Thanks to cloud computing, organisations of all shapes and sizes have benefited from the flexibility of IT capacity without the cost and challenges of maintaining their own infrastructure. Hyperscale public cloud providers and SaaS tools to help with a vast array of business processes have been a particular boon for small and fast-growing organizations, helping them spin up the kind of resource that just a few decades ago would have taken many months and significant financial cost to build and maintain themselves.
Forget about 'set and forget'
Using cloud computing effectively and safely, however, requires care. One of the big draws of cloud services is the ability to scale resources up and down as needed. Maybe there's a project starting for a few months that will require some data processing and analysis, or there are seasonal demands for services which need additional resource. The cloud allows businesses to meet these needs without having to pay to keep that spare capacity around. But the benefits of only paying for what's needed are only possible if the business keeps on top of where their data is stored, and in what tier – rather than falling into the trap of setting and forgetting.
The same applies to securing this data. Under most public cloud provider contracts there is a joint responsibility between the cloud provider and the customer for the security and availability of the stored data. This can vary widely depending on the type of service that has been procured, so it is important for all organizations to think carefully about what is best stored where, and at what level of security.
In practice this is easier said than done. Not every organisation has the technical knowledge in place to keep on top of configuring and managing their cloud services – no matter how critical they might be to keeping the organisation running. Others may think they have security through obscurity, being just one of many millions of public cloud customers – or trust they've not experienced an attack yet.
Organizations may also be unclear on the details of the contracts they've signed – they are still legally responsible for the security of their own data, wherever it's stored. Public cloud providers may act to quarantine affected encryption keys if a breach is discovered, but if public cloud credentials are compromised and data is held for ransom, there ' Providers are legally responsible for.
The risks of poorly managed encryption keys
Recent attacks on cloud storage installations underscore the importance of getting this right. One cyber crime group dubbed 'Codefinger', for example, have attacked at least two victims by stealing AWS customer account credentials and using the built-in encryption to lock down their data. This is made possible by the fact that many companies aren't regularly monitoring and auditing the encryption keys they have in place, revoking permissions for those which are no longer needed.
There are also duplication and visibility challenges, with over half (53%) of organizations still having five or more key management systems in place, according to the 2024 Thales Data Threat Report. Encryption key management needs to be taken as seriously as all the other cybersecurity measures an organization has in place.
Separation of duties
Luckily, effective practices around the generation, storage and use of encryption keys have been clearly defined for some time. The strength of the keys chosen, for example, needs to align with the sensitivity of the data. Some applications may benefit from the use of RSA key pairs, so that third parties can authenticate with a public key, while the data remains encrypted with a private key.
Maintaining a separation of duties is also advisable, so that those creating and managing the keys do not also have access to the protected data. Dividing responsibilities in this way reduces the risk of a successful attack via social engineering or credential compromise, which would give threat actors full administrative access.
Tracking and coordinating the use of encryption keys is also easier if they are stored in a secure vault with specific permissions, or if a hardware security module (HSM) is used to store the keys. It's a good idea to limit the amount of data that can be encrypted with a single key, as well as to mandate a crypto period for every key – so that newly encrypted data can only be accessed with the new key version.
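As an added illustration (not part of the original article, and not Thales code), the practices above can be run as an automated check over a key inventory: crypto period, data volume per key, separation of duties, and permissions that are no longer used. The inventory fields, principal names and policy thresholds are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy thresholds are assumptions for this example, not figures from the article.
MAX_CRYPTO_PERIOD = timedelta(days=365)   # maximum age of a key version
MAX_BYTES_PER_KEY = 2**40                 # 1 TiB protected per key version
MAX_GRANT_IDLE = timedelta(days=90)       # unused permissions older than this are revoked

@dataclass
class Key:
    key_id: str
    created: date            # creation date of the current key version
    bytes_encrypted: int     # data volume protected by this key version
    admins: set              # principals who create and manage the key
    data_readers: set        # principals who can read the protected data
    grants_last_used: dict = field(default_factory=dict)  # principal -> last use

def audit_key(key, today):
    """Return the list of policy findings for one key."""
    findings = []
    if today - key.created > MAX_CRYPTO_PERIOD:
        findings.append("crypto period exceeded: rotate key version")
    if key.bytes_encrypted > MAX_BYTES_PER_KEY:
        findings.append("data volume limit exceeded: rotate key version")
    # Separation of duties: nobody should both manage the key and read the data.
    for principal in sorted(key.admins & key.data_readers):
        findings.append(f"separation of duties: {principal} manages key and reads data")
    for principal, last_used in sorted(key.grants_last_used.items()):
        if today - last_used > MAX_GRANT_IDLE:
            findings.append(f"stale grant: revoke {principal} (unused since {last_used})")
    return findings

def audit_inventory(keys, today):
    """Map key_id -> findings, omitting keys that pass every check."""
    report = {k.key_id: audit_key(k, today) for k in keys}
    return {key_id: f for key_id, f in report.items() if f}

# Constructed sample inventory (hypothetical keys and principals).
SAMPLE = [
    Key("billing-db", date(2023, 1, 10), 3 * 2**40, {"kms-admin"}, {"billing-svc"},
        {"billing-svc": date(2025, 1, 2)}),
    Key("hr-archive", date(2024, 11, 1), 2**30, {"kms-admin", "ops-lead"},
        {"ops-lead", "hr-svc"},
        {"hr-svc": date(2025, 1, 5), "contractor-7": date(2024, 6, 1)}),
    Key("web-sessions", date(2024, 12, 1), 2**20, {"kms-admin"}, {"web-svc"},
        {"web-svc": date(2025, 1, 9)}),
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE, date(2025, 1, 10)).items():
        for finding in findings:
            print(f"{key_id}: {finding}")
```

In a real deployment the inventory would be exported from the vault or HSM holding the keys rather than typed in by hand.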
A centralized system
When you consider that an organization may have millions of keys and operations taking place Way to apply these practices consistently and rigorously. There are also increasing numbers of regulations and standards around the world that mandate related control over encryption keys – so these practices are no longer a 'nice to have' for doing business.
The value of having IT resources available anytime, anywhere via the cloud has been immeasurable for modern business, but in the race to take advantage of these services, businesses' liability for the security of their data remains with them.
Rob Elliss is EMEA Vice President, Data and Application Security at Thales.