Though the Encryption in the Cloud report is now in its 10th year of production, the findings are perhaps particularly interesting and timely this year with respect to data protection and encryption, located right at the top of the global news agenda. The word “encryption” may make numbers-averse people uncomfortable, but the reality is that for our increasingly digital and connected world, encryption undergirds the notion of trust.
A trend in the last several years has been the significant expansion of the use of encryption. This usage often dovetails with an enterprise-wide, data-centric strategy. Its use spans everything from encrypting data in databases and file systems, in storage networks, on back-up tapes, and while being transferred over a public and internal networks. Although this might seem that organizations are moving in the right direction when it comes to enterprise data protection there’s a real risk that we create fragmentation and inconsistency – encryption sprawl – as different organizations deploy the diverse technologies in different places, to secure different types of data. Now, to make matters worse, the cloud presents its own unique threats and challenges. With an undeniable value proposition, it seems clear that the cloud is inevitable and protecting data within it will be a top priority.
The Encryption in the Cloud report revealed a surprisingly high percentage—over 50 percent—of businesses that admit to sending confidential or sensitive data to the cloud. Only 11 percent of respondents say that their organization has no plans to use the cloud for sensitive operations, down from 19 percent just two years ago. While it was good to see that use of encryption to protect that sensitive data in the cloud is also increasing, concern remains that over half of those respondents that store sensitive data in the cloud report that their data is “cleartext” and therefore readable by anyone who can get access to it.
There are still many and varying opinions regarding how and where to apply encryption in the cloud. The report shows an almost equal split between those that encrypt data before it is sent to the cloud and those that choose to apply encryption directly within the cloud. Regardless of approach, key management remains a pain point as businesses tread the line between trust and control with regard to their own organization and the cloud provider.
In fact, more than just a pain point, key management is the determining factor in an effective encryption strategy. Although many regard encryption itself as being black and white – data is either encrypted or not – the reality is that there is such a thing as good or bad encryption. Much of the variance comes down to implementation and key management – a point that became crystal clear with the recent “Heartbleed” vulnerability in OpenSSL. With this in mind, it is heartening to see that 34 percent of report respondents said that their own organization is in control of encryption keys when data is encrypted in the cloud. Only 18 percent of respondents report that the cloud provider has full control over keys.
If the cloud provider has full controls, how can key safety be guaranteed? This constitutes a risky approach. If someone shows up with a lawsuit or subpoena, will the cloud provider release these keys without your knowledge? From a criminal’s perspective, stealing keys is far more lucrative than stealing data. Stealing data is the modern equivalent of stealing money, yet stealing keys is like stealing the printing press that makes the money– an attack that keeps on giving, or to be more accurate, an attack that keeps on taking!
You must be able to understand your data in order to feel confident about storing it in the cloud. When over half of businesses surveyed still send sensitive data to the cloud, it’s clear that more thought must be given to ensuring its safety. Sixty-six percent of respondents still do not manage their encryption keys, which means that they are not truly in control of their data’s safety. If you care about your data, you will encrypt it and maintain control of it.
About the Author
As Vice President of Product Management and Strategy, Richard contributes his well-respected data protection expertise and thought leadership to the information technology security activities of Thales (News - Alert). Richard has helped Thales take the lead in redefining the boundaries of encryption management for global enterprises. Richard holds a bachelor’s degree in electrical engineering from Birmingham University and an MBA from Warwick University, U.K.