Let’s say you’re about to walk out of the house and realize you’ve forgotten your keys. The first thing a family member will probably ask you is “Where did you last have them?” But at work, asking for the keys to a cloud — the keys that ensure data privacy — might get a different reaction. People are more likely to shrug and suggest the keys are just fine wherever they are.

Many enterprises these days are moving to the cloud or multiple clouds. Digital adoption is happening everywhere and affecting everything we do. The changes in our workforce also underscore that nothing will be the same as it was before 2020.

Migrating workloads or workload automation are some of the biggest challenges facing the entire connected world. The journey is fraught with risks, challenges and costs that only the best can foresee. However, for some, the laggard strategy may have paid off. According to a survey by IDG, many organizations that had shifted to the public cloud have reversed course by moving some workloads back on-premises due in part to how complex cloud management and data integration can be. So what makes for a good cloud migration that ensures data privacy and a smooth transition?

Guardium for cloud migration

Don’t Forget Cloud Data Privacy

The most overlooked item on any workload migration project plan is often key management and compliance across multiple cloud services. Augmenting a bring-your-own-key (BYOK) service should allow you to separate the location of data from that of the encryption keys. That encryption best practice helps boost data privacy.

Many data privacy regulations are infrastructure agnostic. That means they require the same processes and controls whether the data is on-premises, in the cloud, or both. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires dual control with respect to the separation of data and keys. It also requires separate duties in the form of role-based access to key management software. PCI DSS and many others require the use of the NIST-certified Advanced Encryption Standard and Federal Information Processing Standards (140-2).

Meeting and maintaining compliance with these can be made more difficult by the prevalent use of cloud services. Furthermore, regional laws that govern data sovereignty and privacy, including the European Union’s General Data Protection Regulation (GDPR), are more and more relevant to conducting business around the globe. They often require both access controls and custodianship of data and keys. To put it simply, you have to know where your cloud keys are.

What Does Good Cloud Data Security Look Like?

But what about defending the keys you manage in a multicloud transition? Some cloud service providers (CSPs) address at least a subset of cloud encryption issues with BYOK services to give customers more control over their keys. This helps emphasize the importance of key custodianship along with the best practices that the CSPs use and, in some cases, helped create. These services are useful if you’re working at a small scale and using one cloud provider at a time. However, if you have a multicloud setup, you’ll want to be able to centralize across cloud services and take advantage of other relevant tools.

This overall consumption of cloud services has created an acute concern around storing sensitive data in one or more public clouds due to its strategic value to a company. As such, 53% of the respondents to an ESG study indicated that more than 30% of their cloud-resident sensitive data is not secured well enough. In response, their organizations expect to invest more in cloud and data security solutions.

Who’s Job Is Cloud Data Privacy?

The core concept in answering that question is the shared responsibility model. It defines the boundary line of the division of labor between the CSP and the customer for securing and protecting the cloud service. For all types of cloud services, from infrastructure platforms to software-as-a-service, the model is transparent. It’s the customer’s job to secure data stored in a public cloud.

CSPs offer some native controls, including the tools to encrypt data, upload your own keys via a BYOK service and store those keys in either a multi-tenant environment or a dedicated hardware security module. However, it’s the customer’s job to both employ these services and manage the process. The use of multiple, discrete, native data encryption-related services makes management more complex. Meanwhile, customers in specific industries also need to store encryption keys on-premises to meet regulatory compliance requirements, which means they need to be efficient and flexible according to those requirements.

What Are the Next Steps?

If you’re in the market for cloud services, look for vendors that manage encryption keys correctly. They need to prove they can protect assets stored by critical cloud services. After all, those services represent the core of modern IT more and more often. The mix of visibility into key origination usage and life cycle management will help satisfy auditors when it comes to meeting and maintaining compliance. You’ll meet data privacy and other key needs more easily. And you’ll always know where you left your keys.

Centralize key management

More from Data Protection

Data never dies: The immortal battle of data privacy

4 min read - More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile. Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere. When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights…

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution? Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task. In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each…

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

Cost of a data breach 2023: Pharmaceutical industry impacts

3 min read - Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023. The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of…