02/07/2015

By Ed Kidson, product manager, Wick Hill


The cloud is an attractive business proposition for many. But time and time again, companies express concerns about how secure their information is in the cloud. Issues arise such as data co-mingling, privileged user abuse, snapshots and backups, data deletion, data leakage and geographic regulatory requirements.

Security concerns also arise if you want to switch from one cloud provider to another. How can you be sure what is happening to back-ups and archives of VMs, data volumes and maybe databases that were hosted there? You don’t necessarily know where all those copies are held or how they are held. Even if you remain with the same provider, you can never be certain of your data’s location.

If you need to know that the data is secure, whatever the location, the best practise is now widely acknowledged to be encryption. This means that, should it be compromised, it is unreadable.

However, what is often neglected is that by encrypting data, we shift the security risk from the loss of data to the loss of cryptographic keys. The keys must be stored and managed securely. Failure to protect encryption keys is akin to locking your car and leaving the keys on the bonnet.

If your data is encrypted and protected, it is absolutely essential that you turn your attention to crypto management - the creation, management, security and storing of encryption keys. You may have encryption, but without crypto management, it’s not worth encrypting because your data could still be at risk through the loss or mismanagement of your crypto keys!

You need to know where and how the crypto keys are stored, and by whom? Should the service provider hold the keys? If so, how do they do that? Are they secured within a hardware security module or just sat on a server? Is there an audit trail for the life cycle of the keys? Do you have access to that? Should you manage your own keys?

With the proper use of both encryption AND crypto-management, organisations can now reap the benefits of virtual and cloud computing, with the confidence that they are still in control of their own security.