Drive to Pervasive Encryption Boosts Key Management

As cloud infrastructure and compliance regulations become more complicated, companies are looking to simplify data security by adopting more pervasive encryption of sensitive data and consolidating key management into a single repository or service.

On March 22, email and file security firm Virtru became the latest data-protection firm to offer customers a single vault for key management, when it announced a private keystore that works with Google Workspace, Google Cloud, and the company's other products. The product manages encryption keys, configures policies, and allows audits of access to encrypted data.

Virtru had already offered encryption for email and files stored in the cloud, but the sensitivity of data and need for complying with government requirements led customers to ask for a "hold-your-own-key," or HYOK, capability, says Mike Morper, senior vice president of product at Virtru.

"We have customers that have come to us, who ... want to ensure absolutely no entity other than the intended recipient has access to [a particular piece of] information," Morper says. "We first started hearing this rooted in a lot of data-sovereignty conversations, particularly with some of our customers in Europe ... and it was paramount to them that they would have the ability to manage their own private keys."

As companies increasingly look to protect data with pervasive encryption, consolidated key management is coming into its own. Currently, 62% of companies have an encryption policy that is consistently applied, up from 50% in 2021, but more than half of companies still have trouble identifying all sensitive data, and 59% of businesses find key management to be very painful, according to Entrust's "2022 Global Encryption Trends Study."

Moreover, a set of headaches — including managing keys, limiting who can access data, and auditing that access — have grown more severe as companies need to comply with privacy regulations from multiple countries and ensure the security of data across multiple clouds, says Kevin McKeogh, vice president of product management for data protection solutions at Entrust.

"Encrypting data is easy. Managing the keys that are used to encrypt the data is what becomes increasingly challenging for organizations as they scale operations," he says. "With a growing volume of data now processed across distributed systems — on-premises and in multicloud environments — organizations need to maintain control of the keys to ensure data is protected and available to the applications that need to use the data, and to stay compliant to regulations."

Key Management Plus Granular Access Control

Take the move to multiple clouds — a significant operational challenge for data protection systems. By 2024, international data residency and privacy requirements will push more than 40% of organizations to adopt a third-party, multicloud key-management-as-a-service (KMaaS) offering instead of relying on the bespoke key management services offered by many cloud providers, states a Gartner report on KMaaS offerings commissioned by Thales, a data-protection provider.

The challenge of managing encrypted data, permissions, and access lists across multiple clouds and their associated key management systems has resulted in at least half of companies encrypting less than 40% of their sensitive data in the cloud, according to the "2022 Thales Data Threat Report."

"The typical enterprise has at least five different key managers deployed, so key sprawl is an issue," says Todd Moore, vice president of encryption products at Thales. "This complicates things like key rotation and retiring keys. The best practice is to have one centralized key management platform that can support the vast majority of your key management operations."

A central vault for sensitive keys can help make even complex situations simpler. This year, for example, at least 81% of companies are expected to use multiple cloud infrastructures, up from 60% in 2022, according to Forrester Research's "Unlocking Multicloud's Operational Potential" report, commissioned by secrets management firm HashiCorp. For those companies, encrypting data across cloud services and using a centralized vault to manage access to that data through keys allow for more control.

In addition, companies that rely on a single cloud provider's key management solution may be at greater risk. Privacy and data-protection regulations, such as the European General Data Protection Regulation (GDPR) and the Payment Card Industry's Data Security Standard (PCI-DSS), explicitly require — or heavily imply — that encrypting sensitive data is necessary and that self-custody of keys is preferred, says Andy Manoske, principal product manager for cryptography and security at HashiCorp.

"This is especially the case if data sovereignty requirements attempting to protect against a privileged adversary within a client's cloud service infrastructure are at play," he says. "While an adversary may not be able to compromise that key management system, they could render it inoperable if they have privilege within a single cloud hosting both data encryption and key management."

Private Keystore or Key Management as a Service?

While a private keystore is a solution, it is not the only one. Key-management services that provide HYOK can satisfy government regulations and business security requirements, while still giving companies the expertise and support they need to manage a complex task. Keys need to be protected, but defenders must understand the company's threat model and what types of attacks are likely in order to best select the appropriate encryption technologies.

Deploying encryption and maintaining a private keystore require some deep expertise within a company, Manoske says.

"Private keystores usually provide flexibility in how keys are retrieved and used for cryptography — a flexibility usually necessary when deploying cryptography within high-performance applications with significant automation," Manoske says. "This flexibility comes at the cost of usually requiring more sophistication from the defender in protecting against side-channel attacks — attacks that 'go around' the mathematical protections of cryptography to tamper with or steal keys."

While a company can retain ownership of critical keys, some KMaaS offerings can simplify the business' data security and provide necessary capabilities, such as access control and auditability, says Virtru's Morper.

"That's the hard part and, frankly, probably where the preponderance of adoption and friction come into play," he says. "So it really starts to become a balance for organizations. It's a security-policy decision and a business decision they need to make — what level of friction is appropriate and against what degree of risk?"