Encryption: your data is only as secure as the person that holds the key
We've all read the security horror stories – employees leaving laptops on trains, old hard drives containing customer details being bought on eBay, lost USB sticks. In fact the results from our annual Data Health Check shows that in 2013 human error was the greatest cause of data loss in UK organisations. The threat of data loss is constant and in order for organisations to protect themselves, encryption has become essential. But it isn't as simple as just encrypting your files and forgetting about them. After all, your encrypted data is only as secure as the person that holds the key.
The process of encryption key management has become as important as encryption itself. The creation, storage and deletion of keys should all be properly and securely managed - if you lose your key, you lose your data. This is why some organisations share the burden of responsibility with a cloud service provider (CSP), by choosing server-side encryption.
Server-side encryption simplifies your environment and puts the responsibility of key management in your providers' hands. There is of course the risk, however, that the provider decrypts and accesses your data. This method is a bit like locking your car but giving a stranger the keys. The relationship requires a lot of trust. Do your homework and make sure your CSP has appropriate certifications for data security, like ISO 27001 for example. If a provider is compliant to regulations such as these, it's usually a good indication that your data is in safe hands.
But even then, a discussion about how your data in transmitted to end-users is essential. How is the data encrypted when it's transferred? Is it as secure when it reaches the end-user's device as it is when server-side? These are all considerations that need to be taken.
Alternatively, organisations can choose client-side encryption. You are fully responsible for maintaining your own encryption key, which obviously incurs some overheads, but it significantly reduces the risk of unauthorised access to your data. An understanding of your compliance needs is crucial. PCI DSS, for example, necessitates split knowledge, meaning no one person can know the entire key, and also requires encrypted keys to be stored separately from the data.
Whether server or client side, an organisation needs to have defined encryption key management procedures in place. If you don't have a procedure in place you're already at risk. By implementing procedures you are at least working towards mitigating risk, but these processes need to have controls in place to ensure they're actually do the job they set out to. Without controls, organisations are simply ticking a compliance box that is potentially flawed.
Complex or fragmented management processes increase the chance of a security breach and ultimately increase the overall difficulty and cost of management. To protect the integrity of your data, work out who legitimately needs access and limit it to these authorised few. Once agreed, these processes should be well documented and clearly communicated to all parties involved. Confused and poorly documented key management guidelines can dramatically increase the complexity of monitoring and reporting.
Hesitance to put sensitive data in the cloud due to security risks is still the biggest concern for UK organisations. There's a lot of choice out there and, in reality, not everyone needs encryption. To put it into perspective, organisations need to ask themselves whether they'd be happy if someone read their post before it was delivered, or whether they'd want that letter tracked and posted securely so that only the person who is meant to read the letter actually does. Does all of your data need to be encrypted or is there only certain information that is classified and requires encryption?
With 64% of the companies we questioned in our survey currently operating at least one cloud-based service, it's obvious that managers are beginning to realise the potential efficiencies and cost benefits of cloud platforms. As long as the correct processes are in place, there is no reason your data should be at any more risk in a cloud environment than it would be in your own server room.