Whether driven by regulatory compliance or corporate mandates, sensitive data in the cloud needs protection along with access control. This usually involves encrypting data in transit as well as data at rest in some way, shape or form, and then managing the encryption keys to access the data. The new conundrum for enterprises lies in encryption key management for data in the cloud.
When considering a Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS) offerings, protection for data-at-rest typically rests in the hands of the cloud service provider. Digging into the the terms of service or master subscription agreement reveals the security commitments of the SaaS/PaaS provider. For example, Salesforce.com’s Master Subscription Agreement indicates “We shall maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data.” For Infrastructure-as-a-Service (IaaS), the security burden typically falls primarily on the cloud consumer to ensure protection of their data. Encryption is a core requirement for protecting and controlling access to data-at-rest in the cloud, but the issue of who should control the encryption keys poses new questions in this context.
When weighing where to maintain encryption keys, enterprises should consider several issues, including security of the key management infrastructure (a compromised key can mean compromised data), separation of duties (for example, imposing access controls so administrators can backup files but not view sensitive data), availability (if a key is lost, data is cryptographically shredded), and legal issues (if keys are in the cloud, law enforcement could request and obtain encrypted data along with the keys without the enterprise’s consent).
To Continue Reading: Click Here
By: Todd Thiemann