Cloud Data Security: Who Should Hold the Keys?

Nearly half (48%) of all corporate data is stored in the cloud according to the 2019 Thales Global Cloud Security Study conducted by the Ponemon Institute. Organizations admitted that on average, only about half (49%) of the data stored in the cloud is secured with encryption and only one-third (32%) believe protecting data in the cloud is their responsibility.

The reality is the cloud has created challenges in knowing where data is stored, who has access to it, and how best to secure it. A major catalyst for addressing these challenges is the wave of new government regulations and compliance mandates, which will make securing multi-cloud strategies more complex.

The question becomes “Who is responsible for cloud security, the cloud provider or organizations consuming cloud services?” According to the shared security model, the answer is both. Both cloud providers and enterprises are accountable and responsible for maintaining security.

Encrypting data in the cloud

For enterprises that elect to use encryption to protect their data, securing their encryption keys is of paramount importance. Enterprises want to leverage all of the advantages the cloud has to offer, but some of the benefits come at a price. In return for flexibility, scalability and automation, ownership of the encryption keys is often handed to the cloud service provider, which takes control out of the organization’s hands and increases compliance complexity.

When it comes to encryption keys, it is all about control. By default, the cloud provider generates the encryption keys on behalf of customers and manages the lifecycle of the keys. For many organizations that are hosting sensitive data in the cloud, this lack of sole control and ownership over encryption keys does not meet their compliance or internal security requirements. Instead, these organizations want full control over how and when encryption keys are used to protect and access encrypted data.


Bring Your Own Key (BYOK) allows enterprises to encrypt their data and retain control and management of their encryption keys. However, some BYOK plans upload the encryption keys to the cloud service provider infrastructure. In these cases, the enterprise has once again forfeited control of its keys.

Whereas BYOK allows you to host your key inside the cloud provider, Hold Your Own Key (HYOK) allows the enterprise to retain physical ownership and logical control of its customer-managed encryption keys.

Enter Google Cloud’s External Key Manager

Last month, Google unveiled the alpha version of Cloud External Key Manager (Cloud EKM) and today the company is announcing it is now available in beta.

Cloud EKM enables organizations to leverage Google cloud services, and comply with complex regulations and policies by not giving up ownership and control of encryption keys. This allows organizations to connect their own key management system with Google Cloud’s Key Management system (KMS), and confidently secure their workloads.

Thales is working with Google to provide this capability. The integration between Google Cloud’s KMS and Thales will enable organizations to store encryption keys in their on-premises, colocation, or cloud-based FIPS 140-2 Level 3 HSMs, as opposed to storing keying material in the Google Cloud Platform or a software-only KMS. As a result, access to internal and highly sensitive data associated with Google Cloud Platform services such as Google Compute Engine or BigQuery is now under the customer’s control.

Furthermore, when a service like BigQuery wishes to decrypt data for a query job, it will request that the data encryption key (DEK) that is used to protect the data in Google’s infrastructure be decrypted with a key service that will manage a key encryption key (KEK).
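The DEK/KEK split described above, and the HYOK point that the cloud side never holds the key encryption key, as an added example that is not code from the article, Thales or Google: `ExternalKeyManager` is a hypothetical stand-in for the customer's key service, and a constructed HMAC-SHA256 encrypt-then-MAC scheme stands in for AES-GCM so the script runs with the standard library alone.

```python
import hashlib, hmac, os

# Stdlib stand-in for an AEAD such as AES-GCM (constructed for this example, not
# production code): HMAC-SHA256 in counter mode supplies the keystream, and a
# second HMAC over nonce||ciphertext is the authentication tag (encrypt-then-MAC).
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class ExternalKeyManager:
    """Hypothetical customer-held key service: the KEK is generated here and never
    leaves; the cloud side only ever receives DEKs wrapped under that KEK."""
    def __init__(self) -> None:
        self._kek = os.urandom(32)
        self.allowed = True  # customer policy switch; False revokes the cloud's access
    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)
    def unwrap(self, wrapped_dek: bytes) -> bytes:
        if not self.allowed:
            raise PermissionError("EKM: unwrap denied by customer policy")
        return open_sealed(self._kek, wrapped_dek)

def encrypt_record(ekm: ExternalKeyManager, plaintext: bytes):
    """Cloud side: a fresh DEK per record, encrypt, then keep only the wrapped DEK."""
    dek = os.urandom(32)
    return ekm.wrap(dek), seal(dek, plaintext)

def decrypt_record(ekm: ExternalKeyManager, wrapped_dek: bytes, ciphertext: bytes) -> bytes:
    """Query path: every read depends on the EKM agreeing to unwrap the DEK."""
    return open_sealed(ekm.unwrap(wrapped_dek), ciphertext)
```

Flipping `allowed` to False models the customer withdrawing the KEK: the ciphertext and wrapped DEK still sit in the cloud, but no query can recover the plaintext.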

Data security and the cloud: 3 things your team needs to know

Increasingly, companies are moving their data and processing to cloud services. It’s easy for this out-of-sight data to be out of mind when it comes to security, but if anything, it should be top of mind because it’s even more exposed than on-premises data. With regulators issuing record fines for privacy violations, developers need to make sure they secure their data in the cloud.

Fines for privacy violations will only increase in 2020. In 2019, after one year of General Data Protection Regulation (GDPR) enforcement in the European Union, there were over 59,000 personal data breach notifications across Europe, along with 91 reported fines. France’s National Data Protection Commission fined Google $57 million for improper processing of personal data for advertising purposes. With more violations occurring with respect to data stored in the cloud, data owners, developers, and CISOs need to focus on cloud data security.

In July, the Information Commissioner’s Office of the United Kingdom announced that a large European airline would be fined 1.5% of its 2017 revenue, or $230 million, for allowing attackers to modify its website, scraping personal and financial details using a malicious JavaScript component.

“While we can never know how much reach the attackers had on the airline’s servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” stated a RiskQ analysis of the issue.

Such data breach fines are only increasing. The EU’s GDPR allows fines of up to 4% of revenue per violation. Under the California Consumer Privacy Act (CCPA), companies that fail to protect their users’ data can be fined up to $2,500 per violation, and $7,500 per willful violation, per individual whose data was breached. And fines under the Payment Card Industry Data Security Standard (PCI DSS) will likely rise as well.

Traditionally, having data stored locally meant attackers had to compromise the corporate network before gaining access. While the past reminds us that this has occurred all too often, at least that network was under local control and monitoring. Services on demand allow attackers to access sensitive data if they can bypass cloud access security—which is typically under the control of the cloud provider, and opaque to the enterprise.