Without smart key management, forget about securing your cloud

This is a guest post by Jeff MacMillan, CEO and founder of Dark Matter Labs.

Despite offering tremendous benefits in convenience, elasticity, transparency, and economy, cloud computing faces a major stumbling block: security.

Because cloud computing is well established, many assume that all critical aspects of cloud security are already in place. With 54 percent of U.S.-based organizations using the cloud and more enterprises migrating their data to the cloud, it might be surprising to some that the management of the keys to access encrypted cloud-based data — an important part of cloud security — is hardly up to snuff.

Several cloud providers offer encryption capabilities, directly or indirectly, that can be applied to the cloud. However, today’s approach to key management comes with an inherent security risk, that of key ownership and storage. The Cloud Security Alliance (CSA) recommends a separation of “lock and key” in the cloud and various compliance regulations are likewise beginning to address this fundamental cloud security issue.

Cloud providers typically shy away from “owning” encryption keys because key ownership can create liabilities, expense, and conflicts with key management best practices. Enterprises want, and should have, ownership of keys to their own data.

Editor’s note: Our upcoming CloudBeat conference, Sept. 9-10 in San Francisco, will be tackling revolutionary cases of enterprise cloud usage. Register today!

Intelligent key management is imperative for the overall success of mission-critical data management in the cloud, but it’s a far cry from the cloud management scenario today. Currently, there are three typical cloud security scenarios. First, the key to unlock encrypted data is stored in the same cloud as the data. That’s like locking your house but leaving the key in the lock. In the second scenario, companies employ vendor solutions that host the key in an undisclosed location. While option two sounds safer, it’s like having to call a security guard to access your home and unlock the door (and trusting the security guard never goes in when you are away). Option three is securing the key on-site within the enterprise, an option which can be extremely costly when implementing the high level of security required. None of these solutions are convenient or ideal for today’s enterprises.

And just like in a neighborhood, different doors require separate keys. In the case of data stored in the cloud, multiple keys should be used to keep different types of data secure. But with the challenges of storing, rotating, and managing keys, massive quantities of business data often are encrypted with only a handful of encryption keys. That’s like using one or two keys to access every house in the neighborhood.

Encryption is just the first step

Encryption is powerful and should be used in every reasonable instance for storing data in the cloud. It is also easily implemented. Key management takes more effort, but it can be simplified.

Proprietary encryption tools for disparate cloud environments can make portability complex. For example, encrypting data on one cloud platform (cloud provider No. 1) and decrypting on another (cloud provider No. 2) is unlikely to succeed if each platform employs a different proprietary key management method. Without a third-party key management system, moving data from one cloud platform to another would require full decryption of all data, putting it at risk during the process.

Regular rotation of keys and management of multiple, disparate keys for an enterprise are also essential components for mitigating risk and remaining compliant. Key rotation requires the changing out of the private keys on prescribed timetables. Enterprises, particularly smaller ones, typically don’t have the expertise, time, or money to become experts on key management, rotation, and encryption.

Without independent, strongly secured, third-party key management that enables enterprises direct, auditable control of their keys, storing data in the cloud presents an ongoing security risk, preventing some industries from fully embracing the cloud. The solution is a key management system that can be transparent, portable, auditable, and agonistic. It should also be cost-effective and scalable, allowing enterprises to manage their keys for many platforms in one secure, centralized location.

Recent news about government snooping has further highlighted the importance of controlling access to corporate data — and the importance of key management will only continue to grow.

Are you secure in the cloud?

Organizations need to ask themselves difficult questions about how they are securing data — whether in the cloud or in the data center. These questions include:

• Do you know who “owns” your keys?
• Do security vendors or cloud providers have access to your keys?
• What methods do you use to secure keys from hackers (or even former employees)?
• Where are your keys stored? How often are they rotated?
• What is your company’s process for moving encrypted data from one cloud to another?
• Is your security data auditable?

Next month at CloudBeat 2013, I’ll be presenting about how organizations can approach these challenges and highlighting the method Dark Matter Labs and KeyNexus employ to address them. Hope to see you at the show!

Jeff MacMillan founded Dark Matter Labs, a data encryption company, in 2009 with the purpose of introducing innovation to a market that was behind the curve. Dark Matter Labs has emerged with an industry-leading line of encryption appliances that help businesses in all major industries achieve security and compliance.