Best Practices for Simplifying Data Security & Encryption Key Management
By Jared Hrabak, Cybersecurity Engineer, cStor
Everyone knows that data is the lifeblood of every business, so protecting it on-premise, in the cloud and everywhere in between has never been more mission-critical.
According to the World Economic Forum, the world had produced an estimated 44 zettabytes of data as of 2020, and by 2025 the global ‘datasphere’ is expected to reach 175 zettabytes. Just to get your head around that figure: a zettabyte is 1,000 to the seventh power bytes (10^21 bytes), so 175 zettabytes is a 175 followed by 21 zeros. It’s also roughly equivalent to the amount of data in 125 TRILLION feature-length movies! 😮
That’s a lot of data to protect… everywhere. So, let’s start by covering a few common challenges IT departments are facing, using a real-world scenario we see relatively often. Let’s call the company B2B Software Co., a mid-size business with $500M+ in revenue. They have data on-prem and in the cloud, and recently moved several more client- and support-facing systems to AWS in an effort to drive additional operational efficiencies and improve customer response time. Their team realized AWS has a native key management service (AWS KMS) with automatic key rotation, so they would only have to rotate keys once a year.
Sounds easy, right? Guess again. In this situation you’re locked into the provider’s key service: key material generated inside AWS KMS cannot be exported, so if the company decides it needs to move systems off AWS for whatever reason in the future, the keys stay behind, and everything encrypted under them has to be decrypted and re-encrypted inside AWS before it can leave. Worse still, if your data is involved in a breach, the shared responsibility model means AWS answers only for the security of the service itself; how the keys were configured, and who was granted access to them, points straight back at you.
Your data is 100% your responsibility.
To Control or Not to Control. That’s the Question.
You might think, well AWS is a safe bet, but how much control do you want to have over your own data and encryption keys?
And AWS is just one location for their data; in practice there are likely 40-50 such locations. That means disparate data everywhere: some at rest, some in transit, some requiring high-speed encryption, and some with no encryption at all. That’s a lot of data and key material to manage… so, is handing key management off to each third-party vendor’s native service really the best strategy?
The reality is that data migration to third-party hosted environments and using multiple cloud service providers is creating new attack surfaces for cybercriminals to exploit. In essence, where there is complexity, there are potential ‘chinks in the security armor.’ This is just one of the many reasons data breaches continue to threaten the global IT landscape at an increasing rate. Fortunately, there’s something you can actually do about it.
Stop the Security Silos. Consider Centralized Key Management.
While encryption solutions were a giant leap forward in data security, they created a mountain of complexity for IT teams. Almost every storage device, from self-encrypting drives to backup tape, and the majority of database management systems include native encryption capabilities. The problem becomes worse when you realize that the key management built into each of them is not interoperable with the others unless both sides speak a common protocol such as OASIS KMIP, so the silos continue.
Centralizing key management can be a game-changer, allowing IT teams to securely store and back up/restore keys, apply consistent access control policies, audit every key management operation, and effectively separate encryption tasks from key management tasks. In practice that separation is an envelope-encryption design: each system encrypts its own data with a local data-encryption key, and only that key, wrapped by a master key that never leaves the key manager, is stored alongside the data. Rotating the master key then means re-wrapping those small key blobs, not re-encrypting terabytes of data.
There are a few essential elements to this approach:
- Secured key storage
- Centralized key lifecycle management
- Enhanced scalability and flexibility
- High availability (if the key manager is unreachable, every system that depends on it loses access to its data)
- Interoperability with third-party systems (e.g. via KMIP)
- Facilitated governance and reporting (e.g. GDPR, PCI DSS, GLBA)
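As an added example (not code from this article or from cStor), here is the envelope-encryption design those elements describe, in Python using only the standard library: applications handle data-encryption keys (DEKs), the key manager holds versioned key-encryption keys (KEKs) that never leave it, every call is checked against a per-key access policy and written to an audit log, and rotating a KEK re-wraps the small DEK blobs instead of re-encrypting the data. The `KeyManager` class, the key id `orders-db`, the principals `orders-svc`, `analytics-svc` and `key-admin`, and the sample record are all constructed for the illustration. The HMAC-based encrypt-then-MAC cipher is a stand-in so the file runs without third-party packages; it is not a recommendation over AES-GCM.

```python
"""Envelope encryption against a minimal centralized key manager.  Added example, not
the article's or any vendor's code: KeyManager is an in-memory stand-in for a KMIP/REST
key server or HSM, and the cipher is an encrypt-then-MAC scheme from the standard
library (HMAC-SHA256 counter-mode keystream plus HMAC-SHA256 tag) so it runs with no
third-party packages; production code would use AES-GCM from a vetted library."""
import hashlib
import hmac
import secrets
import struct


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(_prf(enc_key, nonce + struct.pack(">Q", i)) for i in range((length + 31) // 32))[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")  # independent subkeys
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, aad + nonce + ct)


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag in constant time before decrypting; raise on any tampering."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, aad + nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManager:
    """Versioned key-encryption keys (KEKs) behind a per-key access policy, every call
    (denials included) logged.  KEK bytes never leave this class; callers see only DEKs."""
    def __init__(self) -> None:
        self._keks: dict[str, dict[int, bytes]] = {}  # key_id -> {version: kek}
        self._policy: dict[str, set[str]] = {}        # key_id -> allowed principals
        self.audit_log: list[dict] = []

    def _log(self, op: str, key_id: str, principal: str, allowed: bool) -> None:
        self.audit_log.append({"op": op, "key_id": key_id, "principal": principal, "allowed": allowed})

    def _authorize(self, op: str, key_id: str, principal: str) -> None:
        allowed = principal in self._policy.get(key_id, set())
        self._log(op, key_id, principal, allowed)
        if not allowed:
            raise PermissionError(f"{principal} may not {op} with {key_id}")

    def create_key(self, key_id: str, allowed: set[str]) -> None:
        self._keks[key_id] = {1: secrets.token_bytes(32)}
        self._policy[key_id] = set(allowed)
        self._log("CreateKey", key_id, "key-admin", True)

    def _wrap(self, key_id: str, dek: bytes) -> bytes:
        version = max(self._keks[key_id])
        header = struct.pack(">I", version)  # KEK version travels with the wrapped DEK
        return header + aead_encrypt(self._keks[key_id][version], dek, aad=key_id.encode() + header)

    def _unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        version = struct.unpack(">I", wrapped[:4])[0]
        return aead_decrypt(self._keks[key_id][version], wrapped[4:], aad=key_id.encode() + wrapped[:4])

    def generate_data_key(self, key_id: str, principal: str) -> tuple[bytes, bytes]:
        """Return (plaintext DEK, wrapped DEK); only the wrapped form is stored at rest."""
        self._authorize("GenerateDataKey", key_id, principal)
        dek = secrets.token_bytes(32)
        return dek, self._wrap(key_id, dek)

    def decrypt_data_key(self, key_id: str, wrapped: bytes, principal: str) -> bytes:
        self._authorize("Decrypt", key_id, principal)
        return self._unwrap(key_id, wrapped)

    def rotate_key(self, key_id: str, wrapped_deks: list[bytes]) -> list[bytes]:
        """Add a KEK version and re-wrap DEKs under it; the bulk data is untouched."""
        self._keks[key_id][max(self._keks[key_id]) + 1] = secrets.token_bytes(32)
        self._log("RotateKey", key_id, "key-admin", True)
        return [self._wrap(key_id, self._unwrap(key_id, w)) for w in wrapped_deks]


def demo() -> dict:
    km = KeyManager()
    km.create_key("orders-db", allowed={"orders-svc"})
    dek, wrapped = km.generate_data_key("orders-db", "orders-svc")
    record = aead_encrypt(dek, b"order=1001;card=****1111", aad=b"orders/1001")  # constructed sample
    del dek  # the application stores only the wrapped DEK beside the record
    (wrapped_v2,) = km.rotate_key("orders-db", [wrapped])  # only the 84-byte wrapper changes
    plaintext = aead_decrypt(km.decrypt_data_key("orders-db", wrapped_v2, "orders-svc"), record, aad=b"orders/1001")
    try:
        km.decrypt_data_key("orders-db", wrapped_v2, "analytics-svc")  # not in the key's policy
        denied = False
    except PermissionError:
        denied = True
    versions = tuple(struct.unpack(">I", w[:4])[0] for w in (wrapped, wrapped_v2))
    return {"plaintext": plaintext, "kek_versions": versions, "denied": denied, "audit": km.audit_log}
```

Calling `demo()` walks one record through generate, encrypt, rotate, decrypt and a denied caller. Two details matter in practice: the audit log records the refused `Decrypt` from `analytics-svc` alongside the successful calls, which is what an auditor will ask for; and after rotation the old wrapped DEK is still readable because the manager keeps earlier KEK versions, so retiring a version is only safe once everything still bound to it has been re-wrapped.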
Key Takeaways
Centralizing key management can add tremendous efficiencies to your day-to-day security process in surprising ways. Be sure the solutions you consider include a proven key management system, access control, audit reporting and REST APIs. This kind of simplified management should give you a unified console that facilitates easy discovery and classification of data, and effectively protects your data no matter where it resides or travels.
Your solution should also incorporate a cloud-friendly deployment option that can run as a native virtual machine on industry-common cloud providers and virtualization platforms including AWS, Microsoft Azure, Google Cloud, VMware, Microsoft Hyper-V and more. Finally, be sure to evaluate if the key management system has flexible form factors. In other words, is it available in both virtual and physical form factors?
If you need guidance on your data security and key management strategies, don’t hesitate to drop me a line, I’d love to connect to see how we can help.