Forget about ‘set and forget’

Using cloud computing effectively and safely, however, requires care. One of the big draws of cloud services, is the ability to scale resources up and down as needed. Maybe there’s a project starting for a few months that will require some data processing and analysis, or there are seasonal demands for services which need additional resource. The cloud allows businesses to meet these needs without having to pay to keep that spare capacity around. But the benefits of only paying for what’s needed are only possible if the business keeps on top of where their data is stored, and in what tier – rather than falling into the trap of setting and forgetting.

The same applies for securing this data. Under most public cloud provider contracts there is a joint responsibility between the cloud provider and the customer for the security and availability of the stored data. This can vary widely depending on the type of service that has been procured, so it is important for all organisations to think carefully about which data is best stored where, and at what security level.

In practice this is easier said than done. Not every organisation has the technical knowledge in place to keep on top of configuring and managing their cloud services – no matter how critical they might be to keeping the organisation running. Other may think they have security through obscurity being just one of many millions of public cloud customers – or because they’ve not experienced an attack yet, as naïve as that may be.

Organisations may also be unclear on the details of the contracts they’ve signed – they are still legally responsible for the security of their own data, wherever it’s stored. Public cloud providers may act to quarantine affected encryption keys if a breach is discovered, but if public cloud credentials are compromised and data is held for ransom, there’s little providers are legally responsible for.

The risks of poorly managed encryption keys

Recent attacks on cloud storage instances underscore the importance of getting this right. One cyber crime group dubbed ‘Codefinger’, for example, have attacked at least two victims by stealing AWS customer account credentials and using the built-in encryption to lockdown their data. This is made possible by the fact that many companies aren’t regularly monitoring and auditing the encryption keys they have in place, revoking permissions for those that are no longer required.

There are also duplication and visibility challenges, with over half (53%) of organisations still having five or more key management systems in place, according to the 2024 Thales Data Threat Report. Encryption key management needs to be taken as seriously as all the other cybersecurity measures an organisation has in place.

Separation of duties

Luckily, effective practices around the generation, storage and use of encryption keys have been clearly defined for some time. The strength of the keys chosen, for example, needs to align with the sensitivity of the data. Some applications may benefit from the use of RSA key pairs, so that third parties can authenticate with a public key, while the data remains encrypted with a private key.

Maintaining a separation of duties is also advisable, so that those creating and managing the keys do not also have access to the protected data. Dividing responsibilities in this way reduces the risk of a successful attack via social engineering or credential compromise, which could then give threat actors full administrative access.  

Tracking and coordinating the use of encryption keys is also easier if they are stored in a secure vault with specific permissions, or if a Hardware Security Module (HSM) is used to store the master keys. It’s a good idea to limit the amount of data that can be encrypted with a single key, as well as to mandate a crypto period for every key – so that newly encrypted data can only be accessed with the new key version.

A centralised system

When you consider that an organisation may have millions of keys and operations taking place that need managing across multiple environments and for structured and unstructured data alike, having a centralised system is the best way to apply these practices consistently and rigorously. There are also increasing numbers of regulations and standards around the world that mandate strict control over encryption keys – so these practices are no longer just a ‘nice to have’, they are in fact the table stakes for doing business.

The value of having IT resources available anytime, anywhere via the cloud has been immeasurable for modern business, but in the race to take advantage of these services, businesses must not forget that the legal liability for the security of their data remains with them.

Rob Elliss is EMEA vice president, data and application security at Thales.