Let’s say you’re about to walk out of the house and realize you’ve forgotten your keys. The first thing a family member will probably ask you is “Where did you last have them?” But at work, asking for the keys to a cloud — the keys that ensure data privacy — might get a different reaction. People are more likely to shrug and suggest the keys are just fine wherever they are.

Many enterprises these days are moving to the cloud or multiple clouds. Digital adoption is happening everywhere and affecting everything we do. The changes in our workforce also underscore that nothing will be the same as it was before 2020.

Migrating workloads or workload automation are some of the biggest challenges facing the entire connected world. The journey is fraught with risks, challenges and costs that only the best can foresee. However, for some, the laggard strategy may have paid off. According to a survey by IDG, many organizations that had shifted to the public cloud have reversed course by moving some workloads back on-premises due in part to how complex cloud management and data integration can be. So what makes for a good cloud migration that ensures data privacy and a smooth transition?

Guardium for cloud migration

Don’t Forget Cloud Data Privacy

The most overlooked item on any workload migration project plan is often key management and compliance across multiple cloud services. Augmenting a bring-your-own-key (BYOK) service should allow you to separate the location of data from that of the encryption keys. That encryption best practice helps boost data privacy.

Many data privacy regulations are infrastructure agnostic. That means they require the same processes and controls whether the data is on-premises, in the cloud, or both. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires dual control with respect to the separation of data and keys. It also requires separate duties in the form of role-based access to key management software. PCI DSS and many others require the use of the NIST-certified Advanced Encryption Standard and Federal Information Processing Standards (140-2).

Meeting and maintaining compliance with these can be made more difficult by the prevalent use of cloud services. Furthermore, regional laws that govern data sovereignty and privacy, including the European Union’s General Data Protection Regulation (GDPR), are more and more relevant to conducting business around the globe. They often require both access controls and custodianship of data and keys. To put it simply, you have to know where your cloud keys are.

What Does Good Cloud Data Security Look Like?

But what about defending the keys you manage in a multicloud transition? Some cloud service providers (CSPs) address at least a subset of cloud encryption issues with BYOK services to give customers more control over their keys. This helps emphasize the importance of key custodianship along with the best practices that the CSPs use and, in some cases, helped create. These services are useful if you’re working at a small scale and using one cloud provider at a time. However, if you have a multicloud setup, you’ll want to be able to centralize across cloud services and take advantage of other relevant tools.

This overall consumption of cloud services has created an acute concern around storing sensitive data in one or more public clouds due to its strategic value to a company. As such, 53% of the respondents to an ESG study indicated that more than 30% of their cloud-resident sensitive data is not secured well enough. In response, their organizations expect to invest more in cloud and data security solutions.

Who’s Job Is Cloud Data Privacy?

The core concept in answering that question is the shared responsibility model. It defines the boundary line of the division of labor between the CSP and the customer for securing and protecting the cloud service. For all types of cloud services, from infrastructure platforms to software-as-a-service, the model is transparent. It’s the customer’s job to secure data stored in a public cloud.

CSPs offer some native controls, including the tools to encrypt data, upload your own keys via a BYOK service and store those keys in either a multi-tenant environment or a dedicated hardware security module. However, it’s the customer’s job to both employ these services and manage the process. The use of multiple, discrete, native data encryption-related services makes management more complex. Meanwhile, customers in specific industries also need to store encryption keys on-premises to meet regulatory compliance requirements, which means they need to be efficient and flexible according to those requirements.

What Are the Next Steps?

If you’re in the market for cloud services, look for vendors that manage encryption keys correctly. They need to prove they can protect assets stored by critical cloud services. After all, those services represent the core of modern IT more and more often. The mix of visibility into key origination usage and life cycle management will help satisfy auditors when it comes to meeting and maintaining compliance. You’ll meet data privacy and other key needs more easily. And you’ll always know where you left your keys.

Centralize key management

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today