With every passing day, an increasing number of organizations are migrating their sensitive data and business applications to the cloud for operational flexibilities, cost efficiencies and quick scalability.
Further, to avoid dependencies on a single Cloud Service Provider (CSP) like Microsoft Azure, AWS, Oracle Cloud, IBM Cloud, etc., many organizations are opting to work with multiple CSPs in a multi-cloud environment today.
As an increasing amount of critical data gets stored in the cloud, the prospects of cyber-attacks and data breaches rise manifold. While most CSPs offer data protection features, the ultimate onus of safeguarding customers’ sensitive data rests with the organizations themselves. Here is a quick snapshot of the ‘Shared Responsibility Model’ that is widely accepted across the world when it comes to data security.
While organizations are increasingly investing their IT dollars in perimeter security mechanisms like antivirus, firewalls, etc., they fail to adequately invest in encryption technologies, which act as the critical last line of defense in the event of a cyber attack. This is evident from the ever-increasing number of sophisticated cyber attacks that result in data breaches costing organizations billions in losses.
To ensure zero loss of sensitive data, most data protection regulations like GDPR, PCI-DSS, RBI’s Gopal Krishna Committee Report, UIDAI Circulars and the upcoming Personal Data Protection Act in India have mandated the adoption of data encryption for optimal data protection.
However, merely encrypting sensitive data in the cloud is not sufficient. As an industry best practice recommended by the Cloud Security Alliance, organizations storing their data in the cloud should store and manage their encryption keys separately and remotely from the CSP’s encryption processes. The need to segregate encryption keys from encrypted data is also asserted by regulators like Institute for Development and Research in Banking Technology (IDRBT) and RBI in their respective Cloud Security guidelines.
Further, merely storing the encryption keys separately does not suffice. As encryption keys undergo multiple changes throughout their lifecycle, efficiently managing them at each juncture of the lifecycle becomes paramount to key management.
IDRBT has published a detailed FAQ document for banks considering cloud adoption, clarifying that encryption keys need to be managed separately.
When it comes to efficient key management for cloud data, the Thales Data Threat Report reveals five major pain points organizations face today.
- Encryption Key Visibility
Since CSPs provide only limited visibility into and access to encryption keys, organizations’ internal risk management teams do not allow lines of business (LoBs) to store all confidential data in the cloud, given the high costs that entails.
- Data Loss
CSPs provide their users with only minimal authorization controls for ensuring that encryption keys are not accidentally or intentionally deleted, which significantly raises the risk of data loss.
- Vendor Lock
Since organizations do not want to be locked in (committed) to a specific CSP, native CSP key management systems become an expensive barrier to moving to another CSP.
- Attaining Compliance
As most internal and regulatory mandates insist on storing encryption keys away from the cloud, organizations cannot migrate their data to the cloud where regulations require stronger control over keys that are kept locally.
- Key Lifecycle Management
Since native CSP key management services offer limited ability to automate the lifecycle of encryption keys, especially across multiple subscriptions, organizations are forced to implement expensive manual key management processes to meet their internal key security requirements.
When it comes to optimal data protection in the cloud, three key encryption technologies stand out – Bring Your Own Key (BYOK), Bring Your Own Encryption (BYOE) and Centralized Key Management.
- Bring Your Own Key (BYOK)
Most CSPs offer data-at-rest encryption and manage the encryption keys on their own. Under the BYOK approach, organizations retain full control of the keys that were used to encrypt their cloud data. This allows them to cohesively create, separate, own & control, and revoke the keys or tenant secrets that were used to create them.
Thales’s BYOK solution, CipherTrust Cloud Key Manager, seamlessly integrates with Microsoft Azure, AWS and Salesforce, and offers full data protection in a complex multi-cloud environment.
- Bring Your Own Encryption (BYOE)
BYOE offers maximum control as it allows organizations to encrypt their cloud data by using their own encryption process instead of the one offered by their CSP. Further, BYOE offers advanced data protection as it allows the cloud data to be encrypted at multiple levels – VM, File-Folder, OS, Application and Database.
Thales’s BYOE solution, Vormetric Data Security Platform, offers Transparent Encryption (TE) with Live Data Transformation (LDT), which delivers zero-downtime encryption: databases from any vendor, or files, can be encrypted or re-keyed with a new encryption key while the data is still in use by enterprise users. With zero application downtime, organizations experience significant yearly ROI at a lower TCO.
- Centralized Key Management
Since encryption keys pass through multiple phases during their lifetime – generation, distribution, rotation, archival, storage, backup and destruction – efficiently managing these keys at each and every stage of their lifecycle plays a pivotal role in optimal data protection.
Thales’s eSecurity Key Management solutions seamlessly streamline and strengthen the centralized key management process in a complex multi-cloud ecosystem.
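The three approaches above, and the key lifecycle described under Centralized Key Management, come down to one mechanical fact: the key that encrypts the data (the DEK) is itself wrapped by a key the customer controls (the KEK), so rotation, re-keying and revocation act on the small wrapped DEK rather than on the bulk data. The following Go program is an added illustration of that envelope pattern and is not code from the original page or from any Thales product; the `KeyManager`, `Envelope` and version ids are hypothetical, and the only data it handles is a constructed sample string. It shows rotation (a new KEK version becomes active while the old one is still able to unwrap), live re-keying (`Rewrap` moves an envelope to the new version without touching the ciphertext) and crypto-shredding (once a version is destroyed, anything still wrapped under it is unrecoverable, which is the "no data recovery after accidental key deletion" failure mode from the comparison below).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager is a hypothetical customer-side key store (the BYOK key source). KEK material never
// leaves it; a version is active (wraps and unwraps) until rotated, then archived (unwraps only), then destroyed.
type KeyManager struct {
	keys   map[string][]byte // KEK material by version id
	active string            // the only version allowed to wrap new DEKs
}

// Envelope is what would sit at the CSP: ciphertext plus the one-time DEK wrapped under a named KEK version.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func NewKeyManager() *KeyManager { return &KeyManager{keys: map[string][]byte{}} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: abort rather than continue with weak keys
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	g, _ := cipher.NewGCM(block)   // AES has a 16-byte block, so neither can this
	return g
}

// seal returns nonce || ciphertext || tag under AES-256-GCM; open reverses it and verifies the tag.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, data []byte) ([]byte, error) {
	g := gcm(key)
	ns := g.NonceSize() // data always comes from seal, so it is at least a nonce long
	return g.Open(nil, data[:ns], data[ns:], nil)
}

// Generate adds a fresh KEK version and makes it active; older versions stay for unwrapping (rotation).
func (km *KeyManager) Generate(id string) {
	km.keys[id] = randBytes(32)
	km.active = id
}

// Encrypt is envelope encryption: a random DEK protects the data, the active KEK protects the DEK.
func (km *KeyManager) Encrypt(plaintext []byte) (*Envelope, error) {
	k, ok := km.keys[km.active]
	if !ok {
		return nil, errors.New("no active KEK")
	}
	dek := randBytes(32)
	return &Envelope{KEKID: km.active, WrappedDEK: seal(k, dek), Ciphertext: seal(dek, plaintext)}, nil
}

func (km *KeyManager) unwrap(env *Envelope) ([]byte, error) {
	k, ok := km.keys[env.KEKID]
	if !ok {
		return nil, errors.New("KEK version unknown or destroyed: data is unrecoverable")
	}
	return open(k, env.WrappedDEK)
}

// Decrypt works under any version still in the store, active or archived.
func (km *KeyManager) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := km.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

// Rewrap moves an envelope onto the active KEK without touching the bulk ciphertext: only the wrapped DEK changes.
func (km *KeyManager) Rewrap(env *Envelope) error {
	dek, err := km.unwrap(env)
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = km.active, seal(km.keys[km.active], dek)
	return nil
}

// Destroy zeroises and removes a version; envelopes still wrapped under it are crypto-shredded.
func (km *KeyManager) Destroy(id string) {
	clear(km.keys[id]) // zero the material before dropping the reference (Go 1.21+)
	delete(km.keys, id)
}
```

The design point worth noticing is the order of operations in a rotation: generate the new version, re-wrap every envelope that still names the old one, verify that nothing references it, and only then destroy it. A real key manager adds what this sketch omits, namely an audit log of every wrap, unwrap and destroy call and an escrow copy of KEK material, which is exactly what the Identify and Recover rows of the comparison below are about.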
Choosing The Right Approach To Cloud Encryption
While all three of the above approaches offer robust data protection in the cloud, here is a detailed comparison of each approach:
| Features | BYOK | BYOE | Native Cloud KMS |
| --- | --- | --- | --- |
| Protect | – Uses CSP’s native encryption technology. – Low risk of incompatibilities or future restrictions from CSP. – Organizations get complete key ownership and control through a BYOK Key Management Server. – Key revocation and auto-scheduled key rotation increase key ownership. – Complete key ownership prevents vendor lock. – High throughput as the encryption process is implemented by the CSP. | – Uses organizations’ own encryption technology. – Incompatibilities or dependencies with CSP’s existing systems should be taken into consideration. – Organizations get complete key ownership and control through a BYOK Key Management Appliance. – Complete key ownership prevents vendor lock. – Throughput depends on the granularity of the encryption process chosen by organizations. | – Uses CSP’s native encryption technology. – All keys controlled by the CSP. – All encryption processes are transparent to the CSP. |
| Identify | Comprehensive audit / logging & monitoring features provided by the BYOK Key Manager. | Comprehensive audit / logging & monitoring features provided by the BYOK Key Manager. | Limited audit / logging & monitoring provided. |
| Recover | Secure key escrow available to organizations, ensuring that after any accidental key damage / deletion the encrypted data can be recovered from CSP’s native encryption processes. | Secure key escrow available to organizations, ensuring that after any accidental key damage / deletion the encrypted data can be recovered from the BYOE vendor’s encryption processes. | No data recovery possible in case of accidental key damage / deletion. |
| Cost | Low implementation costs and static component costs, as they are independent of the number of endpoints using encryption. | High implementation costs and varying component costs, as they depend on the number of endpoints using encryption. | Varying costs from CSP to CSP. |
| Certification | BYOK Key Managers and Key Sources usually have high security certifications like FIPS 140-2 that provide better assurance. | BYOK Key Managers and Key Sources usually have high security certifications like FIPS 140-2 that provide better protection. | All assurances are from the CSP and depend on their security practices. |
To Sum It Up
With a larger attack surface available in today’s multi-cloud environment, cybercriminals are getting smarter and more sophisticated with every passing day.
While CSPs are responsible for the security of their cloud, organizations are responsible for the security of their data in the cloud, and every CISO should ask the below five pertinent questions:
1) How do I maintain security controls over my cloud infrastructure?
2) Post-migration, what controls do I get?
3) How do I manage my PII data risks?
4) How do I manage my audits?
5) How do I meet compliance regulations?
Thales’s BYOK and BYOE solutions offer a cohesive answer to each of these questions. Please visit https://www.thalesesecurity.com/solutions/use-case/cloud-security for more information.