Join our Analyst Mike Small and Paul Hampton, Product Manager at Thales Security as they talk about the importance of securing data in the cloud.
Good afternoon and welcome to this KuppingerCole webinar with Thales Security. I'm Mike Small, a senior analyst with KuppingerCole, and I'll be talking with Paul Hampton, who is a product manager with Thales Security. The subject today is securing your data, or data protection in the cloud. This is a very important subject at the moment. It's surprising that for over 10 years we've had cloud services, and in the beginning people were told that these were going to completely replace the existing on-premises services.
And there is no doubt that a lot of organizations are using, particularly, software as a service for things like CRM and office productivity. However, the workloads that were on premises mainly remain on premises, and only something like 20% have been moved. And the reason that is given for this is concerns over compliance and security. So the question is: what is holding things back, and what do we need to do about it? So I think I'll start off by asking Paul what's different between securing data on premises and securing data in the cloud.
Hello, Mike, it's good to talk to you again. So from my perspective, the big difference with securing data within the cloud is that you can't implicitly rely on the fact that your information cannot be accessed by another party. It is not within your data center. It is no longer within your own personal IT infrastructure. It is moving to, essentially, a shared infrastructure. And so that means organizations who typically relied on the fact that they have private data centers and their own private computing infrastructure cannot rely on just that, I suppose, physical security for protection of their data.
They now need to accept that they're running essentially on somebody else's computer. And that means that they need to be applying other controls to their data beyond "it's on a computer behind a locked door". And really that needs to start with knowledge of what exactly the data is. What does it do? Where does it reside? And for many organizations, certainly organizations we talk to, a lot of the time that is very much the first but also the most difficult challenge. It's not necessarily securing the data.
It's first identifying the data that you have, assigning a sensitivity to it, and then picking what are appropriate controls for that data. And so when we look at cloud infrastructures, the cloud providers will give a variety of different security levels that you might choose to employ; knowing what is right for you and what is right for your data is really key. And then as you've moved beyond that, you talked about those workloads that are still stubbornly on premises.
Let's say we have a whole series of challenges in terms of applying appropriate controls around that data, and often trying to work out suitable separation of duties, such that the data holder, in this case the cloud provider, is not given full control of the data: they may hold the data, but not potentially the keys to unlock that data. Ultimately though, the organization responsible for the data stays the same. It doesn't matter whether it's running on premises or within a cloud infrastructure. It is the organization that the data belongs to that is ultimately responsible for its security.
And so whilst quite a few things change, and we can no longer rely on just pure privacy or lack of perimeter access as a data control methodology, many things stay the same, including who owns that data.

Yeah, I think that's an important point, because there is a lot of confusion because of this shared responsibility model with the cloud services.
And many people kind of get the mistaken belief that if you put your workload and your data in the cloud, somehow or other the cloud provider is now going to take total responsibility. Yes, indeed there is a complicated delivery stack, and the sharing of responsibility depends upon the kind of service. So for example, with infrastructure as a service, the provider is only really responsible for everything up to the hypervisor, and with software as a service, it's everything up to the application level.
But the key thing across all of these different things is the responsibility for the data. Just like you highlighted, the customer always is responsible, and they will be the ones that get hit by the regulators and so forth. So is there a difference between securing your own data and making sure that the cloud service provider is securing things? So for example, they say things like, well, we will encrypt your data.
So what would you say to that?

