Thales Blog

RSAC 2020: Trust in the Cloud. What Should You Do with Your Encryption Keys?

February 17, 2020

Sol Cates | Principal Technologist, Data Protection

In the past decade, businesses started evaluating the pros and cons of moving to the cloud in order to meet the increased demand for the cost and IT efficiency benefits of cloud computing and Software as a Service (SaaS). Many businesses subsequently adopted a Platform as a Service (PaaS), Infrastructure as a Service (IaaS) or SaaS model, thus positioning the cloud as the foundation for digital transformation. In the process, however, they embraced a large number of connected devices and IoT platforms, which means that additional data and processes are now moving outside of the firewall and into the cloud. This presents a security risk to businesses.

The need for strong security in the cloud is a factor that can either slow or speed movement to the cloud, depending on workload and other needs. As such, security professionals need to tackle certain security challenges associated with the cloud head-on. In particular, they need to address the challenge of cloud key management.

Businesses often struggle to manage their use of multiple cloud vendors such as AWS, Google Cloud Platform and Microsoft Azure. When it comes to data security, more organizations are tempted to use cloud native encryption and key management services because they are simple and readily available. This decision comes with many challenges.

Just Good Enough Security is Not Good Enough

One issue is that cloud native encryption and key management services provide only basic data security. Cloud services need to afford the same level of policy, control and visibility as services delivered on-premises. Many organizations can’t rely solely on the key management tools built into the cloud platforms. These tools are very good at provisioning keys for development teams, but when it comes to policy compliance, particularly for sensitive data or data under the purview of the latest privacy mandates such as the California Consumer Privacy Act, there are many gaps that may jeopardize a seemingly simple key management strategy.

Furthermore, leaving key control and management to cloud providers presents potential security risks and data ownership issues. It’s simply not a good idea to get locked into a single cloud vendor. Cloud computing has revolutionized the ways that companies do business. However, this increased reliance on cloud computing also comes with the risk of dependency. Being cloud agnostic makes your company more flexible and adaptable, and in doing so inoculates it against the risk of vendor lock-in.

Sensitive Data at Risk

From an operational standpoint, the use of multiple cloud key management services translates into decentralized key management, which is a definite no-no when it comes to security best practices. Unfortunately, this rush to cloud native encryption and key management has put sensitive data at risk, as evidenced by the multitude of data breaches we have witnessed over the past couple of years.

Finally, if your on-premises policies, methodology, controls and visibility are well-tested and well-implemented, why should you change them? Successful on-premises best practices will be just as successful when you extend them into the cloud.

The good news is that there are emerging options available to security professionals, but the trick is determining which one works best for their organization to ensure that data is protected, brand trust is retained, and shareholders are appeased. Never before has maintaining access to and control of keys been so important, especially given the financial implications (which may or may not include non-compliance fines) of a data breach.

Challenges, Choices, Capabilities and Changes

During the upcoming RSA Conference 2020, I will be discussing best practices for cloud key management to minimize risk. My objectives for the audience are as follows: 1) understand the challenges and pitfalls associated with cloud key management, 2) learn about the various options available, 3) identify the right fit for your organization, and 4) evaluate how to adopt changes internally. To meet these objectives, I will be highlighting the four “C’s”: Challenges, Choices, Capabilities and Changes.

If you are attending RSA Conference in San Francisco next week, grab a cup of coffee and join me in this discussion on Wednesday, February 26 at 8:00 a.m. in the North Hall Briefing Center. Or stop by Thales’s RSA Conference booth #N5445. Before the show, you can claim your free conference pass by clicking here and entering code XS0UTHALE.