
Customer-owned encryption and key management

Centralize control of your data

Digital transformation demands data protection

Many leading companies are embracing change. They’re treating data as a shared resource between key stakeholders and using analytics to find untapped value. They’re embracing hybrid multicloud to gain agility and competitive advantage.

But the success of all this change can depend on properly securing enterprise data, especially the data entrusted to public cloud storage. When data is managed by a cloud service provider (CSP), the data may still be vulnerable to unauthorized user access and manipulation. A strong data security strategy carefully considers who ultimately owns and controls the data.

Encryption and encryption key management make up the cornerstone of data protection. Security experts and regulatory compliance mandates recognize encryption as an underlying control for data in the cloud and on premises. When an organization keeps ownership and control of its encryption and key management and applies both extensively, the extent and severity of a possible data breach can be reduced.

Understanding data encryption and key management

Encryption can help keep sensitive data safe and confidential as well as help address compliance with government and industry regulations. Essentially, encryption scrambles or codes data so that the information remains unreadable to unauthorized users. The only way to gain access to the original plain text or data is with the encryption key.

Encrypted data is only as safe as these keys, so the keys must be managed carefully throughout the encryption key lifecycle. That oversight includes generating, deploying, storing, archiving and deleting keys, and performing other important functions such as rotating, replicating and backing up keys. Keys can be lost or mismanaged, so backup keys are essential.

Without a backup, a key that is lost or deleted permanently bars access to the data it protects; deliberately deleting a key to achieve this is called cryptographic erasure. Cryptographic erasure can be beneficial when an organization wants to safely dispose of old storage devices that may hold sensitive data. But if an encryption key is deleted by accident, it may be impossible to retrieve the encrypted data without a backup key.

To minimize mismanagement, a robust encryption strategy should carefully consider every facet of the process, from the encryption method to the administration of the keys.

The benefits of data encryption


USD 237,176

Reduction in the average total cost of a breach due to extensive encryption, for respondents1


According to The Ponemon Institute’s Cost of a Data Breach Report 2022, sponsored by IBM Security™, deploying extensive encryption can be a substantial cost mitigating factor in the event of a data breach.

Figure 1. Impact of key factors on the average total cost of a data breach, measured in USD. Encryption ranks among the top 5 key cost-mitigating factors for a data breach.1


While encryption and key management alone do not provide comprehensive data security, both are important steps in securing the hybrid multicloud environment. The Cost of a Data Breach Report outlines steps that organizations in the study have taken to help reduce the financial cost and reputational consequences of a data breach. For sensitive data in cloud environments, the report suggests protecting data using policy and technology, including but not limited to the following:

  • Data classification schema and retention programs
  • Vulnerability scanning
  • Penetration testing
  • Red teaming
  • Encryption

Zero Trust and data encryption

As organizations deal with the explosion of data, which increasingly resides off premises, many security and risk leaders are looking towards a Zero Trust security model to structure their use of policy and technology. In essence, a Zero Trust framework involves creating micro-perimeters and micro-segmentation down to the individual file, folder or database level and only providing access to users with a need to know.

At the center of Zero Trust is data: who has access to it and how it is being used. Encryption fits into the Zero Trust model by protecting data and ensuring that access to it is limited to permitted users and processes. Continuous recertification of access rights and encryption key rotation are integral to a Zero Trust approach to data security.

The case for customer ownership

Technology experts encourage security and risk leaders to understand the current and future state of their data – such as whether the data is at rest, in transit or in use – in order to protect it with an appropriate encryption tool set.2 However, just as important to data protection is understanding who owns, controls and has access to those encryption tools and technologies.

As a best practice, encryption keys should not be stored with the data that those keys are protecting. In addition, the administrators managing those encryption keys should not have access rights to the encrypted data. This separation of duties can help minimize the possibility of unauthorized access to the encrypted data.

While customers may expect these principles of separation to be applied to data in the cloud, they may not be in a position to verify that it is occurring, since an audit of the CSP would be difficult to conduct.

Two scenarios for encryption ownership

Sharing or giving over control of encryption and encryption keys to CSPs may have certain benefits such as cost savings and enhanced agility. But customer-managed encryption can provide some peace of mind about the security of encrypted data.

For data stored in the cloud, the following two general positions occur for encryption ownership and control:

  1. Service provider-managed encryption: A third party, such as a CSP, encrypts data on behalf of the customer. The provider has access to sensitive data in its unencrypted form and holds the encryption keys. In some arrangements, the customer is allowed to manage the use of encryption keys, but the provider still creates the keys and has access to unencrypted data. Ultimately, the customer does not own or control the encryption or the encryption keys.
  2. Customer-managed encryption: The customer owns the encryption and the encryption keys. Requests and approvals to access data are overseen only by the customer. The customer manages the encryption key lifecycle and storage.

The first scenario exposes encrypted data and encryption keys to additional risk. By handing control of the encryption and encryption keys to a CSP, the customer makes its encrypted data susceptible to security breaches at the cloud provider.

