#Privacy: Keeping sensitive data safe when migrating to the cloud 

In just a handful of years, the use of cloud computing has transitioned from being a leading-edge strategy to a standard business practice. The efficiency, agility and reduced overheads created by cloud-based services are swiftly becoming essential if an organisation is to remain profitable and competitive.

While most businesses are now using some form of cloud-based services, a growing number are migrating core IT infrastructure into the cloud. Analyst group Gartner recently estimated that 60 percent of all organisations will be using managed cloud service offerings by 2022, with research vice president Sig Nag stating that cloud adoption is now a mainstream practice.

Most businesses using cloud services are also leaning towards more expansive strategies that use two or more providers, with further research from Gartner revealing that 81 percent of public cloud using companies have at least two different services.

While there is no doubt that the powerful advantages delivered by the cloud will continue to see adoption rates grow, the move to the cloud is not without risks. Each new cloud service taken on by business will both increase the scope and complexity of their digital footprint and make it more difficult to control and combat potential threats to data.

This lack of control means that, while cloud adoption rates are accelerating, many organisations are holding back from putting their most sensitive and mission critical data in the cloud.

Losing control, retaining responsibility

While a thorough vetting process will help to ensure that cloud providers are following best security practices when they are chosen, the organisation will still have far less oversight of their data’s security than it would if the information was stored within its own network or a private cloud. This issue is even more pronounced in a multi-cloud strategy, and the business will need to deal with its data being scattered across multiple different providers, each of them coming with their own set of risks.

If sensitive or mission critical data is stolen by cyber criminals, it makes little difference whether the breach originated with the business itself or a third-party service provider. The company will still have to contend with the financial, legal and reputational damage of the breach. On the regulatory side, the EU GDPR and the recently enacted CCPA can fully penalise an organisation if private information is breached through a third party and essential processes such as encryption were not in place.

These risks mean that relying on a third-party to protect important data is still an act of faith. While a cloud provider may assert that data is protected with encryption for example, their actual strategy may be poorly implemented. One of the most common issues is to find that a service provider has encrypted the data, but that the cryptographic keys are kept within the same infrastructure. This means that if the cloud provider is breached, the criminals will likely be able to obtain the keys along with the data and render the encryption useless.

The PCI DSS takes a strong stance on this issue, mandating that card payment information cannot be stored in a public cloud if the cryptographic keys are kept on the same system. This is one of several factors holding back organisations from completing their transition to the cloud. For instance, retailers would be unable to use a public cloud to store or process essential customer and sales data.

Does BYOK have the answer?

The cloud industry has explored several different options to try to address these challenges and restore a sense of control to the public cloud. One of the most popular potential solutions is the use of a Bring Your Own Keys (BYOK) approach, where organisations are able to generate and manage their own encryption keys.

However, most BYOK strategies will still see the encryption keys being stored in the cloud provider’s key management system (KMS), which means they may still be retrieved by threat actors if the provider’s infrastructure is breached. This also tends to be a poor fit with the increasingly multi-cloud approach, as each cloud vendor will need to provide its own KMS. As an organisation’s infrastructure continues to grow and add more third parties, it will become more complex and costly to manage multiple KMS.

Taking full control of cloud security

One option for benefitting from the BYOK approach while compensating its shortcomings is to implement Bring Your Own Keys Management System (BYOKMS). Organisations can generate their own keys and be in full control of managing and storing them centrally, helping to address the complexity of a multi-cloud environment.

As businesses will be able to store the keys in their chosen data centre, protected by their preferred security strategies, this addresses the major failing of standard BYOK as the encryption keys are far removed from the data itself. Even if a third-party provider suffers a breach and critical data is exposed, without the keys the attackers will be unable to do anything with the stolen assets.

This is a major boon for regulatory compliance. Being able to prove that sound encryption is in place will free the organisation from the obligation to alert individuals whose data was involved in the breach, as well as escaping the threat of punitive regulatory fines. In addition, ensuring that the keys are kept entirely separate to the data will also enable a firm to store encrypted payment card details in the cloud while remaining compliant with the PCI DSS.

Businesses looking to successfully transition to the cloud must be able to ensure their most sensitive and mission critical data is well-secured. By taking full control of their own encryption keys, businesses can enjoy the increased efficiency and reduced costs of a cloud-led strategy without taking a leap of faith on their security.

By Dr Richard Searle, senior security architect at Fortanix 


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.