Why you should own the key when encrypting data in the cloud

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Cloud computing services have become so easy to use that users commonly upload, view and download files and access applications anytime, anywhere, from any device. But they probably aren’t stopping to consider whether the files they're uploading should be encrypted, or even uploaded in the first place.

The responsibility to safeguard that corporate data still rests on the shoulders of IT, and as a matter of standard practice, IT should enable automatic encryption of every piece of information before it's sent to any cloud service.

Sophos recently surveyed 1,700 IT decision makers across six different countries and multiple industries to determine how, or even if, they’re using encryption. According to our "The State of Encryption Today" report, cloud data security is one area driving increased adoption of encryption. More than eight in ten companies (84%) expressed concern about the safety of data stored in the cloud. However, although 80% of respondents use the cloud for storage, only 39% encrypt all files stored in the cloud.

Why? For many of the same reasons they're not encrypting data they store locally. In fact, budget, performance concerns and lack of deployment knowledge were the top three barriers to implementing an encryption solution cited in the survey.

It appears it doesn’t matter whether data “lives” on-premises or in the cloud. Nearly one-third (30%) of organizations fail to always encrypt their own corporate financial information and 41% inconsistently encrypt files containing valuable intellectual property, despite the increasing risks of economic espionage.

Even private, highly sensitive employee data such as banking details, human resources (HR) files and personal healthcare records is frequently not encrypted:

  • 31% of the companies that store this type of data admitted that employee bank details are not always encrypted
  • 43% don’t always encrypt employee HR records
  • Nearly half (47%) of those that store employee healthcare information fail to always encrypt these records

Failure to adequately protect this information could open doors to significant financial damage and possible legal action in the event of a data breach. A company could also fall out of compliance with laws and industry regulations that require businesses to take responsibility for protecting customers' and employees' sensitive data, such as medical records, credit card numbers and other personally identifiable information.

Bring your own key

Even if a cloud service provider offers to encrypt files after they arrive on its servers, it is critical that you encrypt data before it is sent. Provider-side encryption protects against someone walking off with the provider's disks, but the provider still holds the key and will decrypt for anyone who presents valid credentials. It cannot tell whether that was the legitimate user or a thief who obtained the credentials through a phishing attack or other malware that tricked the user into handing them over.

You should adopt a policy of bringing your own key, which means the cloud provider never holds the key that encrypted the data and therefore cannot decrypt it, nor be compelled or tricked into doing so. Because the data is already ciphertext when it leaves your systems, it stays protected in transit across the network and at rest on the provider's storage, regardless of what the provider does with it. Only your users can read it, because only they hold the key. An opportunistic thief who steals a user's cloud credentials and logs in to the service sees only encrypted data; the one caveat is that the key must not itself be stored in that same cloud account, or the stolen credentials unlock both. This may sound complex and time-consuming, but the process runs automatically and transparently, with no action required from your users or the cloud service provider.

Encrypting files before sending them to the cloud service provider gives better security, but it does disable some of the provider's value-added features, for example viewing a preview of a file without downloading it and opening it in a program like Microsoft Word or Excel. Any such feature needs to read the plaintext, so if the files are encrypted you stop a thief from learning their contents, but you also stop those value-added services from inspecting the content of the file. That trade-off comes with owning the key; it is not a defect of any particular product.
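As an added example (not code from the original article or from any Sophos product), here is the bring-your-own-key arrangement described in the two paragraphs above, written in Go: the client generates a fresh data key per file, encrypts the content with AES-256-GCM, wraps the data key under a key-encryption key (KEK) that never leaves the customer, and uploads only the two ciphertexts. An in-memory map stands in for the provider's object store, the file name and content are constructed for the example, and AES-GCM envelope encryption is my choice rather than something the article specifies. Downloading with the KEK recovers the file; the provider's own view, a wrong key, or a blob copied to a different object name all yield nothing readable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the provider ever receives; the key-encryption key (KEK) stays with the customer.
type Blob struct {
	WrappedDEK []byte // per-file data key, AES-256-GCM encrypted under the KEK
	Ciphertext []byte // file content, AES-256-GCM encrypted under the data key
}

var cloud = map[string]Blob{} // stands in for the provider's object store (constructed for this example)

// seal encrypts with AES-256-GCM, prepending the random nonce. aad is authenticated but not
// encrypted; binding the object name into it makes a blob renamed or moved at the provider fail to open.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, tag or aad do not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Upload runs on the client: fresh data key per file (so each key sees exactly one nonce),
// content encrypted under it, the data key wrapped under the KEK. Only the Blob leaves the client.
func Upload(kek []byte, name string, content []byte) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	ct, err := seal(dek, content, []byte(name))
	if err != nil {
		return err
	}
	wrapped, err := seal(kek, dek, []byte("dek:"+name))
	if err != nil {
		return err
	}
	cloud[name] = Blob{WrappedDEK: wrapped, Ciphertext: ct}
	return nil
}

// Download is what a legitimate user holding the KEK does.
func Download(kek []byte, name string) ([]byte, error) {
	b, ok := cloud[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	dek, err := open(kek, b.WrappedDEK, []byte("dek:"+name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, b.Ciphertext, []byte(name))
}

// ProviderView: what the provider, its preview service, or a credential thief without the KEK sees.
func ProviderView(name string) []byte { return cloud[name].Ciphertext }

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	_ = Upload(kek, "ceo-contract.docx", []byte("constructed sample: salary 250000"))
	fmt.Printf("provider sees %d opaque bytes\n", len(ProviderView("ceo-contract.docx")))
	pt, err := Download(kek, "ceo-contract.docx")
	fmt.Printf("owner reads %q, err=%v\n", pt, err)
	_, err = Download(make([]byte, 32), "ceo-contract.docx")
	fmt.Println("wrong key:", err)
}
```

ProviderView is also why previews stop working: the provider's preview service holds exactly the opaque bytes a credential thief would get. The whole scheme rests on the KEK living somewhere the cloud login does not reach, such as an endpoint key store or an on-premises key server; keeping it in the same cloud account hands both the data and the key to whoever phishes the password.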

Educate your users

You should still regularly educate your users on how to determine when it’s appropriate or not to upload a file to the cloud. After all, you don't want someone looking for photo headshots of executives for a marketing presentation to stumble across and accidentally (or intentionally) open those executives’ employment contracts.

No single encryption setting fits all data. User education should also include training on how to set permissions so that sensitive information is accessible only to appropriate personnel, both inside and outside the company.

A cloud-based management console that lets IT view real-time information on all devices connected to the network, including which data goes to which cloud services, provides a comprehensive picture of how information moves across the network.

But, let me be clear, establishing this level of visibility does not require your encryption technologies to include a back door.

Why backdoors don’t work

Cryptography is based on trust, and violating that trust undermines the effectiveness of encryption technology. Users will not want to store information in either on-premises or cloud applications that they discover include a backdoor. Instead, they will turn to other applications, often without IT's knowledge or permission. Backdoors in encryption undermine freedom of speech and the freedom to conduct our affairs without interference or fear.

Realize that backdoors are open to anyone who finds them, not just authorized IT personnel. Malicious insiders, foreign spies and criminal hackers could wreak havoc if they discover a backdoor, so a backdoor undermines the encryption's effectiveness by introducing an enormous risk of security vulnerabilities. Nor would backdoors in reputable commercial software prevent bad actors from finding alternative forms of encryption to hide their activities and communications.

In summary, the most effective course of action is to partner with a vendor or your solutions provider to ensure the encryption technology you implement actually does what it promises "on the box."

Take responsibility for encrypting all data before you move it into a cloud service such as Box or Salesforce, and bring your own key so the service providers cannot access files without first receiving permission from your users.

In today's connected society, where organizations are increasingly migrating applications and information stores from on-premises to the cloud, we will never be secure against cyberattacks without strong encryption. Today's cyberattacks are becoming more complex, with advanced attackers using multiple points of entry to get around security software. Encryption is the last line of defense in a cybersecurity strategy that requires multiple layers of protection.


Copyright © 2016 IDG Communications, Inc.