5 Reasons to Maintain Control of Your Keys When Encrypting Data in Cloud

By on Nov 01, 2016

The recent debate between the FBI and Apple helped to bring data privacy, a hotly contested issue, once again to the forefront of public consciousness. In fact, the issues of data privacy and cybersecurity were among the key points debated in the U.S. Presidential election, especially with allegations that various state actors are conspiring to sway election results.

While the public got a chance to re-educate themselves on the data privacy issue, technology providers have clashed over this topic multiple times in the past. In fact, the market demand from enterprise customers increased to the point that multiple cloud providers including Amazon, Google, and Salesforce have extended their encryption capabilities to include customer-owned encryption keys or Bring-Your-Own-Keys (BYOK).

Previously, these cloud providers used to encrypt data but retained control of the encryption keys. By allowing enterprises to manage the keys, the cloud service providers have introduced another way for their customers to ensure security and privacy of their data.


The Cloud Encryption Handbook

Download this document to learn about encryption schemes that support search and sort, security/functionality trade-offs of each encryption schemes, and a framework for selecting the right scheme for you

Download Now

1. Control government access to corporate data

Enterprises that choose to encrypt data in the cloud with their own keys maintain exclusive control of their data when it comes to responding to government data requests. Cloud service providers periodically respond to ‘blind subpoenas’, where they are legally compelled to provide user data to government agencies without their customers’ knowledge.

In the first half of 2016, Google reported receiving nearly 45,000 requests seeking information on more than 76,000 accounts. In its transparency report, Twitter reported it had received 2,871 requests, a 40% increase in the number of requests from the previous year. Cloud service providers that hold the encryption keys have full access to all customer data on their platforms. When enterprises manage the keys, they are in the know when it comes to government data requests, and can respond in whatever way they choose to.

2. Regulate the key management process

By managing their own keys, enterprises can better protect their data and improve compliance. By formulating and adhering to internal policies on key rotation, enterprises ensure their data is protected in scenarios where keys are lost or compromised or when employees with master keys leave the company. Selected key management policies also allow enterprises to better comply with industry regulations. For example, PCI specifications recommend companies rotate their keys once a year.

3. Protecting against rogue cloud service administrators

Recognizing the risk of a ‘Snowden’ at a cloud provider, enterprises are looking for ways to increase protection against rogue administrators. When cloud service providers encrypt data with their own keys, there is a possibility of unauthorized access by an administrator who may be misusing privileges. By using their own encryption keys, customers minimize this risk as cloud service employees only have access to encrypted data.

In the past, cloud service providers discouraged the use of encryption by customers as it disabled functionalities such as search and sort, which restricted many solution capabilities. But advancements in cryptography have provided ways to encrypt data while preserving end-user functionality, which has enabled companies like Salesforce, Box, and Amazon to provide the BYOK option to their customers.

4. Maintaining client data confidentiality

Companies such as law firms and consulting firms, which are bound by stringent client confidentiality agreements, are often conflicted about adopting cloud services because in doing so they potentially expose their data to third party access. By encrypting their cloud data using their own keys, these firms can restrict access to only authorized users, thus adhering to their confidentiality commitments while also taking advantage of the benefits of cloud services.

5. Comply with data protection legislation and regulations

There are many laws and regulations covering data protection of personal and health data and they all state that organizations should implement appropriate safeguards to keep risks low. Some go as far as referring to encryption as a positive measure to deploy. For example, the new EU General Data Protection Regulation specifically recommends that encryption can mitigate risks. It also states that when personal data is exposed that is encrypted, the incident does not trigger notification requirements since the data is not accessible to third parties.

As cloud usage grows exponentially, enterprises are increasingly using Cloud Access Security Brokers (CASBs) to secure usage and data in the cloud. CASBs act as control points between users and cloud services to provide visibility into cloud activity, enforce compliance policies, detect threats from insiders and compromised accounts, and protect data with access controls and encryption.

For companies looking to encrypt cloud data with their own keys, CASBs act as key brokers, integrating with the company’s key management server and facilitating the secure transport of the keys to the cloud service provider without manual intervention. An example of this is the recent collaboration of Skyhigh with Salesforce in their announcement of the ‘Bring Your Own Key’ capability as part of their Shield offering. As the key broker, Skyhigh enables customers to use and rotate their keys across multiple Salesforce orgs. This capability reduces administration overhead, minimizes human errors, and ensures corporate data is protected within the Salesforce cloud.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs