If you've been following the news lately, you've heard the buzz about the NSA's PRISM data surveillance programs. Cloud service providers, or CSPs, such as Amazon, Microsoft and Google allegedly installed equipment to capture data, in some cases even bypassing their own encryption.
If your organization leverages the public cloud, which is very likely, you need a basic understanding of how encryption works and, more specifically, of key management. Security technology and processes don't work the same way once you have entrusted your data to another company's network.
With encryption, legible data is converted into ciphertext, which is just a bunch of meaningless characters. Encryption relies on a 'key': whoever holds it can decrypt, or 'unlock', the data, so the key is what restricts access to authorized people or applications. Keeping track of these keys is one of the biggest challenges organizations face when implementing encryption, but it may also be one of the most important elements.
Now consider this challenge when your data is hosted by a cloud service provider. Encryption best practices (along with many regulations, such as the Payment Card Industry Data Security Standard) dictate that encryption keys be stored separately from the data they encrypt.
If your CSP assures you that your data is safe because they encrypt it, don't stop there. Ask them how the keys are being managed: Who has access? How many keys are used? Is the key that encrypts your data the same one used to encrypt other companies' data? Where are the keys stored?
Any encryption your CSP offers may not give you the level of protection you expect or need. In most cases, CSPs won't notify you if and when your data is accessed.
If you are concerned about data privacy yet want the cost savings and elasticity a public cloud offers, look for an encryption system that lets you manage and control the keys yourself. If you control the keys, you determine who is given permission to access your data directly.
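The two points above, keys stored apart from the data and keys controlled by the customer, in working form. This is an added example, not code from the column or from any provider: envelope encryption in Go, where a per-object data-encryption key (DEK) protects the data, a key-encryption key (KEK) that stays in the customer's own key store wraps the DEK, and the CSP holds only the envelope. The names (Envelope, Encrypt, Decrypt, seal, open) and the choice of AES-256-GCM are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is all the CSP ever stores: data under a per-object DEK, and that DEK wrapped under the customer's KEK.
type Envelope struct{ Ciphertext, WrappedDEK []byte } // each is nonce||ciphertext||tag

// seal encrypts plaintext with AES-256-GCM under key using a fresh random nonce.
func seal(key *[32]byte, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)      // nor can GCM over an AES block
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a broken CSPRNG is not something to continue from
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the key is wrong or the blob was altered.
func open(key *[32]byte, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("blob too short")
}

// Encrypt: a fresh DEK encrypts the data, the customer-held KEK wraps the DEK, and only the envelope goes to the CSP.
func Encrypt(kek *[32]byte, plaintext []byte) Envelope {
	var dek [32]byte
	if _, err := rand.Read(dek[:]); err != nil {
		panic(err)
	}
	return Envelope{Ciphertext: seal(&dek, plaintext), WrappedDEK: seal(kek, dek[:])}
}

// Decrypt unwraps the DEK with the KEK, then the data with the DEK; holding only the envelope is not enough.
func Decrypt(kek *[32]byte, env Envelope) ([]byte, error) {
	raw, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, err // wrong or rotated-away KEK, or a tampered envelope
	}
	return open((*[32]byte)(raw), env.Ciphertext) // Go 1.17+; a valid unwrap is exactly 32 bytes
}
```

Rotating or destroying the KEK in the customer's key store makes every stored envelope unreadable to anyone holding only the CSP-side copy, which is the control the column asks for.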
Your organization's data has become your most important asset, as well as your organization's responsibility. Who has access to it needs to be under your control and not something that can be granted or denied by a cloud service provider.
Published on: USAtoday