive data in the cloud face these challenges. Thales can help address the following four challenges:

1. Gaps in human capital and tools to securely deploy cloud services.

2. Exposure to potential operational incidents, including those originating at a CSP.

3. Dynamics in contract negotiations given market concentration. The limited number of CSPs may give CSPs outsized bargaining power when contracting with financial institutions.

4. International landscape and regulatory fragmentation.

Gaps in human capital and tools to securely deploy cloud services

The Treasury’s point here, as stated in its news release on the report, is the “current talent pool needed to help financial firms tailor cloud services to better serve their customers and protect their information is well below demand.” The report puts the onus on CSPs to “increase employee engagement experts, and to improve supportive technological tools and adoption frameworks that can help ensure that financial service firms design and maintain resilient, secure platforms for their customers.”

Still, any organization can strengthen its security in the cloud by tightening its own control over sensitive data. The first step is to know what sensitive data you have and where it is.

Thales CipherTrust Data Discovery and Classification helps your organization get complete visibility into your sensitive data with efficient data discovery, classification, and risk analysis across the heterogeneous data stores in your enterprise, including the cloud, big data, and traditional environments. It allows you to get a clear understanding of what sensitive data you have, where it’s located, and its risks of exposure. With rich visualizations and detailed reports, you can more easily uncover and close your gaps, make better decisions about third-party data sharing and cloud migration, and proactively respond to data privacy and security regulations including GDPR, CCPA, LGPD, PCI DSS and HIPAA.

Having discovered your sensitive data, the next step is to protect it, and in the cloud, that means protecting your keys. Indeed, as Microsoft wrote in a blog post, “the China-Based threat actor, Storm-0558, used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA and”. The networks compromised in this hack included US Government networks.

Thales offers vendor-independent encryption and key management services. We collaborate and innovate with CSPs and our customers to increase efficiency and operational resiliency across vendors in the cloud and on premises. CipherTrust Cloud Key Management (CCKM) protects your time as well as your data with a single-pane-of-glass view across regions for cloud-native, bring your own key (BYOK) and hold your own key (HYOK) keys, and one straightforward UI to manage all cloud Key Management Services.

Bring Your Own Key (BYOK) is an encryption key management system that allows enterprises to encrypt their data and retain control and management of their encryption keys. However, some BYOK plans upload the encryption keys to the CSP infrastructure. In these cases, the enterprise has once again forfeited control of its keys. A best-practice solution to this BYOK problem is for the enterprise to generate strong keys in a tamper-resistant hardware security module (HSM) and control the secure export of its keys to the cloud, thereby strengthening its key management practices. HYOK, also known as bring your own encryption (BYOE), takes this a step further by enabling organizations to encrypt data before sending it to the cloud and never sending the keys to the cloud. These techniques greatly reduce the likelihood your organization will be subject to a data security incident in the cloud. Compared to the native encryption solutions available from cloud providers, Thales BYOK and HYOK solutions give you higher confidence that your data is secure and that you are compliant with mandates by delivering:

  • High-performance AES encryption enhanced by hardware acceleration and granular access control policies, including privileged user access control. BYOK and HYOK control who can see specific data, through what process, and at which specified times.
  • An architecture that secures unstructured files, structured databases, and big data environments, and enables you to migrate data between cloud environments and on-premises servers without the time and cost of decryption. For additional granular controls and to meet a larger breadth of regulations, we provide format-preserving or traditional encryption or tokenization with applications using RESTful APIs or the industry’s most powerful and secure encryption libraries.
  • Simplified key management across on-premises and multi-cloud deployments by centralizing control on CipherTrust Manager.

BYOK and HYOK extensions enable the use of data during encryption and rekeying operations with Live Data Transformation, and isolate and secure container environments by creating policy-based encryption zones. Our BYOK and HYOK solutions monitor and log file access to accelerate threat detection, with Security Intelligence Log integration with popular SIEM tools.

Exposure to potential operational incidents, including those originating at a CSP

The Treasury’s news release elaborates on this, saying: “Financial institutions are still exposed to risks associated with technical vulnerabilities at CSPs and face practical challenges to mitigating such risks or migrating their operations to another provider.” The recent Chinese hack using an MSA consumer key is an unfortunate example of this.

Once again, the best way to secure your sensitive data, regardless of your industry, is to take more control over securing your data. In November 2021, I blogged about a situation just like this: the CosmosDB/Chaos DB vulnerability.

Our internal testing uncovered that Thales's [HYOK] would have thwarted the CosmosDB/Chaos DB vulnerability. That vulnerability worked because it gave access to Cosmos DB primary keys that inherently allow usage of encryption keys that were created as a part of the CSP's encryption process. Thales [HYOK] would have protected the data because the data would have been encrypted before being sent to the cloud, and the keys would have remained in the CSP customer's hands, separate from the CSP encryption. So, hackers would never have had access to the key necessary to decrypt the data.
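To make the distinction between an uploaded-key BYOK plan and HYOK concrete, and to show why client-side encryption would have blunted a Chaos DB-style exposure of CSP-side keys, here is an added illustrative model written for this post; it is not Thales code and not a Thales or cloud-provider API. `CloudStore`, `Store`, `Open` and `CloudCompromise` are constructed names, and the "cloud" is just a struct holding whatever the CSP would hold.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CloudStore models what the CSP holds for one record (constructed, not a Thales API).
type CloudStore struct {
	Ciphertext, Nonce []byte
	DataKey           []byte // set only when the key was uploaded (BYOK plan); nil under HYOK
}

func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so this cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Store encrypts on the customer side (AES-256-GCM) and returns the cloud record plus
// the key the customer retains; with hyok=false the key is uploaded to the CSP as well.
func Store(plaintext []byte, hyok bool) (CloudStore, []byte) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key) // crypto/rand: a failure here is fatal in current Go, not an error
	rand.Read(nonce)
	s := CloudStore{Ciphertext: aead(key).Seal(nil, nonce, plaintext, nil), Nonce: nonce}
	if !hyok {
		s.DataKey = key
	}
	return s, key
}
// Open decrypts with whatever key the caller holds; a nil key means no access at all.
func Open(s CloudStore, key []byte) (string, error) {
	if key == nil {
		return "", fmt.Errorf("no key available: ciphertext only")
	}
	pt, err := aead(key).Open(nil, s.Nonce, s.Ciphertext, nil)
	return string(pt), err
}
// CloudCompromise models an attacker holding everything the CSP holds (the Chaos DB pattern).
func CloudCompromise(s CloudStore) (string, error) { return Open(s, s.DataKey) }
func main() {
	msg := []byte("acct 12345 balance 9000") // constructed sample record
	byok, _ := Store(msg, false)
	hyok, key := Store(msg, true)
	fmt.Println(CloudCompromise(byok)) // plaintext recovered: the CSP held the key
	fmt.Println(CloudCompromise(hyok)) // error: ciphertext only
	fmt.Println(Open(hyok, key))       // plaintext: the customer still has the key
}
```

The same model shows the residual risk of HYOK: the customer's own key store becomes the single point to protect, which is why the post pairs HYOK with an HSM.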

Dynamics in contract negotiations given market concentration. The limited number of CSPs may give CSPs outsized bargaining power when contracting with financial institutions

This, too, is about not yielding too much control over your data to your CSPs. At Thales we advocate digital sovereignty, which includes data, operational, and software sovereignty.

Data sovereignty is about protecting your data from subpoena and keeping your data private and compliant with regulations like GDPR and CCPA.

International landscape and regulatory fragmentation

The Treasury Report summarizes this issue as follows:

The patchwork of global regulatory and supervisory approaches to cloud technology can make it nearly impossible for U.S. financial institutions to adopt cloud consistently at a global scale, reducing CSP use in the market and raising costs for cloud adoption strategies, which ultimately impacts consumers. Additionally, changes in regulations abroad may subject CSPs to direct oversight by foreign financial regulators, which could create regulatory conflicts negatively impacting the quality and security of services to all CSP clients.

Our customers who are most concerned about digital security and compliance seek out industry best practices and use them. They also seek out the most stringent international government regulations and comply with them. That way they tend to have a robust digital security posture that is ahead of the curve. Of course, they revise frequently.

Those organizations that quickly complied with GDPR were already well prepared for the regulations of numerous countries that created data privacy laws similar to GDPR, including Argentina, Bahrain, Brazil, Canada, Israel, Japan, New Zealand, Nigeria, South Africa, Turkey, Uganda, and more.

Among the best practices called for in GDPR and other international data security regulations are those I discussed above regarding Thales’s HYOK and BYOK solutions.

With regard to data residency requirements, Thales enables organizations to maintain GDPR and other data residency compliance using a trusted privacy framework for protecting international data flows that follows these overarching principles:

  • Discover and classify your sensitive data wherever it resides. That way you know what needs to be protected and can then apply the appropriate security measures as outlined by GDPR.
  • Protect sensitive data using robust encryption. This means protecting data stored in on-premises data centers and in the cloud, and ensuring that it is not exposed to unauthorized users inside or outside the data’s country of origin.
  • Control access to the data by creating, storing, and managing the encryption keys in the country of the data’s origin, and maintain control over who has access to the keys to decrypt sensitive data.
The US Government is right to be concerned about the security implications of the cloud, but these implications should be cause for concern for any industry or government agency that stores sensitive or regulated data in the cloud. Organizations with sensitive data in the cloud can strengthen their security posture by holding control of their data security as closely as possible. Thales’s HYOK and BYOK products are specifically designed to help with this.