Ask any Enterprise File Sync and Share (EFSS) vendor if they provide encryption and you are going to get a emphatic, “Yes!” They will claim end-to-end encryption and let you assume that you are covered. But are you really? Certainly end-to-end encryption is important and offers a base level of security but if the EFSS vendor owns your keys then you may not have the protection you might think. In this StorageShort, Storage Switzerland and Ctera discuss the importance of key ownership as part of the encryption process.
Key Ownership is Key
After ticking the end-to-end encryption checkbox, IT professionals need to dig deeper and understand key ownership. In most cases they are going to want the organization to own the encryption keys, not the provider. There are two main reasons why. First, if a judge orders the provider to turn over your organization’s data, the provider will. In some cases providers are under no obligation to tell you they have done that, and in others they may be explicitly ordered by a court not to tell you the request has been made.
If you own the keys, you still may decide to follow the court order to turn over data, but the decision to turn that data over should be the decision of the organization and no one else. Even if the organization does comply with an order to release data, at least it knows it is happening and can begin to prepare for any backlash.
The second reason for an organization to control its own keys is what if the EFSS provider gets hacked, exposing all of the keys it controls? The hacker now has access to all of your stored data. In many cases the EFSS vendor may not alert its customers for fear of public backlash. In other words, data may be exposed without the organization knowing it. Obviously, every organization is susceptible to a cyber threat. But again, the chances of knowing a hack occurred goes up substantially if the organization owns the key.
Encryption is just one key element of a EFSS strategy. To learn about the other elements, data residency, advanced authentication, secure access and user acceptance, watch our on-demand webinar, “5 Must-Haves to Achieve Total File Security in the Cloud“.