Security has become a top priority for organizations of late. It is not surprising given the recent string of startling revelations about NSA surveillance, enterprise data breaches of major companies like Sony and the increased media spotlight on security/privacy concerns.
The majority of business enterprises are shifting over to cloud technology, but there are several issues that still need to be resolved. The NSA leaks have shown that even major cloud vendors can be forced to hand over data on their clients, or can have their databases secretly hacked into, leaving no recourse for affected customers. Many cloud vendors have started encrypting their suite of services, but that does not ensure immunity of data from government seizures (although it can prevent damage by criminals, hackers etc.).
To alleviate customer concerns about data access and ownership, companies like Microsoft and Amazon offer Bring Your Own Key or BYOK computing. It means that the organization will have to provide the encryption keys for data that is stored on the vendor’s cloud. It ensures that even the vendor’s own employees have no access to the unencrypted data and the company cannot be forced to hand over keys that it does not have, thus protecting it from governments as well.
BYOK may be the solution that many organizations are looking for – especially financial services companies or others that store sensitive/confidential data. While encryption prevents unauthorized access, BYOK provides additional peace of mind that even government agencies (American or otherwise) cannot access company data without a valid warrant.
But bringing your own keys is not as easy as it sounds in theory. For one thing, it negates much of the convenience of shifting to the cloud, since the organization has to set up and manage the infrastructure for creating and securely storing keys. It is an expensive and time-consuming process for which the organization has to assume complete responsibility.
Secure key management infrastructure is not just a matter of encrypting data, controlling access and creating/managing security keys. Essentially the organization has to act like a bank and even monitor daily activities or travel plans of executives who are in charge of (or otherwise have access to) the keys. For instance, if two or three executives have authorization to access the keys, the company should ensure that they never travel together in case of accidents etc.
This is because the vendor does not have access to these keys in any shape or form whatsoever. So if the keys are stolen, lost or otherwise compromised, the organization will lose all access to its own data. There have been instances where companies have lost enterprise keys to hackers and then had to pay millions of dollars to get them back. That level of security and key management is beyond the scope of most organizations, and even larger companies may prefer to let the cloud vendor manage the keys instead of bringing their own.
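The arrangement described above, as an added example that is not from the original article or from any vendor's BYOK API: the customer generates and keeps the key, the vendor stores only ciphertext, and a lost key leaves the data unreadable. It assumes the third-party Python `cryptography` package; `vendor_store`, the object name and the sample record are constructed for illustration.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed stand-in for the vendor's storage: it only ever receives ciphertext.
vendor_store = {}

def upload(customer_key: bytes, name: str, plaintext: bytes) -> None:
    """Encrypt on the customer side, then hand the vendor nonce + ciphertext."""
    nonce = os.urandom(12)  # must be unique for every encryption under one key
    # The object name is bound as associated data so stored blobs cannot be swapped.
    blob = AESGCM(customer_key).encrypt(nonce, plaintext, name.encode())
    vendor_store[name] = nonce + blob

def download(customer_key: bytes, name: str) -> bytes:
    """Fetch the blob and decrypt it; raises InvalidTag if the key is wrong."""
    stored = vendor_store[name]
    nonce, blob = stored[:12], stored[12:]
    return AESGCM(customer_key).decrypt(nonce, blob, name.encode())

def recoverable(candidate_key: bytes, name: str) -> bool:
    """True only if candidate_key is the key the object was encrypted with."""
    try:
        download(candidate_key, name)
        return True
    except InvalidTag:
        return False

def demo() -> dict:
    key = AESGCM.generate_key(bit_length=256)  # generated and held by the customer
    record = b"acct=0001;balance=1250.00"      # constructed sample record
    upload(key, "ledger/0001", record)
    # A freshly generated key models the original key having been lost.
    replacement = AESGCM.generate_key(bit_length=256)
    return {
        "vendor_sees_plaintext": record in vendor_store["ledger/0001"],
        "owner_can_read": download(key, "ledger/0001") == record,
        "readable_after_key_loss": recoverable(replacement, "ledger/0001"),
    }

if __name__ == "__main__":
    print(demo())
```
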
As always, it is up to the organization to decide how far it is willing to go in pursuit of security and, even more importantly, whether it has the capabilities to implement it itself.