When it comes to encryption, IT is constantly being told to “own the keys.” But why? Isn’t it OK if your provider owns the keys?
Encryption keys are how you unlock encrypted data. Whoever or whatever owns the keys has access to the data. When moving and storing data in the cloud, most providers encrypt the data, but they also maintain key ownership. They are not necessarily doing this because they want access to your data; they are doing it so they can provide assistance with various data management requests, as well as provide value-added services.
For example, if a user deletes a file or even a whole directory, a provider with the keys should be able to help the recovery effort. For an organization with a thin IT staff, this extra help may be exactly what they need.
Another example is a provider that wants to provide additional services on the data you are storing in their cloud. Services might include context level search, or the tiering of data to lower long term retention costs.
While the motivation to hold these keys on behalf of their customers is genuine, there is a risk. That provider does have full access to your data. They may promise not to expose it. But if the provider faces a court order, the provider will deliver that data to the interested party. In fairness, if your organization is faced with the court order it may decide to do the exact same thing. But that should be the sole decision of the executive team, not the provider.
It’s not just protection from a lawsuit. Let’s assume the provider gets hacked. At that point the encryption keys are more than likely compromised as well, and all of its clients’ data is now exposed. If the organization owns the keys, then even if the provider is hacked your data is protected. The hacker would have to crack both the provider and your keys to get to the organization’s data.
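To make the breach scenario concrete, here is an added example (not code from the original article) of the pattern that lets an organization own its keys while still using a provider’s storage: envelope encryption. Each file is sealed with a per-file data-encryption key (DEK), the DEK is sealed with a key-encryption key (KEK) that never leaves the organization, and the provider stores only the ciphertext plus the wrapped DEK. The function and type names, the use of AES-GCM, and the sample file contents are all assumptions chosen for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is everything the provider holds for one file: the ciphertext
// and the DEK wrapped under the organization's KEK. The KEK itself is never
// uploaded, so a copy of this struct alone is not enough to read the file.
type StoredObject struct {
	Nonce      []byte // nonce for the file ciphertext
	Ciphertext []byte // AES-GCM(DEK, file)
	WrapNonce  []byte // nonce for the wrapped DEK
	WrappedDEK []byte // AES-GCM(KEK, DEK)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an unusable CSPRNG is not recoverable here
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKEK generates a 256-bit key-encryption key held only by the organization.
func NewKEK() []byte { return randomBytes(32) }

// EncryptForUpload runs inside the organization before data leaves for the cloud:
// fresh DEK per file, file sealed with the DEK, DEK sealed with the KEK.
func EncryptForUpload(kek, plaintext []byte) (StoredObject, error) {
	dek := randomBytes(32)
	dataGCM, err := gcmFor(dek)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := randomBytes(dataGCM.NonceSize())
	ct := dataGCM.Seal(nil, nonce, plaintext, nil)

	kekGCM, err := gcmFor(kek)
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce := randomBytes(kekGCM.NonceSize())
	wrapped := kekGCM.Seal(nil, wrapNonce, dek, nil)
	return StoredObject{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt is what anyone holding a copy of the stored object can attempt with
// whatever key they have. With the organization's KEK it succeeds; with any other
// key (a breached provider holds no copy of the KEK) GCM authentication fails.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	kekGCM, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekGCM.Open(nil, obj.WrapNonce, obj.WrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	dataGCM, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	return dataGCM.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK without touching the ciphertext,
// so routine key rotation (part of the administration duty that comes with
// ownership) does not require re-uploading the data.
func RotateKEK(oldKEK, newKEK []byte, obj StoredObject) (StoredObject, error) {
	oldGCM, err := gcmFor(oldKEK)
	if err != nil {
		return StoredObject{}, err
	}
	dek, err := oldGCM.Open(nil, obj.WrapNonce, obj.WrappedDEK, nil)
	if err != nil {
		return StoredObject{}, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	newGCM, err := gcmFor(newKEK)
	if err != nil {
		return StoredObject{}, err
	}
	obj.WrapNonce = randomBytes(newGCM.NonceSize())
	obj.WrappedDEK = newGCM.Seal(nil, obj.WrapNonce, dek, nil)
	return obj, nil
}

func main() {
	orgKEK := NewKEK()
	file := []byte("constructed sample: quarterly payroll export") // constructed input
	obj, err := EncryptForUpload(orgKEK, file)
	if err != nil {
		panic(err)
	}
	pt, _ := Decrypt(orgKEK, obj) // the organization, holding the KEK, reads it back
	fmt.Printf("organization decrypts: %q\n", pt)
	_, err = Decrypt(NewKEK(), obj) // a breached provider has the object but not the KEK
	fmt.Println("provider-side copy without KEK:", err)
	rotated, _ := RotateKEK(orgKEK, NewKEK(), obj)
	fmt.Println("ciphertext unchanged by rotation:", bytes.Equal(rotated.Ciphertext, obj.Ciphertext))
}
```

The point the article makes shows up in the last two calls: a copy of everything the provider stores, including the wrapped DEK, yields only an authentication error without the organization’s KEK, and rotating that KEK re-wraps the small DEK rather than re-encrypting the whole file.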
The idea of getting hacked also highlights the need for the organization to maintain not only the keys but the data itself. Today, private cloud storage solutions offer much the same benefits public cloud providers do. While they do have a greater upfront cost, the long-term savings of private storage is simple math. For a quick overview of these costs, check out my article, “What’s better than Cloud Storage for Cold Data?” For a detailed comparison of costs, please read my colleague Joseph Ortiz’s article, “Tape vs Cloud for Archive and Cold Data.”
Securing The File Use Case
One area where organizations look to the cloud for help is in developing a file strategy, often focused on file sync and share. For small organizations the cloud as the host may be ideal, but for larger organizations, and especially the enterprise, it probably is not. These organizations may be better off implementing a private cloud storage solution on-premises and developing a file strategy that includes not only file sync and share, but also remote office data distribution and end-point data protection.
To learn more about developing a secure file strategy check out our on-demand webinar, "5 Must-Haves to Achieve Total File Security in the Cloud."
Owning the encryption keys and saving the organization from potential exposure is more important to most organizations than the potential value add that providers might be able to deliver. There is simply too much risk if a provider owns the keys. Key ownership does come with responsibility: the internal solution selected needs to protect those keys from loss, and the organization needs to follow best practices for key administration.