Realities of cloud-based encryption and key management show lack of control

News by Dan Raywood

The challenge of cloud-based encryption is about where the data is encrypted and who holds the keys.

Speaking to SC Magazine, Richard Moulds, vice president of strategy at Thales e-Security, said that this is the challenge with cloud when it comes to encryption: you have to ask what sort of cloud is being used and where the encryption is done.

“There is a huge difference here, some solutions only offer encryption to certain applications,” he said.

“The PCI data security standard has been saying for five years to do encryption, and that is great, but now you need to know who controls the key, where has it been and who has access, and the level of sophistication is growing. As other solutions offer cloud-based encryption, people will ask more questions.”

Releasing a report with the Ponemon Institute that surveyed more than 4,000 organisations globally, Thales found that more than half of all respondents say their organisation currently transfers sensitive or confidential data to the cloud. More than 60 per cent of the respondents whose organisations currently do so believe the cloud provider has primary responsibility for protecting that data.

The survey found that there was a marked increase in confidence among respondents in the ability of cloud providers to protect the sensitive and confidential data entrusted to them – up from 41 per cent (2011) to 56 per cent (2012).

Moulds said that attackers are now not trying to break encryption, but are trying to steal keys. He said that the question is often how frequently you change the key and where you store it.

“You can buy a database or software that does encryption, but businesses are now waking up to the notion of key management as this is the hard bit. If you do it in the cloud and lose the key, you cannot unencrypt the data. We will end up with encryption in the cloud, but the last thing you want is an employee with access.”

According to the survey, 35 per cent of respondents said that use of the cloud has decreased their security posture. Moulds speculated that the next concern will be where data is hosted, particularly when it is hosted overseas. “You may encrypt data to get round the residency problem, as PCI-DSS says that if you touch credit card or cardholder data then you are subject to an audit,” he said.

He said that the correct way is to put the data in the cloud and keep the keys in the enterprise, as otherwise the cloud provider is both ‘the gamekeeper and the poacher’. Putting only encrypted data in the cloud, he added, prevents the provider from filtering or accessing that data.
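The pattern Moulds describes (ciphertext in the cloud, keys in the enterprise) and his earlier point about key rotation can be shown concretely in code. The following Go program is an added example written for this article; it is not code from Thales, Ponemon or the article itself, and the names `KeyStore`, `Record`, `Encrypt`, `Decrypt`, `Rotate` and `Rewrap` are assumptions of this example. It uses envelope encryption with AES-256-GCM from the Go standard library: each record is encrypted under its own data-encryption key (DEK), and only the DEK, wrapped under an enterprise-held key-encryption key (KEK), travels to the cloud alongside the ciphertext. The sample record is constructed data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore is the enterprise-side key manager; its key-encryption keys (KEKs) never leave it.
type KeyStore struct {
	keks [][]byte // keks[i] is KEK version i+1; the newest is used for new wraps
}

// Record is everything the cloud provider receives; the DEK inside is encrypted under a KEK.
type Record struct {
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Body       []byte // nonce || AES-256-GCM(DEK, plaintext)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand aborts the program rather than return weak bytes
	return b
}

// gcm builds AES-256-GCM; every key in this file is 32 bytes, so neither call can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal returns nonce||ciphertext under key, with a fresh random nonce per call.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the key is wrong or the blob was altered.
func open(key, blob []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob too short")
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: [][]byte{randomBytes(32)}} }

// Rotate adds a fresh KEK and returns its version; old versions stay until their records are re-wrapped.
func (s *KeyStore) Rotate() int {
	s.keks = append(s.keks, randomBytes(32))
	return len(s.keks)
}

// Encrypt seals the data under a new DEK, then wraps that DEK under the newest KEK.
func (s *KeyStore) Encrypt(plaintext []byte) *Record {
	dek := randomBytes(32)
	v := len(s.keks)
	return &Record{KEKVersion: v, WrappedDEK: seal(s.keks[v-1], dek), Body: seal(dek, plaintext)}
}

// unwrap recovers a record's DEK; only a store holding that KEK version can.
func (s *KeyStore) unwrap(r *Record) ([]byte, error) {
	if r.KEKVersion < 1 || r.KEKVersion > len(s.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", r.KEKVersion)
	}
	return open(s.keks[r.KEKVersion-1], r.WrappedDEK)
}

// Decrypt unwraps the DEK and opens the body.
func (s *KeyStore) Decrypt(r *Record) ([]byte, error) {
	dek, err := s.unwrap(r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Body)
}

// Rewrap moves a record onto the newest KEK: only the small wrapped DEK changes, the bulk ciphertext in the cloud is untouched.
func (s *KeyStore) Rewrap(r *Record) error {
	dek, err := s.unwrap(r)
	if err != nil {
		return err
	}
	r.WrappedDEK, r.KEKVersion = seal(s.keks[len(s.keks)-1], dek), len(s.keks)
	return nil
}

func main() {
	enterprise := NewKeyStore()
	rec := enterprise.Encrypt([]byte("constructed sample: customer record 42"))
	_, err := NewKeyStore().Decrypt(rec) // a party with keys of its own, but not ours
	fmt.Println("decrypt without the enterprise KEK fails:", err != nil)
	enterprise.Rotate()
	fmt.Println("rewrap after rotation:", enterprise.Rewrap(rec), "/ record now on KEK version", rec.KEKVersion)
}
```

Two properties matter here. A party that holds the `Record` but not the enterprise `KeyStore` (the provider, or anyone who copies its storage) cannot unwrap the DEK, so the provider is never in a position to read or filter the data. And because only the wrapped DEK is bound to a KEK version, rotating the KEK is a matter of re-wrapping a few dozen bytes per record rather than re-encrypting everything already in the cloud, which is what makes frequent key changes affordable.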

Just over half of respondents say they don't know what their cloud provider actually does to protect their data – and only 30 per cent say they do know.

Larry Ponemon, chairman and founder of the Ponemon Institute, said: “Staying in control of sensitive or confidential data is paramount for most organisations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud.

“In this, our second year of conducting this survey, we wanted to dig a little deeper and explore the difference in attitudes about the most common types of cloud services – IaaS, PaaS and SaaS. Perceived responsibility for data protection, awareness of security measures, confidence and impact on overall security posture illustrate important regional and service type differences but overall the trend is positive.”
