Why you need to know who owns your encryption keys [Q&A]
As companies move more of their data to the cloud, it's not surprising that they're turning to encryption in order to keep their data safe.
But if you're using a third-party cloud provider, who owns and controls the keys to your encrypted data? Rui Biscaia, director of product management at data classification specialist Watchful Software, believes it's vital for companies to know.
BN: Why has encryption become such an important tool?
RB: Encryption technology is a fundamental, underlying part of protecting sensitive data. It ensures that the wrong people don't have access to your information and can't leverage it for their own purposes.
In the past you've been able to control the environment where your data was residing. You can take steps to prevent people from hacking into your repository of information. However, if someone is able to break in there's nothing to stop them from stealing the data. Or if an internal user leaks the data it's also compromised. So while protecting your system perimeter is good, in practice it's not enough -- you need to protect the data as well.
Organizations therefore turn to a second level of security which is file-centric security. This encrypts and protects files within the repository even if they’re moved around or shared with other users.
BN: Why does moving to the cloud change things?
RB: To ensure the protection and portability of files, companies are moving to third-party cloud providers. This makes for easier collaboration between users, but one of the fundamental aspects of keeping this secure is encryption.
However, for file-level encryption to work you need to have a common denominator encryption key. This is a 'master key' or 'tenant key' that is able to decrypt everything. Cloud providers will say they can hold the master keys for you to allow the collaboration to happen. That means, though, that if they want to, or if they're asked to do it by federal agencies or whoever, they can access the keys they need to decrypt your data and access it.
Companies want to trust their cloud suppliers to have security mechanisms in place; this includes encryption to ensure that whenever a file moves it's always protected. In order for this to work smoothly the cloud provider needs access to the tenant key.
BN: How does this impact on day-to-day operation?
RB: There's always a balance between encryption and usability. There are ways to encrypt with minimal impact on performance in terms of the time it takes for files to open. The problem is, once you click to open a file, what happens is that the software will reach out to a server somewhere that will tell it the user is allowed access. If the server is hosted in an outsourced cloud it has the keys in order to grant access to the file.
BN: How do companies keep their keys safe?
RB: To allow collaboration to happen in future, businesses will turn more and more to the cloud. If they’re to do so securely they need to control their encryption keys. Some companies have done this by storing them in a private rather than public cloud, or on an in-house server that’s under their control. By all means make use of the storage and collaboration advantages of the cloud, but make sure that third-party service providers aren’t controlling your master keys.
It's also important to have data classification. It makes no sense to encrypt every file and email in the organization. Classification can sort out data which is sensitive and needs encryption, from data that isn't and doesn't. This can be done in an automated way by, for example, content, contextual and behavioral analysis.
Under GDPR companies will become legally liable if their third-party providers don't have a good enough security approach, so they have to take responsibility for themselves. When you sign up with a cloud provider they should be asking you where you want your encryption keys to be stored.