Let’s say you’re about to walk out of the house and realize you’ve forgotten your keys. The first thing a family member will probably ask you is “Where did you last have them?” But at work, asking for the keys to a cloud — the keys that ensure data privacy — might get a different reaction. People are more likely to shrug and suggest the keys are just fine wherever they are.

Many enterprises these days are moving to the cloud or multiple clouds. Digital adoption is happening everywhere and affecting everything we do. The changes in our workforce also underscore that nothing will be the same as it was before 2020.

Migrating workloads or workload automation are some of the biggest challenges facing the entire connected world. The journey is fraught with risks, challenges and costs that only the best can foresee. However, for some, the laggard strategy may have paid off. According to a survey by IDG, many organizations that had shifted to the public cloud have reversed course by moving some workloads back on-premises due in part to how complex cloud management and data integration can be. So what makes for a good cloud migration that ensures data privacy and a smooth transition?

Guardium for cloud migration

Don’t Forget Cloud Data Privacy

The most overlooked item on any workload migration project plan is often key management and compliance across multiple cloud services. Augmenting a bring-your-own-key (BYOK) service should allow you to separate the location of data from that of the encryption keys. That encryption best practice helps boost data privacy.

Many data privacy regulations are infrastructure agnostic. That means they require the same processes and controls whether the data is on-premises, in the cloud, or both. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires dual control with respect to the separation of data and keys. It also requires separate duties in the form of role-based access to key management software. PCI DSS and many others require the use of the NIST-certified Advanced Encryption Standard and Federal Information Processing Standards (140-2).

Meeting and maintaining compliance with these can be made more difficult by the prevalent use of cloud services. Furthermore, regional laws that govern data sovereignty and privacy, including the European Union’s General Data Protection Regulation (GDPR), are more and more relevant to conducting business around the globe. They often require both access controls and custodianship of data and keys. To put it simply, you have to know where your cloud keys are.

What Does Good Cloud Data Security Look Like?

But what about defending the keys you manage in a multicloud transition? Some cloud service providers (CSPs) address at least a subset of cloud encryption issues with BYOK services to give customers more control over their keys. This helps emphasize the importance of key custodianship along with the best practices that the CSPs use and, in some cases, helped create. These services are useful if you’re working at a small scale and using one cloud provider at a time. However, if you have a multicloud setup, you’ll want to be able to centralize across cloud services and take advantage of other relevant tools.

This overall consumption of cloud services has created an acute concern around storing sensitive data in one or more public clouds due to its strategic value to a company. As such, 53% of the respondents to an ESG study indicated that more than 30% of their cloud-resident sensitive data is not secured well enough. In response, their organizations expect to invest more in cloud and data security solutions.

Who’s Job Is Cloud Data Privacy?

The core concept in answering that question is the shared responsibility model. It defines the boundary line of the division of labor between the CSP and the customer for securing and protecting the cloud service. For all types of cloud services, from infrastructure platforms to software-as-a-service, the model is transparent. It’s the customer’s job to secure data stored in a public cloud.

CSPs offer some native controls, including the tools to encrypt data, upload your own keys via a BYOK service and store those keys in either a multi-tenant environment or a dedicated hardware security module. However, it’s the customer’s job to both employ these services and manage the process. The use of multiple, discrete, native data encryption-related services makes management more complex. Meanwhile, customers in specific industries also need to store encryption keys on-premises to meet regulatory compliance requirements, which means they need to be efficient and flexible according to those requirements.

What Are the Next Steps?

If you’re in the market for cloud services, look for vendors that manage encryption keys correctly. They need to prove they can protect assets stored by critical cloud services. After all, those services represent the core of modern IT more and more often. The mix of visibility into key origination usage and life cycle management will help satisfy auditors when it comes to meeting and maintaining compliance. You’ll meet data privacy and other key needs more easily. And you’ll always know where you left your keys.

Centralize key management

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…