Let’s say you’re about to walk out of the house and realize you’ve forgotten your keys. The first thing a family member will probably ask you is “Where did you last have them?” But at work, asking for the keys to a cloud — the keys that ensure data privacy — might get a different reaction. People are more likely to shrug and suggest the keys are just fine wherever they are.

Many enterprises these days are moving to the cloud or multiple clouds. Digital adoption is happening everywhere and affecting everything we do. The changes in our workforce also underscore that nothing will be the same as it was before 2020.

Migrating workloads or workload automation are some of the biggest challenges facing the entire connected world. The journey is fraught with risks, challenges and costs that only the best can foresee. However, for some, the laggard strategy may have paid off. According to a survey by IDG, many organizations that had shifted to the public cloud have reversed course by moving some workloads back on-premises due in part to how complex cloud management and data integration can be. So what makes for a good cloud migration that ensures data privacy and a smooth transition?

Don’t Forget Cloud Data Privacy

The most overlooked item on any workload migration project plan is often key management and compliance across multiple cloud services. Augmenting a bring-your-own-key (BYOK) service should allow you to separate the location of data from that of the encryption keys. That encryption best practice helps boost data privacy.

Many data privacy regulations are infrastructure agnostic. That means they require the same processes and controls whether the data is on-premises, in the cloud, or both. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires dual control with respect to the separation of data and keys. It also requires separate duties in the form of role-based access to key management software. PCI DSS and many others require the use of the NIST-certified Advanced Encryption Standard and Federal Information Processing Standards (140-2).

Meeting and maintaining compliance with these can be made more difficult by the prevalent use of cloud services. Furthermore, regional laws that govern data sovereignty and privacy, including the European Union’s General Data Protection Regulation (GDPR), are more and more relevant to conducting business around the globe. They often require both access controls and custodianship of data and keys. To put it simply, you have to know where your cloud keys are.

What Does Good Cloud Data Security Look Like?

But what about defending the keys you manage in a multicloud transition? Some cloud service providers (CSPs) address at least a subset of cloud encryption issues with BYOK services to give customers more control over their keys. This helps emphasize the importance of key custodianship along with the best practices that the CSPs use and, in some cases, helped create. These services are useful if you’re working at a small scale and using one cloud provider at a time. However, if you have a multicloud setup, you’ll want to be able to centralize across cloud services and take advantage of other relevant tools.

This overall consumption of cloud services has created an acute concern around storing sensitive data in one or more public clouds due to its strategic value to a company. As such, 53% of the respondents to an ESG study indicated that more than 30% of their cloud-resident sensitive data is not secured well enough. In response, their organizations expect to invest more in cloud and data security solutions.

Who’s Job Is Cloud Data Privacy?

The core concept in answering that question is the shared responsibility model. It defines the boundary line of the division of labor between the CSP and the customer for securing and protecting the cloud service. For all types of cloud services, from infrastructure platforms to software-as-a-service, the model is transparent. It’s the customer’s job to secure data stored in a public cloud.

CSPs offer some native controls, including the tools to encrypt data, upload your own keys via a BYOK service and store those keys in either a multi-tenant environment or a dedicated hardware security module. However, it’s the customer’s job to both employ these services and manage the process. The use of multiple, discrete, native data encryption-related services makes management more complex. Meanwhile, customers in specific industries also need to store encryption keys on-premises to meet regulatory compliance requirements, which means they need to be efficient and flexible according to those requirements.

What Are the Next Steps?

If you’re in the market for cloud services, look for vendors that manage encryption keys correctly. They need to prove they can protect assets stored by critical cloud services. After all, those services represent the core of modern IT more and more often. The mix of visibility into key origination usage and life cycle management will help satisfy auditors when it comes to meeting and maintaining compliance. You’ll meet data privacy and other key needs more easily. And you’ll always know where you left your keys.