INFOTECH: Bring Your Own Encryption Delivers Complete Control Over Data Access
Whether to protect internal protocols and the integrity of data access hierarchies or to prevent attacks in the face of growing cyber-threats, implementing controls over the way information is sent and shared is more important than ever for businesses. Encryption is a fundamental aspect of this process and is essential to assuring data integrity and security. The challenge now faced by security decision-makers is how best to utilise encryption as their businesses move to the cloud. With increasing concern around security and privacy in the cloud, providers and Software-as-a-Service (SaaS) vendors responded with a security model that has become known as Bring Your Own Encryption (BYOE). It is intended to overcome the worry that the encryption of data at rest provided by cloud or SaaS vendors is insufficient protection for customer data, as the cloud or SaaS vendor can decrypt the data and gain access to it at any time. Bring Your Own Key (BYOK) serves to reassure clients that they have complete control over the keys used for encrypting their own data in the cloud, writes Simeon Tassev.
Benefits of BYOE
A security model that gives complete control over data encryption and decryption, BYOE allows clients making use of cloud-hosted environments to implement a virtualised instance of their own encryption alongside the application they are hosting in the cloud. The BYOK element comes in where encryption keys are stored separately from the cloud and controlled by the business, in which case total ownership of data is enabled. Without access to the master key, the cloud service provider could not access the data even if it were legally obliged to do so. The biggest benefit to the client is therefore that they are in complete control of their data, even if it is stored in a public cloud. When considered as part of a cloud cyber security strategy, the client has free rein to implement it in whichever way meets their needs for cost-effectiveness, complexity and efficiency. This could mean making use of cloud key management solutions, or of internal hardware modules designed to manage encryption transactions, certificates and keys. This fits into an organisation’s data loss prevention strategy, given that the concept of data protection is linked to encryption. By bringing your own keys, you are not only encrypting your data and limiting access to that data, but you are also limiting access to raw data. While someone might be able to access encrypted data, they cannot do anything with it without the key – which has the effect of improving data security and preventing data loss by minimising any possible unauthorised access.
Considerations to bear in mind
Businesses that are data-sensitive (and thus subject to data protection legislation) require BYOK technology to help meet their security and compliance requirements, and with it can run their most sensitive workloads in the cloud. However, it is important to bear in mind that best practices for encryption require a separation of duties between the data owner and the cloud or SaaS vendor. This means that businesses should only be concerned with controlling their encryption and keys, and should let their cloud or SaaS vendor manage the data.
Given the rising popularity of the idea of outsourcing the task of key management, before deciding to go this route the business needs to consider the following and ask these questions of their prospective service provider:
What tools and solutions are used to store keys? The most meaningful key management setup includes a hardware security module, which enables dedicated storage with high-performance and high-availability key access for both encryption and decryption operations.
How are keys accessed? Keys should never be under the custody of a single person; they should be jointly managed by two or more trusted internal team members, and there should be an in-depth audit trail.
How are keys recovered? Certain providers will not allow for recovery of keys under client control, but if they do, they need to ensure that the client is involved throughout the process and that the person requesting the recovery is properly vetted.
How does the provider deal with multiple key access where a database or application requires it? This is especially important when it comes to the control and distribution of each key, as well as the creation, management and destruction of such keys.
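The joint-custody and audit-trail requirement raised in the questions above can be shown in a few lines of code. This is an added example, not taken from the article or from any vendor's product; it assumes a 32-byte master key, an n-of-n XOR split, constructed custodian names and a hash-chained log, where a hardware security module or key management service would enforce the same controls itself.

```python
import hashlib
import hmac
import json
import secrets
from functools import reduce

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(master, custodians):
    """n-of-n XOR split: every named custodian's share is needed to rebuild."""
    if len(custodians) < 2:
        raise ValueError("dual control needs at least two custodians")
    shares = [secrets.token_bytes(len(master)) for _ in custodians[:-1]]
    # The final share is the master key XORed with all the random shares.
    return dict(zip(custodians, shares + [reduce(xor, shares, master)]))

class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it.
    Tampering is only detectable if the latest hash is also kept elsewhere."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(e):
        body = {k: e[k] for k in ("seq", "actor", "action", "prev")}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        e = {"seq": len(self.entries), "actor": actor, "action": action, "prev": prev}
        e["hash"] = self._digest(e)
        self.entries.append(e)

    def verify(self):
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True

def release_key(shares, fingerprint, log):
    """Rebuild the key from the presented shares; every attempt is logged."""
    # Assumes 32-byte keys, the same length as the SHA-256 fingerprint.
    candidate = reduce(xor, shares.values(), bytes(len(fingerprint)))
    ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), fingerprint)
    log.record("+".join(sorted(shares)), "release-ok" if ok else "release-denied")
    return candidate if ok else None
```

A single custodian's share is indistinguishable from random bytes, so one person can neither use nor leak the key, and by the same property a lost share makes the key unrecoverable.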
Even though BYOE and BYOK technology is still in the early days of adoption, and needs a significant amount of thought before it is applied, it offers the client a significant amount of assurance in terms of data protection. It must be remembered, however, that choosing to outsource the BYOK component comes with a risk. While it’s great for security that your service provider can’t give the key to anyone else, usually this means that they can’t give it to you either, and losing your keys means that you’ll be locked out and unable to access your own data as well. With great power comes great responsibility, and businesses need to be aware of that before taking control of (and potentially losing) their own keys.