With the current slate of headlines putting the spotlight on cloud data security, two prominent organizations in that sphere recently issued updated best practices for protection of data stored and processed in third-party clouds. The common link: encryption.
In both the Cloud Security Alliance's updated Cloud Control Matrix and the National Institute of Standards and Technology (NIST) September Interagency Report, encryption key management, in particular, features prominently:
"Strong encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider." -- CSA CCM v3, Encryption & Key Management "...in all architectural solutions where cryptographic keys are stored in the cloud, there is a limit to the degree of security assurance that the cloud Consumer can expect to get, due to the fact that the logical and physical organization of the storage resources are entirely under the control of the cloud Provider." -- NIST Interagency or Internal Report 7956 (September 2013)
If you don't want "ghouls" stealing your customer data or government "spooks" twisting your cloud provider's arm to hand over information, it's crucial to retain ownership and control of encryption keys. In fact, while doing encryption key management in-house may seem down in the weeds, allowing someone else to hold your keys has direct consequences on the business. I argue that key management should be a priority agenda item not just for the chief security officer but also CEOs and boards of directors, especially for any company that stores or processes data in the cloud. What recent headlines have reinforced is the simple fact that the person or entity that controls and manages the encryption keys has effective control over the data. It really is that simple. When nobody else has the encryption keys, any entity seeking to decrypt data needs to demand the keys directly from the data owner.
With direct control of encryption keys, businesses may also:
-- Maintain their compliance responsibility for adequate data protection safeguards
-- Address data residency and privacy regulations for data stored and processed in the cloud
-- Respond directly to government and law enforcement subpoenas for cloud data
-- Implement and enforce best practices for securing and governing cloud data
Three Data Security Tricks
While holding onto the keys is critical, any approach to protecting data in the cloud must incorporate three other elements to ensure its effectiveness:
-- First, encryption must be invisible to the end user, both to ensure that the business gains the full productivity benefit of the service and also to ensure that users aren't motivated to find ways around security measures because they get in the way of business processes. Simply, it needs to be a part of the existing workflow and remain frictionless for the user.
-- Second, data must be persistently encrypted throughout its life cycle, whether in transit, at rest or in use.
-- Third, the encryption scheme must be watertight. If the encryption itself is easily broken, who holds the keys no longer matters. The 256-AES algorithm should be non-negotiable. Anything else isn't strong enough.
So as October rolls on and we read more about cybersecurity issues, stay grounded in the fundamentals and control the things you can control. While it's impossible to guarantee you'll never be the target of a cyber attack, you can put yourself in the best position to defend, deflect or mitigate it. And with data, what you can control is encryption keys -- whether data is on-premises or in the cloud.