Story image

Encryption in 2016: Are you the key master?

19 Apr 2016

In a world where perimeter security measures have proven ineffective in stopping data breaches, encryption is the only way to truly make data useless to those who are not supposed to have access to it. As a result, the importance of who owns the keys to encrypt and decrypt the data has become even more important. Put plain and simple, whoever owns the keys (or has access to them), also owns the data.

As more companies move their data to the cloud using encryption to protect it, key ownership is increasingly important in order to maintain total control of encrypted data in the cloud, for security and for compliance.

Some major cloud providers have taken notice of this. One example happened recently when Box launched its new enterprise cloud storage service, building it around a significant feature known as the customer-managed key. This gives customers full control over the keys that play a crucial role in the encryption of their data, representing a critical divergence from other popular services, such as Salesforce.com and AWS, which manage the keys for the customer.

What are the different approaches to key management?

Key management is the processing and storage of keys that control who can decrypt and access protected information. This is a critical and yet often overlooked element of encryption. Too many organisations leave key management up to their vendors or store the keys inconsistently across their IT infrastructure in both hardware and software. That lack of centralised control can jeopardise the integrity of encryption. Often management of the keys is more important than the encryption itself, because if something happens to the keys, entire sets of data can be stolen or permanently lost.

Demonstrating control of data is a critical element of compliance. But it’s not full ownership without total control and ownership of the encryption keys. Salesforce has included important safeguards to its Platform Encryption in order to prevent any mishandling of the customers’ keys on their end. Still, at the end of the day, the keys cannot leave Salesforce, meaning their customers don’t necessarily have full control.

The other approach is to take the third party provider out of the equation and put the keys in the hands of the customer. This is the approach Box is taking. From a customer’s perspective, managing your own encryption keys may seem like a tall order, but it actually makes sense if you need to eliminate any chance of a vendor exposing your keys. Imagine if someone else was in charge of your house and car keys. Every time you have to get into either one, you need to go through that second party, and you live with the constant risk that the keys could be lost, leaving you with no recourse.

For those who are up to the challenge, customer-managed keys are a way around this problem. This approach gives control goes back to the data’s owner, and an external vulnerability is removed from the equation. This is the reason why organisations like Box are taking this approach.

While there are some drawbacks involved with key administration, more and more high-profile services and organisations seem to be giving their customers the opportunity to manage their own keys. This is another indication of just how seriously encryption is being taken by the tech industry in response to an increasingly security-fluent public.

If you would like to know more about innovative solutions from Gemalto, click here.

Gemalto offers one of the most complete portfolios of enterprise security solutions in the world, enabling customers to enjoy industry-leading protection of digital identities, transactions, payments and data. Through Gemalto’s portfolio of SafeNet Identity and Data Protection solutions, enterprises across many verticals take a data-centric approach to security by utilising innovative encryption methods, best-in-class crypto management techniques, strong authentication and identity management solutions to protect what matters and where it matters in an increasingly digital world.

HPE launches 'right mix' hybrid cloud assessment tool
HPE has launched an ‘industry-first assessment software’ to help businesses work out the right mix of hybrid cloud for their needs.
IDC: Innovative wearable use cases drive double-digit growth
Wristbands are set to lose their dominance as hearables and industrial applications keep the wearables market moving forward.
Turtle Beach buys ROCCAT, bringing more 'victories to gamers'
Germany-based Roccat already has a significant presence in Europe and Asia, which means Turtle Beach will likely take advantage of that growth. Expect to see more Turtle Beach products on the shelves. 
NVIDIA introduces a new breed of high-performance workstations
“Data science is one of the fastest growing fields of computer science and impacts every industry."
Apple says its new iMacs are "pretty freaking powerful"
The company has chosen the tagline “Pretty. Freaking powerful” as the tagline – and it’s not too hard to see why.
NZ ISPs issue open letter to social media giants to discuss censorship
Content sharing platforms have a duty of care to proactively monitor for harmful content, act expeditiously to remove content which is flagged to them as illegal.
Polycom & Plantronics rebrand to Poly, a new UC powerhouse
The name change comes after last year’s Plantronics acquisition of Polycom, a deal that was worth US $2 billion.
Bitdefender invests in A/NZ with new offices and regional director
Bitdefender has opened its Partner Advantage Network (PAN) programme with the aim of recruiting and supporting its over 500 local resellers.