Wouldn’t life be so much easier if you didn’t have to lock the front door of your business when you went home at night? You’d never have to worry about losing your keys. Or, maybe the property owner could hang onto your keys for you. You would then rely on the building manager to unlock the door for you every morning and to lock up again when you leave.
Obviously, both scenarios are ridiculous and no business would seriously consider either. Yet if that’s true, why do so many businesses allow their IT organizations to operate from day to day without bothering to “lock up” and secure their digital assets, whether they’re housed on premises, or in the cloud?
See also: Dyn DDoS attack sheds light on the growing IoT problem
Make no mistake; the first scenario is exactly what’s happening when IT fails to deploy encryption to protect important data. And when IT departments entrust a cloud service provider with the possession of their private encryption keys, rather than retaining their own exclusive control over them, it’s hardly different from the second, highly risky scenario.
The issue of inadequate encryption is one that’s well worth raising. A significant data breach could potentially be thousands of times more damaging than if thieves simply cleaned out the physical office. A breach on the scale of the one recently disclosed by Yahoo, in which as many as a billion customer records are believed to have been stolen, would be ruinous for most businesses.
Unfortunately, inadequate encryption is the status quo for many businesses. For example, a recent survey commissioned by HyTrust found that 28 percent of public cloud customers were not encrypting data. And that’s a shame, because too often, the decision not to encrypt is fueled by a couple of persistent myths.
Myth #1: Encryption is too cumbersome
In the early days of encryption, the technology remained out of reach of many organizations. Solutions like full-disk encryption were costly, hard to manage, and could introduce unacceptable performance penalties. Getting it right often meant bringing in cryptography experts – and there are only so many of them to go around.
Today, however, this is no longer the case. Modern encryption solutions are largely seamless and they don’t require experts to deploy and manage. What’s more, technology advancements in other areas – such as the encryption-acceleration instructions built into all modern Intel CPUs – mean there is virtually no impact on system performance.
Myth #2: Your cloud service provider’s encryption is enough
Most major cloud vendors offer one or more built-in data encryption services. Indeed, the HyTrust survey found that among cloud customers who do encrypt, 44 percent used these services. But not only are such services often limited in their functionality, they are also problematic for a couple of reasons.
First, they typically require you to share your private encryption key with the cloud provider – which brings us back to the second scenario we mentioned earlier. When you don’t retain full control of your keys, you can’t be sure that no one else has access to your data. Your keys could be stolen if your provider’s systems are compromised. Or suppose your provider receives a court order, requiring it to disclose your data to regulators or other authorities? If your cloud provider is in possession of both your encrypted data and the keys to decrypt that data, you have lost what little control you thought you had.
Second, cloud-provided encryption solutions tend to be proprietary and unique to each cloud vendor, which leads to cloud vendor lock-in. Once your data is encrypted, it becomes difficult to move or replicate it to another cloud vendor, without first decrypting and re-encrypting your data in the new location with the new cloud vendor’s keys – something that becomes increasingly burdensome as a multi-cloud strategy becomes the norm.
Keys to success
When you weigh these concerns, the use of a third-party encryption solution, with the ability to retain control over the keys regardless of data location, can become your new best-practice. Regardless of whether you keep your data on-premises in your own data center, or in the public cloud, or in both places via a hybrid cloud.
Modern third-party encryption solutions provide encryption that is easy to set up, offers high performance, and is easy to manage. But most importantly, using a third-party solution that runs on more than one hypervisor, and on more than one cloud platform, allows you to uncouple your keys from your hosting environment, making it possible to easily encrypt and then move your data from on-premises to the cloud, and from cloud to cloud.
The other options, of not encrypting your data at all, or of relinquishing control of both your data and your keys to each cloud vendor– should have been off the table long ago. With online threats on the rise, including attacks by state-sponsored actors, a business with unencrypted data, or inadequate control over the keys, is as ridiculous a scenario as leaving the door wide open.
