Marcella Arthur, Vice President Global Marketing, Unbound Security explores using smarter key management in the cloud
Cloud computing remains a dominant trend in global business, boosted by the mass shift to remote working during the pandemic. A report from Deloitte highlights how investment in cloud infrastructure increased through 2020 with the scale of mergers and acquisitions indicating significant expectations of further growth.
Yet as organisations migrate workloads to the cloud in search of greater agility, faster innovation and lower costs, they face serious security challenges that conventional approaches fail to meet, particularly when they adopt hybrid deployments. Analysts at IDC estimate that by 2022 more than 90 per cent of enterprises worldwide will rely on a mix of on-premises or dedicated private clouds, multiple public clouds and legacy platforms to meet their infrastructure needs. As companies become more distributed and more complex through their move into the hybrid cloud, they end up with massively extended security perimeters while constantly exchanging high volumes of data across them.
Combined with stricter demands from regulators, these developments make control of the encryption keys that protect data more important than ever. For organisations with heavy investments in on-premises infrastructure, hardware security modules (HSMs), or applications that are only partially in the cloud, an inability to secure and manage the cryptographic keys protecting their data across all of these scenarios has the potential to bring operations to an extremely costly standstill.
Whenever IT managers decide on a cloud shift that requires some existing hardware to remain in place, the problems they face include the time-consuming maintenance of multiple systems, the implementation of several key management solutions, and the creation of separate keys for each supported application and authentication path. Developers and solution architects carry the biggest migration risk: the painstaking work that went into developing an application once may now have to be repeated, refactoring it for each environment to ensure that its keys work anywhere in the cloud, at any time.
For key management, organisations may feel they can rely on the solutions provided by the major cloud service providers (CSPs), who have made encryption simple to activate. There is, however, a basic weakness in having the keys held by the same entity that holds the data. It is not only penetration by criminals that should concern us: government warrants and subpoenas may compel a CSP to hand over what it holds, keys included. Alongside this security concern is a management one. It becomes much harder to achieve consistent data governance across an organisation's entire and varied infrastructure, including on-premises hardware, when each cloud provider manages its own keys. Because each CSP's tooling shows only its own slice of key logs and usage reports, an enterprise cannot manage its full range of keys in one place with visibility across all sites.
Time to market for new and existing applications suffers, because each one needs keys provisioned in a way that satisfies the security policies that apply to it. Security is also put at risk when organisations cannot manage keys across disparate sites, since the applications they need to authenticate have each been written to the requirements of a specific cloud.
The way out of this tangle is a third-party solution that removes the need to refactor applications for every cloud environment. Enterprises need to generate and manage their own keys on a separate, single platform, using multiparty computation (MPC). MPC splits a secret key into two or more shares and places them on different servers and devices. All of the shares together are needed to learn anything about the key, yet the shares are never assembled: the cryptographic operation is computed jointly, with each party using only its own share. An attacker therefore has to breach every server and device that holds a share. Strong separation between these devices (different administrator credentials, different environments, and so on) provides a very high level of key protection.
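To make the "split but never assembled" idea concrete, here is an added illustration in Python. It is not Unbound's product code or any vendor's protocol, but a minimal two-or-more-party additive secret sharing of an ElGamal-style private exponent, where each party computes a partial decryption with its own share and the results are multiplied together, so the full key never exists on any one machine. It also shows that a single share decrypts to garbage, and that shares can be re-randomised (proactively refreshed) without changing the key. The modulus `P = 2**127 - 1`, the base `G` and the message value are assumptions chosen so the example runs instantly offline; they are toy parameters, not production-sized.

```python
"""Additive key sharing for distributed ElGamal-style decryption (added example).

Assumption: P = 2**127 - 1 is a Mersenne prime small enough to run instantly.
It is a toy modulus for illustration only, not a production parameter.
"""
import secrets

P = 2**127 - 1      # toy prime modulus (assumption, see docstring)
G = 3               # base for the public key; any base in [2, P) works here
ORDER = P - 1       # exponents are taken mod P-1 because c^(P-1) == 1 mod P (Fermat)


def keygen():
    """Generate a private exponent k and the matching public key y = G^k mod P."""
    k = secrets.randbelow(ORDER - 1) + 1
    return k, pow(G, k, P)


def split_key(k, parties=2):
    """Additively share k among `parties` holders: the shares sum to k mod ORDER.

    Every proper subset of shares is uniformly random, so a stolen share on its own
    carries no information about k.
    """
    shares = [secrets.randbelow(ORDER) for _ in range(parties - 1)]
    shares.append((k - sum(shares)) % ORDER)
    return shares


def encrypt(y, m):
    """ElGamal encryption of an integer message m in [1, P) under public key y."""
    r = secrets.randbelow(ORDER - 1) + 1
    return pow(G, r, P), (m * pow(y, r, P)) % P


def partial_decrypt(share, c1):
    """One party's contribution: c1^share mod P, computed with only its own share."""
    return pow(c1, share, P)


def combine(partials, c2):
    """Multiply the partial results and strip the mask from c2.

    prod(c1^k_i) == c1^(sum k_i) == c1^k mod P, so the plaintext is recovered
    without any party ever holding k.
    """
    d = 1
    for part in partials:
        d = (d * part) % P
    return (c2 * pow(d, -1, P)) % P


def refresh_shares(shares):
    """Proactive refresh: add random deltas that sum to zero mod ORDER.

    The key k is unchanged, but old shares become useless to anyone who copied them.
    """
    deltas = [secrets.randbelow(ORDER) for _ in shares[:-1]]
    deltas.append((-sum(deltas)) % ORDER)
    return [(s + d) % ORDER for s, d in zip(shares, deltas)]


def demo(message=123456789, parties=3):
    """Run the full flow and return (joint_result, single_share_result, refreshed_result)."""
    k, y = keygen()
    shares = split_key(k, parties)
    c1, c2 = encrypt(y, message)
    joint = combine([partial_decrypt(s, c1) for s in shares], c2)
    # A single share holder cannot decrypt: it only has c1^k_1, not c1^k.
    alone = combine([partial_decrypt(shares[0], c1)], c2)
    refreshed = refresh_shares(shares)
    after_refresh = combine([partial_decrypt(s, c1) for s in refreshed], c2)
    return joint, alone, after_refresh


if __name__ == "__main__":
    joint, alone, after_refresh = demo()
    print("joint decryption correct:", joint == 123456789)
    print("single share decrypts correctly:", alone == 123456789)
    print("decryption after share refresh correct:", after_refresh == 123456789)
```

In a real deployment the parties would be separate hosts with separate administrators, as the paragraph above describes, and the `partial_decrypt` results would travel over an authenticated channel; here everything runs in one process purely to show the arithmetic. The same pattern (each party exponentiates with its own share, results are multiplied) is what lets a key be used across clouds without any single environment ever holding it whole.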
Adopting this approach gives enterprises running hybrid cloud or multi-cloud infrastructures the single-pane-of-glass visibility that is essential for security and audit: information about all keys and digital assets, how they are stored, who is using them and which policies govern their use. Using cryptographic keys in the cloud is no longer a leap of faith.
When organisations move into the cloud for greater innovation and efficiency, an MPC platform provides the most effective means of securing and managing encryption keys: agile, adaptable and easy to use, without compromising security.