how can companies better control them?
While the Cloud offers many benefits, the confidentiality of the data stored in it remains a focal point for its adoption. Encrypting that data is essential, but not sufficient.
To have full control over their data, companies must learn to manage their cryptographic keys on their own. This control is the most relevant answer for companies to the problem of data security.
Data is a major challenge for companies. It has become the primary fuel for any business and often provides a competitive advantage for those who know how to manage it. But some data requires special attention: personal data and sensitive data. To comply with regulations and minimize the risk of data theft or loss, organizations must implement various organizational and technical processes.
An increasingly difficult challenge. Three dates have complicated data governance. The GDPR became enforceable in May 2018. In October 2015 and July 2020, the Court of Justice of the European Union (CJEU) issued two important judgments, respectively Schrems 1 and 2, which reshuffled the cards on the legal framework that allows the export of personal data. They ended the Safe Harbor and the Privacy Shield, two agreements between the United States and Europe to facilitate the transatlantic exchange of personal data, although the EU’s Standard Contractual Clauses (EU SCC) remain a valid mechanism for the transfer of personal data outside of Europe, as recognized by the European Commission.
A great question
Data privacy regulations require organizations that collect data to remain responsible for its confidentiality and protection, regardless of contractual or outsourcing arrangements. How can companies respond to this dilemma: leverage cloud performance while ensuring information security?
One solution is to encrypt personal and critical data. But beyond cryptography (a far from widespread practice *), the secure management of cryptographic keys is essential.
There are several key management methods: “Bring Your Own Key” (BYOK), “Hold Your Own Key” (HYOK) and “Bring Your Own Encryption” (BYOE). In the first two solutions, all data is encrypted by native cloud services. Cloud providers generate encryption keys by default and then manage the lifecycle of those keys for their customers.
Full control over your data
When you want to access your data with BYOK and HYOK, the provider asks your key server to provide it with the decryption key. When finished, you can delete it. But while working on this data, the provider has your key and can use it later. This is the weak point of these solutions: they manage only the keys, not the encryption itself, which is still performed by the provider's native services.
This situation is unacceptable for organizations hosting sensitive data in the cloud, as they must retain full control and ownership of their keys to continue to comply with internal security requirements and regulations.
Hence the need to implement strategies that allow companies to maintain complete control over when and how their keys are used to access and protect their encrypted data.
There are solutions on the market that consist of completely disconnecting from the supplier by relying on proprietary control and “Bring Your Own Encryption” (BYOE). It is an encryption key management system that allows companies to encrypt their data and maintain control and management of their encryption keys.
One of these, the result of a collaboration, comes in the form of an encryption platform compliant with ANSSI recommendations, which prevents the vendor from accessing the encryption key and the encryption method used. Companies thus maintain full control over their data stored in the Cloud, as well as over the encryption service provided by this platform.
This solution responds precisely to the problem of data security, but it requires great care in its implementation: the main risk is the loss of the key.
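The BYOE model described above, as an added example that is not from the original article or from any vendor's platform: data is encrypted on the customer side with AES-256-GCM (Python `cryptography` package) before it reaches a constructed in-memory `cloud_store`, and `recoverable()` shows the key-loss risk. The function names, the KEK/DEK envelope layout and the sample record are assumptions made for illustration.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed stand-in for a cloud object store: it only ever receives what
# upload() hands it, which is everything the provider can see.
cloud_store = {}

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM encrypt; the random 96-bit nonce is prepended to the output."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Inverse of seal(); raises InvalidTag on a wrong key or tampered data."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)

def upload(kek: bytes, name: str, plaintext: bytes) -> None:
    """Encrypt on the customer side, then store only ciphertext in the cloud."""
    dek = AESGCM.generate_key(bit_length=256)   # per-object data key (DEK)
    aad = name.encode()                         # binds both blobs to the object name
    cloud_store[name] = {
        "wrapped_dek": seal(kek, dek, aad),     # DEK encrypted under the customer KEK
        "ciphertext": seal(dek, plaintext, aad),
    }

def download(kek: bytes, name: str) -> bytes:
    """Fetch the object and decrypt it locally with the customer-held KEK."""
    obj, aad = cloud_store[name], name.encode()
    dek = unseal(kek, obj["wrapped_dek"], aad)
    return unseal(dek, obj["ciphertext"], aad)

def recoverable(kek: bytes, name: str) -> bool:
    """True if this KEK can still open the object; False models a lost key."""
    try:
        download(kek, name)
        return True
    except InvalidTag:
        return False

if __name__ == "__main__":
    kek = AESGCM.generate_key(bit_length=256)   # never leaves the customer
    upload(kek, "hr/payroll.csv", b"alice,4200\nbob,3900\n")  # constructed record
    print(download(kek, "hr/payroll.csv"))
    print(recoverable(AESGCM.generate_key(bit_length=256), "hr/payroll.csv"))
```

Because the store holds only `wrapped_dek` and `ciphertext`, backing up the KEK outside the cloud is the only protection against the unrecoverable case.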
In short, data encryption is critical to cloud security. But this is not enough. Businesses should be able to manage their own keys. With BYOE and a sovereign control platform, organizations no longer have to worry about where their data resides.
* A study published by Thales in June 2021 shows that only 17% of companies encrypt at least half of their sensitive data in the cloud.