More sensitive data in the cloud
Organizations are putting more sensitive data in the cloud. According to the 2020 Global Encryption Trends Study, conducted by the Ponemon Institute and sponsored by Entrust Security and Entrust Datacard, fifty-eight percent of the 6,457 respondents, drawn from multiple industry sectors in 17 countries, say their organizations transfer sensitive or confidential data to the cloud, whether or not that data is encrypted. Another 25 percent of respondents expect to do so in the next one to two years.
The study also asked how organizations protect data at rest in the cloud. Forty-five percent of respondents who encrypt their data say the encryption is performed on premises, before the data is sent to the cloud, using keys their organization generates and manages. However, 36 percent of respondents perform the encryption in the cloud, using keys that the cloud provider generates and manages. Twenty percent of respondents use some form of bring your own key (BYOK) approach.
For those of us in the digital security industry, there are two problems here:
- The apparent share of respondents storing sensitive data in the cloud without protecting it at all
- The 36 percent of respondents relying on “cloud provider generated/managed keys”, so that the provider, not the data owner, controls the keys
The risk of not protecting at all
Those storing sensitive data in the cloud without protecting it, by encryption or by otherwise rendering it unreadable, are exposed in several ways. They are out of compliance with numerous government regulations and industry directives, including the EU’s General Data Protection Regulation (GDPR); the U.S. GLBA, HIPAA, and FedRAMP; the Monetary Authority of Singapore guidance; PCI DSS; and many more. Perhaps more important, when their data is breached, and the probability is that it will be, data breach disclosure laws will force them to notify those whose data has been stolen; many of those laws exempt data that was encrypted with keys the attacker did not obtain, so encryption under keys you control also limits notification exposure. A reportable breach, in turn, can mean lost trust from stakeholders, fines, legal costs, and falling revenue and share prices. These organizations need to protect themselves by encrypting their sensitive data and protecting their keys.
The risk of using “cloud provider generated/managed keys”
A basic principle of any kind of security is that once something is locked, the more control you have over the key to the lock, the more control you have over whatever the lock protects. If your cloud provider generates and holds your keys, then anyone who can use the provider’s key service can decrypt your data: the provider’s own staff, an attacker who compromises the provider or your cloud account, or a party that can legally compel the provider. You have added a second organization, and its entire attack surface, to your threat model. This is why it is best practice to manage your own keys in hardware security modules (HSMs) that you control.
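To make the difference concrete, here is an added example of the “encrypt on premises with keys you control” pattern from the survey above. It is written for this page, not Entrust code, and uses no nShield or Security World API. It is envelope encryption: each object is encrypted under its own data-encryption key (DEK), and a hypothetical in-memory KeyHolder stands in for the HSM, holding the key-encryption key (KEK) and exposing only wrap and unwrap operations. Only ciphertext and the wrapped DEK leave the premises. All type and function names are assumptions; in a real deployment WrapDEK and UnwrapDEK would be calls into the HSM and the KEK would never exist in host memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyHolder stands in for the HSM boundary (illustrative only, not an nShield API):
// the KEK is generated inside and never returned; callers can only wrap/unwrap DEKs.
type KeyHolder struct{ kek []byte }

func NewKeyHolder() (*KeyHolder, error) {
	kek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	return &KeyHolder{kek: kek}, nil
}

// The object ID is bound as associated data, so a wrapped DEK cannot be moved to another object.
func (h *KeyHolder) WrapDEK(dek []byte, id string) ([]byte, error) { return sealGCM(h.kek, dek, []byte(id)) }

func (h *KeyHolder) UnwrapDEK(w []byte, id string) ([]byte, error) { return openGCM(h.kek, w, []byte(id)) }

// CloudObject is everything that leaves the premises; none of it is usable
// without the holder that owns the KEK.
type CloudObject struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// EncryptForCloud: a fresh DEK encrypts the object, then the holder wraps the DEK.
func EncryptForCloud(h *KeyHolder, id string, plaintext []byte) (CloudObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return CloudObject{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(id))
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := h.WrapDEK(dek, id)
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptFromCloud unwraps the DEK through the holder, then decrypts the object.
func DecryptFromCloud(h *KeyHolder, obj CloudObject) ([]byte, error) {
	dek, err := h.UnwrapDEK(obj.WrappedDEK, obj.ID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", obj.ID, err)
	}
	return openGCM(dek, obj.Ciphertext, []byte(obj.ID))
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM: AES-256-GCM with a fresh random nonce prepended to the output.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM rejects blobs too short to hold a nonce instead of panicking on the slice.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

func main() {
	h, _ := NewKeyHolder()
	obj, _ := EncryptForCloud(h, "customers/2020-q1.csv", []byte("ssn,name\n123-45-6789,Alice\n")) // constructed sample
	pt, err := DecryptFromCloud(h, obj)
	fmt.Printf("uploaded %d bytes; decrypted %q (err=%v)\n", len(obj.Ciphertext)+len(obj.WrappedDEK), pt, err)
}
```

A party that holds a copy of the cloud object but not the KeyHolder, which is the provider’s position in this model, gets an authentication failure from UnwrapDEK rather than plaintext. Binding the object ID as associated data also stops a wrapped DEK from being transplanted onto a different object. What the toy cannot show is the part an HSM adds on top: the KEK is generated and used inside tamper-resistant hardware and is never present in host memory, and the HSM enforces which clients may call unwrap.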
Hardware security modules
As most of you know, HSMs are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing the keys used to encrypt and decrypt data and to create digital signatures and certificates. Keys are generated and used inside the device and are not exported in the clear, so compromising the host that talks to the HSM does not by itself yield the keys. HSMs are tested, validated and certified against recognized security standards, including FIPS 140-2 and Common Criteria. Think of HSMs as safes for your keys.
But if an HSM is a hardware device, how can you use it in the cloud?
nShield as a Service
nShield as a Service uses nShield HSMs to generate, access and protect cryptographic key material separately from sensitive data. All nShield HSMs are managed through Entrust’s unique Security World key management architecture that spans cloud-based and on premises HSMs. This lets customers efficiently scale HSM operations while retaining control of their key material, even if they change their cloud service provider.
Organizations can use nShield as a Service to supplement or replace on premises HSMs, while keeping the benefits of HSM ownership. The subscription model lets enterprises budget predictably, manage capacity, reduce data center footprint, and decrease time spent on routine maintenance and monitoring.
And, unfortunately, in these days of the COVID-19 pandemic, it’s unrealistic to travel to your own data centers to set up HSMs. Using nShield as a Service, you can set them up remotely at one of our data centers in the U.S. or the U.K.
Entrust is independent of the big cloud service providers, and we’ve provided roots of trust through our HSMs for over twenty years. Now, we can provide that same root of trust through nShield as a Service.