In a world where perimeter security measures have proven ineffective in stopping data breaches, encryption is the only way to truly make data useless to those who are not supposed to have access to it. As a result, the importance of who owns the keys to encrypt and decrypt the data has become even more important. Put plain and simple, whoever owns the keys (or has access to them), also owns the data.
As more companies move their data to the cloud using encryption to protect it, key ownership is increasingly important in order to maintain total control of encrypted data in the cloud, for security and for compliance.
Some major cloud providers have taken notice of this. One example happened recently when Box launched its new enterprise cloud storage service, building it around a significant feature known as the customer-managed key. This gives customers full control over the keys that play a crucial role in the encryption of their data, representing a critical divergence from other popular services, such as Salesforce.com and AWS, which manage the keys for the customer.
What are the different approaches to key management?
Key management is the processing and storage of keys that control who can decrypt and access protected information. This is a critical and yet often overlooked element of encryption. Too many organisations leave key management up to their vendors or store the keys inconsistently across their IT infrastructure in both hardware and software. That lack of centralised control can jeopardise the integrity of encryption. Often management of the keys is more important than the encryption itself, because if something happens to the keys, entire sets of data can be stolen or permanently lost.
Demonstrating control of data is a critical element of compliance. But it’s not full ownership without total control and ownership of the encryption keys. Salesforce has included important safeguards to its Platform Encryption in order to prevent any mishandling of the customers’ keys on their end. Still, at the end of the day, the keys cannot leave Salesforce, meaning their customers don’t necessarily have full control.
The other approach is to take the third party provider out of the equation and put the keys in the hands of the customer. This is the approach Box is taking. From a customer’s perspective, managing your own encryption keys may seem like a tall order, but it actually makes sense if you need to eliminate any chance of a vendor exposing your keys. Imagine if someone else was in charge of your house and car keys. Every time you have to get into either one, you need to go through that second party, and you live with the constant risk that the keys could be lost, leaving you with no recourse.
For those who are up to the challenge, customer-managed keys are a way around this problem. This approach gives control goes back to the data’s owner, and an external vulnerability is removed from the equation. This is the reason why organisations like Box are taking this approach.
While there are some drawbacks involved with key administration, more and more high-profile services and organisations seem to be giving their customers the opportunity to manage their own keys. This is another indication of just how seriously encryption is being taken by the tech industry in response to an increasingly security-fluent public.
If you would like to know more about innovative solutions from Gemalto, click here.
Gemalto offers one of the most complete portfolios of enterprise security solutions in the world, enabling customers to enjoy industry-leading protection of digital identities, transactions, payments and data. Through Gemalto’s portfolio of SafeNet Identity and Data Protection solutions, enterprises across many verticals take a data-centric approach to security by utilising innovative encryption methods, best-in-class crypto management techniques, strong authentication and identity management solutions to protect what matters and where it matters in an increasingly digital world.