Data security is rarely the first consideration when choosing a public cloud service provider. That’s changing, though, because of the rise of tougher rules, regulations, and standards aimed at protecting consumer privacy. Without data security, there can be no privacy.
Laws such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are making chief information security officers pay closer attention to what data security means in the cloud. To comply with the laws, CISOs also need to understand what must be done to more effectively protect and govern data in a complex, geographically diverse, and hybrid IT ecosystem.
In a recent report, Micro Focus data security products executive Sid Dutta described the offerings of the “big three” public cloud service providers (CSPs)—Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS)—serving up a framework with strategic selection criteria, and outlined what enterprises should be aware of before cutting a deal with any CSP.
Here are six key takeaways from the report.
By: John P. Mello Jr. | TechBeacon.
1. CSP key management and encryption services have limitations
The CSPs’ key management and hardware security module (HSM) services have typically been added as a layer on top of their existing stacks—an afterthought due to late recognition of their customers’ increasing data security concerns, the report said.
In addition, the encryption model used by the major CSPs won’t meet the scaling requirements of many enterprises. Amazon, Google, and Microsoft “create a unique key for every data element,” Dutta explained in an interview. “So if you’re processing 10 million records, every data element in each record will require a unique key.”
That doesn’t scale when you’re doing a large volume of encryption, he said. “You’re going to have problems with availability, latency, and bandwidth.”
“If I don’t have the ability to perform bulk encryption that doesn’t rely on the network and the availability of that system, that, for me as a customer, is a no-go. I can’t make my endpoint 100% available because I don’t control the network that connects my client application and my encryption system.”
Mark Nunnikhoven, vice president for cloud research at the security company Trend Micro, said the big three “offer a reasonable set of services around key management.” And with any cloud service, these are evolving rapidly.
However, the bigger question that comes from the Micro Focus report, and which is central to your overall data protection strategy, persists: Is it safe for the CSP to own the keys?
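To make the scaling argument concrete, here is an added Python illustration (not code from the report, Micro Focus, or any CSP): a simulated key-management endpoint counts network round-trips when a data key is requested per element, versus fetching one customer root key and deriving every element key locally with HKDF. The KMS class, the sample records, the key labels and the salt are constructed placeholders.

```python
import hmac
import hashlib

# Constructed sample records (not from the report); the report's scenario
# is 10 million of these, each needing its own key.
RECORDS = [f"record-{i}:card=4111{i:012d}".encode() for i in range(10)]


class SimulatedKms:
    """Stand-in for a CSP key-management endpoint. Every call is a network
    round-trip whose availability and latency the customer does not control."""

    def __init__(self):
        self.calls = 0
        self._master = hashlib.sha256(b"csp-master-key-placeholder").digest()

    def generate_data_key(self, label: bytes) -> bytes:
        self.calls += 1  # one round-trip per data element
        return hmac.new(self._master, label, hashlib.sha256).digest()

    def export_root_key(self) -> bytes:
        self.calls += 1  # one round-trip, then the client works offline
        return hashlib.sha256(b"customer-root-key-placeholder").digest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with HMAC-SHA256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def per_element_remote_keys(kms, records):
    """CSP model described in the report: one KMS call per data element."""
    keys = [kms.generate_data_key(rec) for rec in records]
    return keys, kms.calls


def per_element_local_keys(kms, records, salt=b"tenant-salt-placeholder"):
    """Bulk model: fetch the root key once, derive each element key locally.
    Each derived key would feed an AEAD such as AES-GCM for the record."""
    root = kms.export_root_key()
    keys = [hkdf_sha256(root, salt, rec) for rec in records]
    return keys, kms.calls
```

With the remote model the call count grows with the record count; with the local model it stays at one, which is the availability and latency dependency Dutta describes.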
2. Organizations cannot control encryption keys
Organizations concerned about a CSP controlling the encryption keys to their data are told they can “bring their own keys” (BYOK). That’s misleading, the report contends. Even if a customer provides key material, it explained, the CSP still either owns or manages the master keys, which can be subject to subpoena or some other form of disclosure or abuse.
BYOK as a practice in the industry “has created a false perception that customer ownership and control of keys is established” when the fact is that, even if a customer generates and imports the keys into a CSP key-management system or cloud HSM, “it is the CSP that has direct or indirect control of the keys,” the report said.
“There is no hard isolation when it comes to cloud infrastructure.”
Ameesh Divatia, CEO of the data protection company Baffle, said BYOK had limitations for enterprises.
“It’s not completely foolproof, but it’s a step forward because the keys aren’t accessible to the cloud service provider.”