Keeping your corporate crown jewels under lock and key can be harder than it looks. In this first in a new series explaining the secrets of the cloud, we take a look at the murky world of cloud encryption – why you need it and how best to implement it.
One of the things many organisations fail to understand when farming their workloads out to the public cloud is that responsibility for data security ultimately resides with them, not their provider. Sure, cloud service providers are beginning to realise they can differentiate by offering more secure propositions, but be in no doubt that if your organisation’s trade secrets, customer data or sensitive IP go walkabout, it’ll be the chief information security officer’s head on the block.
“When you go with cloud services, you are giving up control,” says Forrester analyst Rick Holland. “The historical ‘control’ for this has been contractual agreements. Agreements aren’t controls and may not satisfy regulators investigating the loss of data that you are still responsible for.”
So what’s to be done? Most security experts, including Holland, seem to agree that encryption is a must-have if you want to keep those crown jewels under lock and key. “Cloud encryption provides companies an option to say ‘yes’ to the cloud, yet still ensure the confidentiality of their data.”
Yet there are caveats. Done properly, encryption can be expensive and difficult to implement, which is why not everyone is doing it; done badly, with weak algorithms or keys stored alongside the data they protect, it offers little more than a false sense of security.
Here are a few tips to ensure you don’t fall flat when implementing cloud encryption.
Do your homework
Encrypting data in the cloud isn’t easy, and it pays to take time out to research the options before committing. Follow up with your encryption vendor of choice and make sure they answer all your questions: which algorithms and modes they use, where keys are generated and stored, how keys are rotated and destroyed, and exactly what the cloud provider can and cannot see. It’s vital you get the strongest, standards-based solution possible, meaning published and peer-reviewed algorithms such as AES rather than a proprietary scheme, and an evasive answer on key management should be treated as a warning sign. Homomorphic encryption, which allows limited computation on data while it stays encrypted, is worth watching, but it is not yet a practical substitute for conventional encryption backed by sound key management.
Keep control of your encryption keys
If your provider holds the encryption keys, it can decrypt and read all your information. A reputable provider is unlikely to do so on a whim, but it could be compelled to by law enforcement, or the likes of the NSA, and its key store then becomes part of your attack surface. It’s not beyond the realms of possibility, so if you’re all about minimising risk – and you should be – then keeping the encryption keys within the organisation is the way forward: generate them on your own hardware security module or key-management system, encrypt data before it leaves your premises, and make sure the provider only ever receives ciphertext. Just make sure you don’t lose them: back keys up securely and rehearse the recovery process, because data encrypted under a key you no longer have is gone for good.
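As an added example (not code from the article, nor from any vendor or provider it mentions), the following Go program shows the pattern behind “keep the keys in-house”: envelope encryption performed entirely on the customer side. A fresh data key encrypts each object, that data key is wrapped under a key-encryption key (KEK) the organisation controls, and only the ciphertext plus the wrapped data key are handed to the provider. The names `Encrypt`, `Decrypt` and `StoredObject` are this example’s own; in practice the KEK would live in an HSM or KMS the organisation runs and would never be exported as it is here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the cloud provider receives: ciphertext, nonces
// and a data key that is itself encrypted under a KEK the provider never sees.
type StoredObject struct {
	WrappedDEK []byte // per-object data key, encrypted under the org-held KEK
	WrapNonce  []byte
	Ciphertext []byte
	DataNonce  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext under key with a random nonce, binding aad.
func aeadSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func aeadOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer side before anything is uploaded. The object
// name is bound as associated data so a stored blob cannot be quietly swapped
// for another object's ciphertext.
func Encrypt(kek []byte, objectName string, plaintext []byte) (*StoredObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32) // fresh data key per object
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	dataNonce, ct, err := aeadSeal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := aeadSeal(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &StoredObject{WrappedDEK: wrapped, WrapNonce: wrapNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt is the only path back to plaintext, and it needs the KEK: without it
// the wrapped data key is just another opaque blob to the provider.
func Decrypt(kek []byte, objectName string, obj *StoredObject) ([]byte, error) {
	dek, err := aeadOpen(kek, obj.WrapNonce, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, obj.DataNonce, obj.Ciphertext, []byte(objectName))
}

func main() {
	// Assumed: the KEK is generated and kept on organisation-controlled hardware.
	kek := make([]byte, 32)
	io.ReadFull(rand.Reader, kek)
	secret := []byte("Q3 acquisition target list") // constructed sample data

	obj, _ := Encrypt(kek, "crown-jewels.txt", secret)
	fmt.Println("plaintext visible in what the provider stores:", bytes.Contains(obj.Ciphertext, secret))

	// A provider, or anyone who compels it, holds no usable key: a wrong KEK
	// yields an authentication failure rather than data.
	_, err := Decrypt(make([]byte, 32), "crown-jewels.txt", obj)
	fmt.Println("decrypt with provider-side guess:", err)

	pt, _ := Decrypt(kek, "crown-jewels.txt", obj)
	fmt.Println("decrypt with org-held KEK:", string(pt))
}
```

The key-management lesson is in the `Decrypt` signature: everything the provider stores is useless without a KEK that never left your side, which is also why losing that KEK (or the backup of it) is as final as deleting the data.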
Okay, so you’ve done all the hard work, but remember, encryption isn’t just about keeping the bad guys out. In our leaky, post-Snowden world, your employees also represent a significant risk, and a valid key in the wrong hands undoes everything above. So manage that risk by enforcing an access policy of least privilege: grant decryption rights per data set, only to the people and systems that genuinely need them, and log their use. And train your staff to understand how to handle encrypted data and the keys that protect it.