Fortanix expert on how European companies are taking back control of their data in the cloud – Intelligent CIO ME

When running workloads with sensitive and regulated data in the cloud, organisations are seeking greater options to enable them to protect and control that data themselves. Faiyaz Shahpurwala, Chief Product Officer at Fortanix, tells us how, by taking control of their encryption keys, organisations will be able to complete their Digital Transformation journeys and start applying the benefits of the cloud for their most sensitive and essential assets.

Cloud technology has redefined the business world in recent years, with IDC finding that 90% of organisations now have at least some of their applications or infrastructure hosted in the cloud and the remainder expected to catch up by 2021.

The increased flexibility, agility and cost-savings offered by moving to the cloud mean there are few reasons for organisations to hold back. One of the last barriers for public cloud adoption is concern around security and data protection. While most firms now have at least some of their operations based in the cloud, many are still reluctant when it comes to their most sensitive data and mission critical assets.

Why are public clouds a security concern?

Working with a third-party cloud provider necessitates a certain loss of control and a large degree of trust. If a cloud host is not properly configured and secured, it will leave the data of its customers vulnerable to being breached by threat actors. Data security regulations such as GDPR also make it clear that an organisation is still responsible for any data breach involving a third party, so firms must ensure they carry out due diligence on their chosen cloud providers.

One of the most important elements of good cloud security is the proper use of encryption. When it comes to data security compliance, GDPR, as well as others such as the upcoming California Consumer Protection Act (CCPA), maintain that firms will not be subject to penalties if they suffer a data breach, but only if the information has been encrypted.

However, encryption is only an effective defence if the cryptographic keys that govern access are well defended. Encryption keys are usually held in the cloud as well, and if threat actors are able to get their hands on them, they will have free rein to access all of the information on the cloud server.

From a compliance perspective, PCI DSS, the global credit card security standard, states that encryption keys cannot be held in the cloud, which means any firm that deals with payment details cannot store this data on a public cloud and remain compliant.

Aside from the threat posed by an external intruder, cryptographic keys held on a cloud server are also potentially vulnerable to malicious insiders or other third parties. Because the organisation has no control over the keys, it will also be unable to prevent the provider from giving them up in circumstances such as legal action.

Taking back control of cloud security

The security, privacy and compliance concerns around storing sensitive data in the cloud can all be overcome by organisations taking control of their encryption keys and keeping them outside of the cloud. By using a bring your own keys (BYOK) approach, organisations will be able to store their keys in their own preferred data centre.

Taking this tactic will greatly reduce the risk of encryption keys being accessed by cyberattackers or malicious insiders, as well as restoring control when it comes to access issues from other third parties or legal requests. Even if the cloud provider suffers a catastrophic data breach, the data will remain safely encrypted if the keys are secured in a separate data centre.

The additional security assurance created by taking direct ownership of their cloud encryption keys means that organisations can gain the confidence to start using their cloud infrastructure to host sensitive data and mission critical assets. For the first time, firms will also be able to begin storing credit card data in the cloud without falling foul of the PCI DSS.

Managing encryption keys effectively

Taking control of its cloud encryption keys is only a beneficial strategy if the enterprise itself can secure them properly. Firms should take their time when selecting a colocation data centre to hold their keys and ensure their chosen provider has advanced security measures in place.

In addition, organisations need to implement an effective encryption key management system for securely generating, storing and using cryptographic keys and certificates. This is particularly important when it comes to managing multi-cloud environments, which has increasingly become the cloud strategy of choice. Recent research from Gartner found that 81% of public cloud users are working with two or more providers.

Businesses will be dealing with different sites at multiple geographies, as well as potentially different cryptographic processes including encryption, tokenisation and shared secrets. Alongside this, many firms rely on a hybrid approach that combines on-premise and cloud-based infrastructure.

An effective management tool will make it easier to cut through the complexity created by these environments to establish a consistent approach that ensures there are no oversight or connectivity issues around the use of encryption keys.

Ideally, organisations should be seeking a key management system that uses a cloud native approach and is designed to be developer friendly. In particular, it is important to have an accessible API for cloud and dev-ops teams to work with.

While the cloud has become a ubiquitous part of the business world and particularly Digital Transformation, you could argue that we're still very much at the beginning of the journey. Just five years ago, most firms were still only doing minor, low risk testing and development on the public cloud. Only now are we at last getting to the point where more critical assets and infrastructure are being migrated over.

By taking control of their encryption keys into their own hands, organisations will be able to complete their Digital Transformation journeys and start applying the benefits of the cloud for their most sensitive and essential assets as well.
