Cloud Data Security: Who Should Hold the Keys?

Nearly half (48%) of all corporate data is stored in the cloud according to the 2019 Thales Global Cloud Security Study conducted by the Ponemon Institute. Organizations admitted that on average, only about half (49%) of the data stored in the cloud is secured with encryption and only one-third (32%) believe protecting data in the cloud is their responsibility.

The reality is that the cloud has created challenges in knowing where data is stored, who has access to it, and how best to secure it. A major catalyst for addressing the challenges of cloud security is the arrival of new government regulations and compliance mandates, which will make securing multi-cloud strategies more complex.

The question becomes “Who is responsible for cloud security, the cloud provider or organizations consuming cloud services?” According to the shared security model, the answer is both. Both cloud providers and enterprises are accountable and responsible for maintaining security.

Encrypting data in the cloud

For enterprises that elect to use encryption to protect their data, securing their encryption keys is of paramount importance. Enterprises want to leverage all of the advantages the cloud has to offer, but some of the benefits come at a price. In return for flexibility, scalability and automation, encryption key ownership is often given up to the cloud service provider, which takes control out of the organization’s hands and increases compliance complexity.

When it comes to encryption keys, it is all about control. By default, the cloud provider generates the encryption keys on behalf of customers and manages the lifecycle of the keys. For many organizations that are hosting sensitive data in the cloud, this lack of sole control and ownership over encryption keys does not meet their compliance or internal security requirements. Instead, these organizations want full control over how and when encryption keys are used to protect and access encrypted data.


Bring Your Own Key (BYOK) allows enterprises to encrypt their data and retain control and management of their encryption keys. However, some BYOK plans upload the encryption keys to the cloud service provider infrastructure. In these cases, the enterprise has once again forfeited control of its keys.

Whereas BYOK allows you to host your key inside the cloud provider, Hold Your Own Key (HYOK) allows the enterprise to retain physical ownership and logical control of customer-managed encryption keys.

Enter Google Cloud’s External Key Manager

Last month, Google unveiled the alpha version of Cloud External Key Manager (Cloud EKM) and today the company is announcing it is now available in beta.

Cloud EKM enables organizations to leverage Google Cloud services and comply with complex regulations and policies without giving up ownership and control of encryption keys. It allows organizations to connect their own key management system with Google Cloud’s Key Management system (KMS) and confidently secure their workloads.

Thales is working with Google to provide this capability. The integration between Google Cloud’s KMS and Thales will enable organizations to store encryption keys in their on-premises, colo, or cloud-based FIPS 140-2 level 3 HSMs as opposed to storing keying material in the Google Cloud Platform or a software-only KMS. As a result, access to internal and highly sensitive data associated with Google Cloud Platform services such as Google Compute Engine or BigQuery is now under the customer’s control.

Furthermore, when a service like BigQuery wishes to decrypt data for a query job, it will request that the data encryption key (DEK) that is used to protect the data in Google’s infrastructure be decrypted with a key service that will manage a key encryption key (KEK).
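The DEK/KEK flow described above, as an added Python sketch that is not code from Google, Thales or the original article: the cloud side keeps only ciphertext and a wrapped DEK, so every read depends on the externally held KEK. The class and function names are hypothetical, and the HMAC-SHA256 encrypt-then-MAC routine is a standard-library stand-in for the AES-based wrapping an HSM would perform.

```python
import hashlib
import hmac
import secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream."""
    stream = b"".join(_prf(key, b"enc" + nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag (stand-in cipher)."""
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + _prf(key, b"mac" + nonce + ct)

def open_(key, blob):
    """Verify the tag first, then decrypt; fails on a wrong key or altered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac" + nonce + ct)):
        raise ValueError("wrong key or tampered data")
    return _xor(key, nonce, ct)

class ExternalKeyManager:
    """Hypothetical customer-held key service: the KEK is created here and stays here."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self.allowed = True  # customer-side policy switch (assumption for this sketch)

    def wrap(self, dek):
        return seal(self._kek, dek)

    def unwrap(self, wrapped_dek):
        if not self.allowed:
            raise PermissionError("external key manager denied unwrap")
        return open_(self._kek, wrapped_dek)

def cloud_store(ekm, plaintext):
    """Cloud side: encrypt under a fresh DEK and keep only the wrapped DEK."""
    dek = secrets.token_bytes(32)
    return {"wrapped_dek": ekm.wrap(dek), "data": seal(dek, plaintext)}

def cloud_read(ekm, record):
    """Cloud side: each read must ask the external manager to unwrap the DEK."""
    return open_(ekm.unwrap(record["wrapped_dek"]), record["data"])
```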

Data backup has never been more important

Backup redundancy and disaster recovery

5 SaaS trends for 2020

Customer demands are forcing vendors to interoperate, creating hubs for multichannel experiences.

The cloud and software as a service transformed desktop workloads.

Organizations still have SaaS reservations, including governance and security concerns, but most businesses are SaaS-happy.

Microsoft owns the largest portion of the SaaS market, followed by Salesforce, Adobe, SAP and Oracle, according to Synergy Research Group’s Q1 2019 report.

While vendors are distinguished in the space, areas of expertise vary. Microsoft’s presence is felt across SaaS segments, but Oracle leads ERP, Workday owns HR and Salesforce is holding tight to CRM.

With each company fighting for a place in the SaaS domain, meeting customers’ needs and helping businesses achieve a sense of flexibility is an area for vendors to create differentiation.

SaaS trends to watch in 2020:

1. Low-code platforms will open the door to faster iteration

Adoption of low-code platforms — when done right — can enable quick tech iteration by providing business stakeholders tools to streamline workflows.

Developers, too, have embraced the technology. Half of developers say they’ve either adopted or plan future adoption of low-code tools, according to Forrester. In 2020, low-code platforms will become available to more workers inside the organization, as business leaders search for ways to power innovation.

Though a number of small- to mid-size players have a strong position in the market, larger vendors such as Microsoft and Salesforce will leverage existing relationships to expand use of their low-code platforms.

“With the increasing need to bridge silos, developing enterprise applications with faster release cycles will result in the increasing adoption of low-code platforms,” said Vijay Pullur, CEO of low-code platform WaveMaker, in an email to CIO Dive.

2. Communication is consolidating

Bundled cloud-based services pushed companies toward a holistic solution. Companies have landed on G Suite and Office 365 as a hub for all workloads. Communication is bleeding into a limited SaaS ecosystem.

In the last five to 10 years, companies have been looking for tools that meet them where they are.

Employees want tech to come to them, instead of having to reach for a digital asset or leave a platform to go collaborate, Jean-Marc Chanoine, global head of Strategic Accounts at Templafy, told CIO Dive.

The communication and collaboration market is shrinking. There used to be 35 to 40 vendors, according to Art Schoeller, VP, principal analyst for Forrester, but it has shrunk to mostly heavyweights including Teams, Slack, Atlassian, Google, Dropbox and Smartsheet.

There are about five more years until the market plateaus, according to Gartner. Acquisitions are helping vendors squeeze in as many customers as they can before the plateau.

Legacy providers are breaking the confines of voice-only or message-only communications, which is what Cisco did when it acquired Jabber. RingCentral’s acquisition of Glip and ServiceMax’s acquisition of Zinc are carving a niche market to appeal to specific industries, like frontline employees, leaving the heavyweights to compete for enterprise customers.

If acquisitions aren’t feasible, APIs will become more valuable for cementing integrations.

Pure-play communication vendors have to create a solution that “plays well with the winners that are already there,” said Chanoine. “You’re going to end up with a lot of frenemies.”

3. Software developers will move more closely to line of business

Digital transformation won’t bring minor tweaks to how businesses operate. Instead, it will represent fundamental changes to what businesses do.

In order to bring about a smooth transition, most companies will need technical know-how at virtually all parts of the company. As outlined by Forrester in its 2020 predictions for software development, a “dev diaspora” will embed more technologists inside company divisions.

“Business stakeholders outside the IT org feel the increasing need to ramp up their own software capabilities and not rely on IT organizations or outsourcing,” said Chris Mines, SVP and research director at Forrester, in an interview with CIO Dive.

Providing business units with technical resources will increase the need for tech talent. One way companies will attempt to meet those needs is to embrace a larger share of workers from non-technical backgrounds, offering access to reskilling programs “as part of their onboarding process,” said Nancy Hornberger, EVP of healthcare at ElectrifAi, in an interview with CIO Dive.

Currently, less than 10% of rank-and-file staffers are involved with digital transformation efforts. That number is set to increase as digital transformation touches more sides of the business.