infoTECH Feature

April 24, 2012

Safekeeping Encryption Keys in the Cloud: A Critical Reality for Many Companies

There’s no doubt that there has been a significant rise in cyber attacks and data infiltrations both on cloud-based Web applications and those within the enterprise. An attacker looks for application logic flaws, poses as a privileged user, and then steals sensitive data. A recent report confirms this trend: One out of three executives consider themselves well protected; however, half indicate a yearly increase in security levels as well as attacks. While there is executive awareness of attacks related to cloud, social media, and mobile devices, cyber-criminals have found more surface vectors and increased opportunities for attacks.

When it comes to the cloud, encryption is a key defense. In a virtual cloud environment, an enterprise’s data is no longer within its four walls, which is why encryption is such a critical element. But whom can a cloud customer trust with the encryption keys? Companies using IaaS and PaaS cloud services can implement encryption in their cloud account, but the bigger problem becomes managing the encryption keys in the cloud. One solution is to store the keys on the same cloud infrastructure you use for your data, or with a dedicated key management vendor, even though these same security providers are themselves exposed to attacks.

Today, there’s a level of unrestricted access that introduces new opportunities for cyber-criminals: smart device application downloading, anytime/anywhere data access and social media collaboration each present new and significant security challenges. An alternative to trusting a provider with your encryption keys is to store the keys at the enterprise. However, this requires a physical server deployment back in the data center, resulting in an expensive solution both in terms of software licenses and operational overhead, some of the very things a company was looking to reduce. Today, the cloud’s shared computing process presents another major change because it eliminates the perimeter, which has always protected enterprises.

At the encryption level, deployment is a long and complex process that in many cases does not provide a complete solution across different operating systems and databases. Creating a secure encryption workflow in the cloud is a challenging process and in many ways is not yet a simple reality. Security needs to move from a defensive/reactive position to a proactive, risk-management approach. Ways to get more proactive about this include identifying critical IT services that support sensitive data and understanding the vulnerabilities of those systems, especially as they relate to encryption processes.






Edited by Jennifer Russell