Cloud Hosting

Organizations are adopting encryption at a rapid and increasingly urgent pace. Why? Because encryption helps organizations support dynamic industry regulations while also protecting sensitive data thats placed in the cloud.

The trend of adopting public cloud solutions continues to grow, but protecting critical data in the cloud is still a major concern. Its critical to protect data against external breaches and unauthorized access by cloud service providers. Collectively, organizations are diligently working with consultants and suppliers to implement solutions to keep their data safe.

In many specific instances, companies want to prevent their data from being accessible to cloud service providers (CSPs). However, organizations are now facing a new dilemma: What are they supposed to do when they want to permanently delete their data in the cloud?

Regulatory compliance and cloud data protection are two driving reasons for establishing encryption and encryption key management strategies. Furthermore, in the new world of cloud data security, the old concept of a castle has become ineffective; the concept of a curated museum is much more applicable to cloud data security. In this new world, organizations want to share data appropriately with many users and platforms without running the risk that it will be taken, changed, hijacked, destroyed or accessed by unauthorized users.

Learn more about Multi-Cloud Data Encryption

To complicate matters, the value of data can change quickly. As we know, information such as quarterly financial data has high value prior to its disclosure, but the necessity to keep it private significantly declines once the announcement of financial performance is released to the market. However, other data, such as pharmaceutical trial data, HR information from divested organizations and historical notes on litigation proceedings, can quickly become a liability if it is unintentionally disclosed to the wrong party after the collective work on these efforts has been completed.

When you combine the need for privacy, the desire to collaborate using shared data and the trend of leveraging cloud applications and storage, you can see the need to not only protect cloud-based data, but also to manage it throughout its entire life cycle, from creation to destruction. Furthermore, in the case of cloud deployments, this process needs to be managed and controlled in an environment that is not physically under your control. This last requirement raises the following questions:

Encryption has historically been used to protect data against unauthorized use. However, encryption can effectively erase data as well. This is called cryptographic erasure.

The National Institute of Science and Technology (NIST) released Special Publication 800-88, Revision 1: Guidelines for Media Sanitization, which detailed how encryption is part of media and data sanitation.

If strong cryptography is used, the publication stated, sanitization of the target data is reduced to sanitization of the encryption key(s) used to encrypt the target data. In laymens terms, this means that if the data is encrypted and you destroy the keys, the data is erased.

Of course, there are some qualifiers to claiming sanitization by cryptographic erasure. First, you must ensure that you have encrypted the data from the moment it was originally stored. Next, verify that you have exclusive access to all data encryption keys and ensure that all keys are wrapped under one or more wrapping keys. Finally, delete the wrapping keys to render the data encryption keys and data itself unrecoverable. Fortunately, these steps are not difficult to follow if you have the right tools.

For example, if you have a petabyte of data that has been encrypted from the moment it was placed in the cloud and control over the wrapping keys that protect the data encryption keys, then when you delete the wrapping keys, you render data encryption keys and the petabyte of data useless. This happens regardless of where the data is stored or whether you can even access the storage environment. In other words, you can effectively erase a petabyte of data by deleting just a few kilobytes of keys. Thats cryptographic erasure, and its powerful.

Naturally, you may want to recover the petabytes of bits associated with your now-useless data. Why pay to store petabytes of random bits? However, that is secondary to the erasure of the data itself.

The logistics of implementing cryptographic erasure fundamentally requires the system that stores and encrypts the data to be separate from that of encryption key management. Leveraging key life cycle management software packages helps maintain separation of these duties and functions.

Keeping your encryption engine separate from the encryption keys, as well as keeping the keys well-managed, is not just a best practice, but also keeps you on the right side of regulations and helps protect your most precious assets your encryption keys and encrypted data from threat actors. Remember that storage is inexpensive, but data is becoming infinitely more valuable, both as an asset and a liability. Control your data, protect it and ensure that it has a clear life cycle that you control.

The future architecture of data protection is clearly modular. We need to:

Following these practices ensures that your data, protected through encryption, will provide value through its lifetime and can be securely deleted when no longer valuable.

To protect data in a multicloud environment, organizations should still focus on implementing centralized policy management as well as centralized key management.

Guardium for Multi-Cloud Data Encryption offers the ability to encrypt cloud data across multiple clouds. It also integrates with IBM Security Key Lifecycle Manager. This combination of local but highly redundant key management, and the ability to concurrently manage tens of thousands of encrypted file systems or volumes in multiple clouds, gives organization the tools they need to protect and manage the entire life cycle of data regardless of where it resides.

Learn more about Multi-Cloud Data Encryption

Read this article:

How Encryption Makes Your Sensitive Cloud-Based Data an Asset, Not a Liability - Security Intelligence (blog)

I wrote yesterday about reports thatpeople in the White House are using encrypted communication apps more often, and why that might be. Today I want to follow up by talking about how the politics of encryption might affect government agencies choices about how to secure their information. Ill do this by telling the stories of the CIOs of three hypothetical Federal agencies.

Alice is CIO of Agency A. Her agencys leader has said in speechesthat encryption is a tool of criminals andterrorists, andthat encryption is used mostly to hide bad or embarrassing acts. Alice knows that if she adopts encryption for the agency, her boss could face criticism for hypocrisy, for using the very technology that he criticizes. Even if there is evidence thatencryption will make Agency Amore secure, there is a natural tendency for Alice tolook for other places to try to improve security instead.

Bob is CIO of Agency B. His agencysleader has taken a more balanced view, painting encryption as a tool with broad value forhonest people, and which happens to be used by bad people as well. Bob willbe in a better position than Alice to adopt encryption if hethinks it will improve his agencys security. But he might hesitate a bit to do so if Agencies A and B need to work together on other issues, or if the two agency heads are friendsespecially if encryption seems more important to the head of Agency A than it does to the head of Bobs own agency.

Charlie is CIO of Agency C. His agencys leader hasnt taken a public position on encryption, but the leader is known to be impulsive, thin-skinned, and resistant to advice from domain experts. Charlie worries that if he starts deploying encryption in his agency, and then the leader impulsivelytakes a strong position against encryption without consulting his team, the resulting accusationsof hypocrisy could anger the leader. That might cost Charlie his job, or seriously undermine the authority he needsto properly manageagency IT. The safe thing for Charlie to do is to avoid deploying encryptionnot only to preserve his job but also to protect the rest of the agencys IT agenda. If Charlie doesnt change the agencys practice, then criticism of the practice can be deflected onto the previous leaderand of course well be upgradingto the better practicesoon. Here the uncertainty created by the leaders management style deters Charlie from changing encryption practice.

Lets recap. Alice, Bob, and Charlie are operating in different environments, but in all three cases, the politics of encryption are deterring them, at least a little, from deploying encryption. Their decision to deploy it or not will depend not only on their best judgment as to whether it will improve the agencys security, but also on political factors that raise the cost of adopting encryption. And so their agencies may not make enough use of encryption.

This is yet another reason we need a serious and specific discussion about encryption policy.

Follow this link:

How the Politics of Encryption Affects Government Adoption - Freedom to Tinker