
Encryption in 2016: Are you the key master?

19 Apr 2016

In a world where perimeter security measures have proven ineffective in stopping data breaches, encryption is the only way to truly make data useless to those who are not supposed to have access to it. As a result, the question of who owns the keys to encrypt and decrypt the data has become even more important. Put plainly and simply, whoever owns the keys (or has access to them) also owns the data.

As more companies move their data to the cloud using encryption to protect it, key ownership is increasingly important in order to maintain total control of encrypted data in the cloud, for security and for compliance.

Some major cloud providers have taken notice of this. One example happened recently when Box launched its new enterprise cloud storage service, building it around a significant feature known as the customer-managed key. This gives customers full control over the keys that play a crucial role in the encryption of their data, representing a critical divergence from other popular services, such as and AWS, which manage the keys for the customer.

What are the different approaches to key management?

Key management is the processing and storage of keys that control who can decrypt and access protected information. This is a critical and yet often overlooked element of encryption. Too many organisations leave key management up to their vendors or store the keys inconsistently across their IT infrastructure in both hardware and software. That lack of centralised control can jeopardise the integrity of encryption. Often management of the keys is more important than the encryption itself, because if something happens to the keys, entire sets of data can be stolen or permanently lost.

Demonstrating control of data is a critical element of compliance. But it’s not full ownership without total control and ownership of the encryption keys. Salesforce has included important safeguards to its Platform Encryption in order to prevent any mishandling of the customers’ keys on their end. Still, at the end of the day, the keys cannot leave Salesforce, meaning their customers don’t necessarily have full control.

The other approach is to take the third party provider out of the equation and put the keys in the hands of the customer. This is the approach Box is taking. From a customer’s perspective, managing your own encryption keys may seem like a tall order, but it actually makes sense if you need to eliminate any chance of a vendor exposing your keys. Imagine if someone else was in charge of your house and car keys. Every time you have to get into either one, you need to go through that second party, and you live with the constant risk that the keys could be lost, leaving you with no recourse.

For those who are up to the challenge, customer-managed keys are a way around this problem. With this approach, control goes back to the data’s owner, and an external vulnerability is removed from the equation. This is the reason why organisations like Box are taking this approach.

While there are some drawbacks involved with key administration, more and more high-profile services and organisations seem to be giving their customers the opportunity to manage their own keys. This is another indication of just how seriously encryption is being taken by the tech industry in response to an increasingly security-fluent public.

Gemalto offers one of the most complete portfolios of enterprise security solutions in the world, enabling customers to enjoy industry-leading protection of digital identities, transactions, payments and data. Through Gemalto’s portfolio of SafeNet Identity and Data Protection solutions, enterprises across many verticals take a data-centric approach to security by utilising innovative encryption methods, best-in-class crypto management techniques, strong authentication and identity management solutions to protect what matters and where it matters in an increasingly digital world.