Have you moved to the cloud and think your data is secure because the cloud service uses encryption? This may be a false sense of security depending on the sensitivity of your data. There is much more to having secure storage of data than just the encryption algorithm that is used. Many companies have moved or are in the process of moving to the cloud for computing and data storage purposes. Overall, the cloud services are a less expensive environment for computing and data storage with the convenience of worldwide access from any number of devices.
Cloud services are inherently secure using encryption for data in flight to and from the cloud, and data at rest. This encryption is typically included in the base cost of the service, but is it as secure as the in-house datacenters that these companies once used? Even if the company did not employ encryption to protect the data there was a level of security in that the network was private that protected access from external advisories. When using a cloud service, companies loss control their data relying on the security of the cloud service and its personnel. The encryption employed by cloud services is used to protect the data in the event of a data breach which protects the service from undue financial loss. The encryption keys used are shared among the customer base and managed internally. How well these keys are actually protected is not easily assessed. Poor key management could allow internal access to their customers’ data.
When it comes to encryption It is not the algorithm that protects the secrecy of data, these are publicly known and widely distributed. The choice of an encryption algorithm is important in that some are stronger than others, however the security of encrypted data relies on the security and secrecy of the cryptographic key. Any entity that has access to cryptographic keys can decrypt the data.
For companies that have sensitive data that must be protected for business purposes may choose to use encryption where the cryptographic keys are unique to them. This is implemented as a second level encryption and most cloud services offer this. These companies must implement strong key management where split knowledge and dual control is enforced such that no one single individual has access to the encryption key. Split knowledge is where the key is broken up and distributed to separate individuals for safe keeping. Individual knowledge of these key parts does not reveal anything about the key itself. Dual control is a process where two or more individuals are required to perform key management functions which may include key recovery, distribution to other platforms or systems, internal use. Improper key management may result in the loss of keys or compromise of the key which exposes the data that was meant to remain secret.
Encryption key management is a critical part of using encryption to keep data secure and secret. Poor key management is like hiding the spare house key under the welcome mat of your house. If you don’t understand how encryption keys are managed, and more importantly know the people and systems that have access to the keys, your data may not be as secure as you think. There are several ISO and ASC X9 standards that can help review key management processes as well as consulting firms that are willing to help.