
Realities of cloud-based encryption and key management show lack of control


The challenge of cloud-based encryption is about where the data is encrypted and who holds the keys.

Speaking to SC Magazine, Richard Moulds, vice president strategy at Thales e-Security, said that the challenge with cloud when it comes to encryption is that you have to ask what sort of cloud is being used and where the encryption is done.

“There is a huge difference here, some solutions only offer encryption to certain applications,” he said.

“The PCI data security standard has been saying for five years to do encryption, and that is great, but now you need to know who controls the key, where has it been and who has access, and the level of sophistication is growing. As other solutions offer cloud-based encryption, people will ask more questions.”

Releasing a report with the Ponemon Institute that surveyed more than 4,000 organisations globally, Thales found that more than half of all respondents say their organisation currently transfers sensitive or confidential data to the cloud, while more than 60 per cent of respondents whose organisations currently transfer sensitive or confidential data to the cloud believe the cloud provider has primary responsibility for protecting that data.

The survey found that there was a marked increase in confidence among respondents in the ability of cloud providers to protect the sensitive and confidential data entrusted to them – up from 41 per cent (2011) to 56 per cent (2012).

Moulds said that now, attackers are not trying to break encryption, but are trying to steal keys. He said that often it is about how often you change the key and where you store it.

“You can buy a database or software that does encryption, but businesses are now waking up to the notion of key management as this is the hard bit. If you do it in the cloud and lose the key, you cannot unencrypt the data. We will end up with encryption in the cloud, but the last thing you want is an employee with access.”

According to the survey, 35 per cent of respondents said that use of the cloud has decreased their security posture. Moulds speculated that the next stage will be where data is hosted, particularly with overseas hosting concerns. “You may encrypt data to get round the residency problem, as PCI-DSS says that if you touch credit card or cardholder data then you are subject to an audit,” he said.

He said that the correct way is to put data in the cloud and keep the keys in the enterprise, as otherwise the cloud provider is both ‘the gamekeeper and the poacher’, while putting encrypted data in the cloud prevents filtering and access to data.

Just over half of respondents say they don't know what their cloud provider actually does to protect their data – and only 30 per cent say they do know.

Larry Ponemon, chairman and founder of the Ponemon Institute, said: “Staying in control of sensitive or confidential data is paramount for most organisations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud.

“In this, our second year of conducting this survey, we wanted to dig a little deeper and explore the difference in attitudes about the most common types of cloud services – IaaS, PaaS and SaaS. Perceived responsibility for data protection, awareness of security measures, confidence and impact on overall security posture illustrate important regional and service type differences but overall the trend is positive.”
