February 28, 2017 By Rick Robinson 4 min read

Organizations are adopting encryption at a rapid and increasingly urgent pace. Why? Because encryption helps organizations support dynamic industry regulations while also protecting sensitive data that’s placed in the cloud.

The trend of adopting public cloud solutions continues to grow, but protecting critical data in the cloud is still a major concern. It’s critical to protect data against external breaches and unauthorized access by cloud service providers. Collectively, organizations are diligently working with consultants and suppliers to implement solutions to keep their data safe.

Deleting Sensitive Cloud-Based Data

In many specific instances, companies want to prevent their data from being accessible to cloud service providers (CSPs). However, organizations are now facing a new dilemma: What are they supposed to do when they want to permanently delete their data in the cloud?

Regulatory compliance and cloud data protection are two driving reasons for establishing encryption and encryption key management strategies. Furthermore, in the new world of cloud data security, the old concept of a “castle” has become ineffective; the concept of a curated “museum” is much more applicable to cloud data security. In this new world, organizations want to share data appropriately with many users and platforms without running the risk that it will be taken, changed, hijacked, destroyed or accessed by unauthorized users.

Read the White Paper: Guard your organization’s data with intelligent IBM encryption

To complicate matters, the value of data can change quickly. As we know, information such as quarterly financial data has high value prior to its disclosure, but the necessity to keep it private significantly declines once the announcement of financial performance is released to the market. However, other data, such as pharmaceutical trial data, HR information from divested organizations and historical notes on litigation proceedings, can quickly become a liability if it is unintentionally disclosed to the wrong party after the collective work on these efforts has been completed.

When you combine the need for privacy, the desire to collaborate using shared data and the trend of leveraging cloud applications and storage, you can see the need to not only protect cloud-based data, but also to manage it throughout its entire life cycle, from creation to destruction. Furthermore, in the case of cloud deployments, this process needs to be managed and controlled in an environment that is not physically under your control. This last requirement raises the following questions:

  • How can you control sensitive cloud-based data?
  • How can you control the life cycle of that data?
  • How can you manage your liability?

The Magic of Cryptographic Erasure

Encryption has historically been used to protect data against unauthorized use. However, encryption can effectively erase data as well. This is called cryptographic erasure.

The National Institute of Science and Technology (NIST) released “Special Publication 800-88, Revision 1: Guidelines for Media Sanitization,” which detailed how encryption is part of media and data sanitation.

“If strong cryptography is used,” the publication stated, “sanitization of the target data is reduced to sanitization of the encryption key(s) used to encrypt the target data.” In laymen’s terms, this means that if the data is encrypted and you destroy the keys, the data is erased.

Of course, there are some qualifiers to claiming sanitization by cryptographic erasure. First, you must ensure that you have encrypted the data from the moment it was originally stored. Next, verify that you have exclusive access to all data encryption keys and ensure that all keys are wrapped under one or more wrapping keys. Finally, delete the wrapping keys to render the data encryption keys and data itself unrecoverable. Fortunately, these steps are not difficult to follow if you have the right tools.

For example, if you have a petabyte of data that has been encrypted from the moment it was placed in the cloud and control over the wrapping keys that protect the data encryption keys, then when you delete the wrapping keys, you render data encryption keys — and the petabyte of data — useless. This happens regardless of where the data is stored or whether you can even access the storage environment. In other words, you can effectively erase a petabyte of data by deleting just a few kilobytes of keys. That’s cryptographic erasure, and it’s powerful.

Encryption Key and Life Cycle Management

Naturally, you may want to recover the petabytes of bits associated with your now-useless data. Why pay to store petabytes of random bits? However, that is secondary to the erasure of the data itself.

The logistics of implementing cryptographic erasure fundamentally requires the system that stores and encrypts the data to be separate from that of encryption key management. Leveraging key life cycle management software packages helps maintain separation of these duties and functions.

Keeping your encryption engine separate from the encryption keys, as well as keeping the keys well-managed, is not just a best practice, but also keeps you on the right side of regulations and helps protect your most precious assets — your encryption keys and encrypted data — from threat actors. Remember that storage is inexpensive, but data is becoming infinitely more valuable, both as an asset and a liability. Control your data, protect it and ensure that it has a clear life cycle that you control.

The future architecture of data protection is clearly modular. We need to:

  • Constantly monitor our data, its classification and its usage;
  • Protect our data, regardless of its location, through encryption;
  • Manage our encryption keys, because they protect larger quantities of data and enable us to sanitize data when the data life cycle is complete; and
  • Monitor our encryption keys to ensure that they are inventoried, accessed only by authorized processes and people and constantly evaluated for strength and applicability.

Following these practices ensures that your data, protected through encryption, will provide value through its lifetime and can be securely deleted when no longer valuable.

Protecting Data in a Multicloud Environment

To protect data in a multicloud environment, organizations should still focus on implementing centralized policy management as well as centralized key management.

Guardium for Multi-Cloud Data Encryption offers the ability to encrypt cloud data across multiple clouds. It also integrates with IBM Security Key Lifecycle Manager. This combination of local but highly redundant key management, and the ability to concurrently manage tens of thousands of encrypted file systems or volumes in multiple clouds, gives organization the tools they need to protect and manage the entire life cycle of data regardless of where it resides.

Download the White Paper: Guard your organization’s data with intelligent IBM encryption

More from Data Protection

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today