Your Encryption Keys, Your Kingdom

Do you know who has access to the encryption keys for your data? I suspect that far too few organizations have given this question little or no thought, or have left the decision to their vendors. Worse, many have probably assumed that someone else is taking care of encrypting their data with little concern beyond hoping it’s encrypted somewhere, by someone for their benefit. But the location of your keys, who has access to them and who has control of them is almost as important today as encrypting them in the first place.

If you’re using a cloud service to store any of your data, chances are you are not the one in control of your keys. Unless you’ve taken special measures to work with or choose a Software as a Service (SaaS) provider to have keys under your control and unique for your organization, in all likelihood, you don’t control your keys. They have the keys, it’s up to them to create them, store them and protect them. They may have unique keys for each client, or they may have a common key for the service. In either case, the keys are in their hands and you’re relying on them to secure the storage of the keys.

Many of the SaaS providers have taken this into account and have strong measures in place to protect the keys. Infrastructure and Platform aaS providers suffer from some of the same issues, but in many of those cases you have the option of providing additional encryption measures to encrypt data. But some organizations using these services put their own keys on top of the infrastructure provided, not realizing that they’re still relying on the provider to protect the underlying services and that the key might not be as secure in the cloud as it is in a dedicated physical infrastructure. One good product that’s come to light in the last few years is cloud-based Hardware Services Modules (HSM), something we should see more common usage of as time goes by.

Beyond the security consideration of letting someone else control your keys, you have to be worried about the legal considerations of who controls your keys. When you examine any product or service where the encryption key is controlled by the vendor, the keys to decrypt the data can be compelled by a court, at least in the U.S. and the UK, with more and more countries following suit. Even worse are the laws in Russia, which are so extreme that they’ve forced Google to pull engineering resources from the country. Overall, Internet freedoms are trending down and this goes as much for the corporations of the world as for the individual. Which means the location of your keys have become a legal concern as much as they are a security concern.

Finally, who controls the keys encrypting data are a point organizations have to give more consideration to as a selling point going forward. Apple and Google both realize that giving the consumer control over their keys to encrypt their phones is something users desire. It’s also something that takes them out of the equation for law enforcement, because if they don’t have the keys, there’s no way they can be compelled to disclose. True, law enforcement doesn’t like this move to make iPhones and Android devices more secure, but if it gives them a bigger market share, it will continue. On the flip side of this are products from organizations like Verizon Voice Cypher, which has a built in decryption process that allows easy access for law enforcement. It will be interesting to see if the effect each of these decisions will have on the market and if consumers desire encryption or not. More and more, where your keys are stored and who has access to them is becoming a central question that’s nearly as important as whether you’re going to encrypt or not. Overwhelmingly, we are coming to the conclusion that encrypting your data, both as a consumer and as a corporation, is an essential security step. But now we have to take that issue to the next logical step, reviewing where the keys to decrypt that data are being stored and who’s responsible for securing them. Like the decision to encrypt itself, the location of your keys is a fundamental issue that can have far reaching consequences.


Martin McKeay

Security Advocate

Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. As a member of Akamai's Security...