Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

What Does Customer Managed Encryption Keys Really Mean for Cloud Service Providers?

Home
Industry Insights
What Does Customer Managed Encryption Keys Really Mean for Cloud Service Providers?

Blog Article Published: 03/06/2015

By Todd Partridge, Director of Strategy, Intralinks

Have you ever leased a safety deposit box from your bank? For years the security and privacy of a safe deposit box has been the standard in the physical world. People have put their most important and their most valued information in bank vaults around the world with the confidence that it would remain secure and kept away from unsolicited parties. Safe deposit boxes provided the extremely high security measures and processes needed to protect these assets at scale.

In essence, the hundreds of customers a bank may have shared the cost of providing that ongoing security and privacy. Today’s SaaS industry is predicated on the same principles: that it is far more cost effective for customers to share the cost of computer power, infrastructure, and application maintenance. The question that often remains is whether or not SaaS providers are capable of providing the same level of confidence that banks have provided for safe deposit boxes.

On the consumer side of the SaaS market, users hear the stories of large enterprises losing priceless intellectual property and they listen to ‘experts’ saying that cryptography could have protected them. To the average user of a cloud service the question becomes, “why not just encrypt the data and be done with it?” Reality becomes even murkier when it is mixed with strong PR campaigns of companies looking to make a name for themselves as they capitalize on the misfortune of these companies that may not have taken the appropriate measures to protect their data in the cloud. In the cloud, customer data faces different threats when at rest, in transit, or in use.

There are important differences to each of these threats and their associated responses that bear further discussion. Here we’ll take on data at rest, but as a backdrop we must not forget that it is the intricate weave of all three that is important.

Data at Rest

Any service hosting customer data must provide assurances that it is protected while in their custody from external hackers, malicious insiders, and as we learned recently, governments. So, data must be encrypted at rest, which is relatively easy to implement. Many players, big and small, may declare that they give their customers full control of the encryption keys, also known as Customer Managed Keys (CMK). As companies begin to realize the importance of owning and managing the encryption keys used to protect their data in the cloud, the important question is – how is that control implemented?

There are several questions that today’s enterprises should consider when evaluating a cloud service provider’s claims of customer managed encryption keys:

  1. Can the customer login directly to the appliance that houses the keys and suspend the key without provider’s help or knowledge, if needed?
  2. Is there any provider software in the middle that can be compromised and leak the key?
  3. Keys need to be rotated. What happens to data at the time of key rotation?
  4. Does the customer need to wait for re-encryption of terabytes of data with the new key?

Arguably, if the chosen managed keys solution cannot provide these capabilities, it may fall short of many enterprise requirements for secure storage of that company’s most valuable information assets. Businesses need to pay attention to the details of the proposed solution just as you would pay attention to whether or not your bank has the right measures in place to protect those items you place in their safe deposit boxes.

Keeping Data Protected

It is obvious that data protection, especially in a SaaS model, is a complex task where science, engineering, and operations must be aligned perfectly to protect information assets from any number of threats. Just as banks provide a multi-layered security model to protect their customer’s value assets, cloud service providers need to give their customers analogous capabilities such as:

  1. A container suitable for the storage of a company’s most valuable information
  2. Customers’ ability to choose the geographic location of said container
  3. Secured channels of access to the data
  4. The ability to provide controls that allow no single entity to own or control access to the encryption keys
  5. The solution should be able to account for all copies of the data
  6. The solution should provide compliance reports and audit trails that document which users access, or attempt to access, the protected data, as well as when the action took place

In our next two articles in this series on information security in the cloud, we’ll explore the threats and security considerations of protecting data in transit and while in use.

Todd Partridge is the Director of Strategy at Intralinks. He has broad industry experience in the enterprise information management (EIM) space, with deep expertise in all trends and technologies related to information governance, enterprise content management, document management, web content management, business intelligence, team collaboration, e-mail management and enterprise records management practices.

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.