Do you know who has access to the encryption keys for your data? I suspect that far too few organizations have given this question little or no thought, or have left the decision to their vendors. Worse, many have probably assumed that someone else is taking care of encrypting their data with little concern beyond hoping it’s encrypted somewhere, by someone for their benefit. But the location of your keys, who has access to them and who has control of them is almost as important today as encrypting them in the first place.

If you’re using a cloud service to store any of your data, chances are you are not the one in control of your keys. Unless you’ve taken special measures to work with or choose a Software as a Service (SaaS) provider to have keys under your control and unique for your organization, in all likelihood, you don’t control your keys. They have the keys, it’s up to them to create them, store them and protect them. They may have unique keys for each client, or they may have a common key for the service. In either case, the keys are in their hands and you’re relying on them to secure the storage of the keys.

Many of the SaaS providers have taken this into account and have strong measures in place to protect the keys. Infrastructure and Platform aaS providers suffer from some of the same issues, but in many of those cases you have the option of providing additional encryption measures to encrypt data. But some organizations using these services put their own keys on top of the infrastructure provided, not realizing that they’re still relying on the provider to protect the underlying services and that the key might not be as secure in the cloud as it is in a dedicated physical infrastructure. One good product that’s come to light in the last few years is cloud-based Hardware Services Modules (HSM), something we should see more common usage of as time goes by.

Beyond the security consideration of letting someone else control your keys, you have to be worried about the legal considerations of who controls your keys. When you examine any product or service where the encryption key is controlled by the vendor, the keys to decrypt the data can be compelled by a court, at least in the U.S. and the UK, with more and more countries following suit. Even worse are the laws in Russia, which are so extreme that they’ve forced Google to pull engineering resources from the country. Overall, Internet freedoms are trending down and this goes as much for the corporations of the world as for the individual. Which means the location of your keys have become a legal concern as much as they are a security concern.

Finally, who controls the keys encrypting data are a point organizations have to give more consideration to as a selling point going forward. Apple and Google both realize that giving the consumer control over their keys to encrypt their phones is something users desire. It’s also something that takes them out of the equation for law enforcement, because if they don’t have the keys, there’s no way they can be compelled to disclose. True, law enforcement doesn’t like this move to make iPhones and Android devices more secure, but if it gives them a bigger market share, it will continue. On the flip side of this are products from organizations like Verizon Voice Cypher, which has a built in decryption process that allows easy access for law enforcement. It will be interesting to see if the effect each of these decisions will have on the market and if consumers desire encryption or not. More and more, where your keys are stored and who has access to them is becoming a central question that’s nearly as important as whether you’re going to encrypt or not. Overwhelmingly, we are coming to the conclusion that encrypting your data, both as a consumer and as a corporation, is an essential security step. But now we have to take that issue to the next logical step, reviewing where the keys to decrypt that data are being stored and who’s responsible for securing them. Like the decision to encrypt itself, the location of your keys is a fundamental issue that can have far reaching consequences.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today