The Adoption of Multi-Cloud Drives the Need for Better Data Protection and Management of Encryption Keys and Policy Controls
Published 09/17/2021
This blog was originally published by Entrust here.
Written by Jim DeLorenzo, Entrust.
Enterprise adoption of multiple cloud platforms continues in earnest, whether it’s aimed at improving collaboration, reducing datacenter footprint, increasing customer response times or any number of other business goals. As organizations advance their multi-cloud strategies, they are tasked with applying consistent security configurations across workloads and applications. They must also implement data protection that addresses today’s threat vectors and aligns with stringent compliance and audit requirements.
Encrypting cloud data is essential to protecting sensitive information and workloads – but it needs to be done correctly in order to be effective and meet compliance mandates. A recent report from Forrester, Best Practices: Cloud Data Encryption, articulates a number of important recommendations related to cloud data encryption, notably:
- Use hardware security modules (HSMs) to store encryption keys separately from cloud workloads
- Use a centralized HSM infrastructure to manage the encryption keys used across cloud environments
- Rotate your keys regularly to ensure alignment with compliance requirements and auditor expectations
These security measures are critical to protecting your cloud data and workloads, and it’s vital to get them right from the outset.
Ready to dig deeper?
Another go-to resource for anybody responsible for – or merely interested in gaining a more comprehensive understanding of – cloud data security is the Cloud Security Alliance Cloud Controls Matrix (CSA CCM). This invaluable asset includes more than 20 controls specific to encryption and key management, and is widely referenced across the security industry.
Multi-cloud computing is here to stay – and so are the complexities associated with protecting your data and workloads.
Administrative challenges of managing cloud environments
While cloud service providers continue to enhance their built-in security capabilities, the teams tasked with managing cloud environments face a constant battle to fine-tune their configurations and permissions. As exemplified by numerous data breaches over the past few years, misconfigured cloud storage settings are a common, yet often unidentified, trouble spot.
Each cloud platform is unique and, even if you manage to get a handle on who has access to which data and workloads, keeping up with providers’ updates and new controls requires constant vigilance. And as the shortage of skilled security professional persists – including those with expertise working across multiple cloud platforms – these challenges aren’t going away.
Demonstrating compliance
Identifying and implementing the right security controls is one challenge, while demonstrating compliance with data privacy regulations and industry mandates is another. Security teams cite specific concerns about being able to verify controls and how to report compliance in an auditor-approved format.
As compliance and audit requirements continue to get more stringent, nearly every enterprise is now subject to at least one mandate that calls for the use of data encryption. And as the Forrester report discusses, data encryption is a must-have for cloud workloads. This necessary security measure comes with its own administrative upkeep that can be difficult to handle without the right tools in place.
Cloud data encryption: getting it right
Workloads go through many lifecycles, from staging to deployment, to backup, and eventually have to be securely decommissioned. Each stage poses different risks of potential data theft or other misuse. Managing workload encryption from each cloud’s management platform is complex and further increases the risk of inconsistent policies and mistakes.
Additionally, an encryption strategy that aligns with compliance mandates requires robust key management. Unfortunately, key management is not universal across cloud platforms so the security team must contend with key storage, distribution, rotation, and revocation in multiple environments.
What’s more, when encryption keys are not completely separated from the workloads and data they protect, the potential exists for a security incident that compromises both, leaving data exposed to a breach. Best practices call for the use of certified HSMs to protect your encryption keys.
Remain vigilant
Multi-cloud deployments are here to stay, requiring IT and security teams to remain vigilant as they endeavor to understand and react to the ever shifting threat landscape. Following the guidance offered by knowledgeable professionals like the CSA and Forrester provides a solid foundation for an effective cloud security strategy.
Related Articles:
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management
Published: 11/22/2024
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024