In the event of issues with payment or any other business transaction, the CSP could prevent customers from accessing their own data. In addition, requests for data access by a government agency or other authority would be routed to the CSP for validation, rather than to the customer.

The benefits of customer ownership

Customer ownership can mitigate these exposures from service provider-managed encryption. When customers own and control the encryption and encryption keys, they can define user access permissions and enforce consistent policies across the hybrid multicloud environment. This means that third parties — such as the government — cannot access the data or keys through the CSP without working with the customer.

While data can be successfully managed in the cloud by a trustworthy provider, there will always be risk. The customer is ultimately responsible for what might happen to data itself.

Organizations whose security teams manage their own encryption should encrypt any sensitive data before storing that data in the cloud. These organizations should extend encryption technologies to the cloud where possible, such as encrypting and managing access policies to containers.

Ownership of encryption key management is necessary to close the security gap for encrypted data in the cloud: encrypted data may still be exposed when an application obtains permission to read it. Customer-managed encryption keys allow finer control over which users and applications can access the data.

Customer-managed encryption keys

When left to the CSP, encryption keys often reside in cloud key managers delivered from multitenant hardware, which may be incompatible with the customer’s security needs and compliance requirements. The next best defense may be a dedicated key management product from a reputable security vendor. Solutions with Bring Your Own Key (BYOK) or Hold Your Own Key (HYOK) capabilities allow customers to store and manage encryption keys apart from the CSP. Rather than taking a key generated by the cloud provider, BYOK lets customers generate their own key material. This keeps the CSP from ever seeing the key, as long as the customer does not upload the key to the cloud key manager.

Customers can hold onto their keys and retain physical ownership by storing the keys either with their dedicated key manager solution or in an on-premises hardware security module (HSM). This key management arrangement brings centralized control over cloud encryption keys and access policies – which can vary between CSPs – and returns control of the cloud data to the customer.

Centralized management for added data protection

Consistent and centralized management of encryption policies and encryption keys is important for data protection. As data volumes grow, the use of encryption and the number of encryption keys grow as well. More visibility into these moving pieces can help organizations confirm that only approved users have access to the data they need to keep the organization running.

A central management console that unites user access policies, encryption technologies, HSMs and self-encrypting devices and applications can provide more insight into an organization’s security posture than siloed solutions and policies. Unified data protection can ultimately help to close security gaps that would otherwise be difficult to detect.

Regarding encryption key management, organizations can simplify handling keys by pursuing a single technology provider for all their encryption key needs or minimizing the number of providers. Taking such a step can help reduce human error by centralizing and automating key management processes, which may also free IT teams to pursue higher priority tasks.

Support of interoperability protocols is a key criterion

IT and security teams often struggle to manage and integrate the proliferation of security tools, in part because of a lack of common standards. For key management, the Key Management Interoperability Protocol (KMIP) has made unified data protection easier to achieve. Established in 2007, KMIP operates under the Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit that promotes the development and adoption of open standards. The goal of KMIP is to help organizations centrally manage encryption keys across different encryption technologies.

Many interoperability protocols are in the marketplace, with Representational State Transfer (REST) emerging as another standard in demand for centralized key management. Leaders in data security, such as IBM®, have moved to support these standards, which can help customers extend and maximize the value of their existing investments. Organizations that invest in solutions supporting these protocols may be better positioned to manage keys and access policies consistently. Benefits such as operational efficiency and quicker disaster recovery can follow from such an implementation.

How to further bolster data visibility and protection

With proper encryption and encryption key management, data can be more secure and indecipherable even in the event of a breach or malware attack. A central encryption management console can provide IT and security teams with greater control over encrypted data. But how can an organization be sure that all sensitive data that should be encrypted has been identified and scheduled for encryption?

To apply encryption strategically, IT and security leaders should understand where their data exists and might migrate and how to classify sensitive data by its value and level of risk. An interactive data risk manager with complementary capabilities such as data discovery, classification, analytics and risk evaluation can provide added value to a smart data security strategy that already uses encryption and key management.

Additional visibility into all sensitive business data can help business and IT leaders to grasp which parts of the organization may be at risk and to apply mitigating actions such as encryption. An end-to-end view with visualizations of the organization’s security posture can help communicate the state of security so that business executives and data risk officers may take action where needed.

Control and own your data encryption and key management

The cloud offers many advantages, but no matter where the data is stored, the responsibility for securing it falls on the customer. When the customer owns and controls the encryption and encryption keys, an attack on or unauthorized access to the encrypted data through a third party such as a CSP can be mitigated.

A strong data protection strategy provides customers with authority over their data and is designed to permit only approved users to decrypt data for specific sanctioned purposes. This strategy is also centered on strong communication and policy enforcement across encryption solutions and key managers, so that as organizations embrace change, encryption can continue to adapt and protect.


1. The Ponemon Institute, sponsored by IBM Security, Cost of a Data Breach Report 2022, IBM, 2022.
2. Forrester Research, Inc., Use Advanced Encryption For Data Security, 12 Sep 2019.