So I think where cloud providers give a significant advantage and benefit to organizations, particularly maybe small and medium-sized organizations, is they give you, let's say, out-of-the-box controls, encryption options for example, as you mentioned, that you can very easily turn on. Now that in and of itself is of course great. Some encryption is better than none. However, ultimately the cloud provider in many scenarios also holds the encryption keys, and is then holding the data and the keys.
And all you're really doing with encryption is transferring risk from the data to the key. And he who holds the key controls the data. And so the cloud provider, I think in many cases, will ease that transition from "I'm not necessarily using encryption to protect my data" to "now I'm using encryption", but where things then become extremely complicated,
and where I think, as an industry generally, we're not doing a particularly great job, is control and management of the encryption keys. And really all we've done is parcel the data up and transfer the risk to the encryption key.
Yes, it's certainly true that when you look at data protection, it's rather like a spaghetti dish: when you squeeze it in one direction, the problem pops out somewhere else. And so you look at symmetric cryptography, where the problem is managing the keys, and when you go to public key cryptography, it becomes having trust in the certificate and the ownership of the private key. So I think ultimately, though, we have to look at risk.
And I think that was one of the key words that you mentioned: that organizations need to understand what the risks are, those risks that apply to them, and take control in relation to those risks and use the right things. So for example, encryption is only one of the possible controls, and it only protects against certain kinds of risks. And access control is another one. And I don't know, what would you say to organizations about looking at risk, and what risks and controls are good for what circumstances?
So for me, that always starts with the data and classifying the data, because not all data requires the same degree of protection, and to try and protect all data to the absolute highest standard almost becomes a self-defeating task for many organizations. And so for me, you need to very much go through a strong and stringent data classification process to identify what is information that needs, let's say, very basic protection and maybe just access controls,
as you mentioned, through to what is the information that is absolutely vital to the survival of our organization and the ongoing protection of both organization and customer. And getting that classification correct is really a significant hurdle, an early challenge. Once you've done that, then you can look at what are the appropriate controls that I should apply for each individual data category. And so for me, it's those series of steps along the way that really are the key to solving what is otherwise quite a thorny problem.
Yes, it's also true that in order to classify the data, you have to know that you have it. And one of the big challenges about today's world, and indeed this has been made much worse by our good friend COVID and working from home, is the enormous amount of data that is generated by the office workers, by the road warriors, and by the use of office productivity tools, email, and so forth. So what do you say about all of this kind of data? Are there tools that can help to find and classify that data, and how effective are they?
So yes, there are absolutely data discovery tools that look to automate the burden of finding that data. Some of the tools are really good indeed.
However, like all tools, some of the, I suppose, nuance is down to the operators. So you mentioned road warriors, and those of us who are, I suppose, now working from home with no end in sight; that data is not necessarily easily accessible to an organization. And as we know, there are many ways of sharing and communicating data, and different cloud services devoted to that. And so for an organization to try and control a very distributed workforce and make sure that all data is within their oversight is extremely difficult indeed.
So whilst, yes, there are great data discovery and classification tools available, and they really are, I think, something you'd absolutely use to do this, being certain you've captured every last piece of data is very much a challenge and something that is a difficult thing to get right.

Indeed. And in addition to the data that you might know you house, there is this data that is perhaps being used in unexpected ways. There are two things that I always think of along those lines: journals and logs.
There's an awful amount of data that sort of sits around applications journalizing transactions. And the other is data that is used for development purposes. Do you have any advice over those kinds of data?
So yeah, so we've got data, and I suppose almost metadata as well, data about the data, and logs and journals are one example of that, I'd say. So again, these things can be produced in huge volumes, which can be its own challenge, and indeed may well be produced in greater volumes if you use a cloud service than potentially with the on-premise equivalent applications that you were running before. They're also potentially a whole lot more accessible within the cloud service, for good and bad. So protection of that data. And then you mentioned development data as well.
That is certainly a challenge, particularly where you've got development teams who may now be remote, when previously they'd have been on site, who are working on particularly sensitive items, you know, high-security source code, et cetera. And providing a remote development environment that meets all of the, I suppose, security controls and the compliance controls that might be required is a new and fresh challenge that I know a lot of our customers are working through at the moment. How do I have my most sensitive source code and development activities happen remotely?
And whilst cloud services can help to an extent, and certainly provide you with a rich suite of tools for remote usage, a lot of the classic IT security problems remain. And all of the things that standards like ISO 27001 will tell us about how to go about securing data still very much hold true, but with a completely fresh set of challenges without the physical security barriers that we've often relied on, maybe too heavily, previously.
Yes. Well, standards like ISO 27001 and so forth are extremely important, but they also leave an enormous amount of discretion to the supplier of the standard. So for example, earlier on you talked about the need to secure keys. So there are different ways that people secure keys: there is public key infrastructure, where you effectively have two different keys, and you also have things like hardware security modules. So what is your advice, and what do you say to people about how best to deal with securing keys?
So as referenced earlier, once you use encryption the key is equivalent to the data: whoever controls the key essentially controls the data. And so the controls you put around that key have to be commensurate with the controls that you'd put on the data itself. Now you referenced, certainly, PKI, and indeed there are a lot of really good cryptosystems around for distributing and sharing keys.
Ultimately though, all of them come back to a root of trust in some shape or form, be that the private key in a PKI infrastructure, or indeed a master key in, let's say, some sort of symmetric derivation scheme. Ultimately there's a single key. If that key is truly precious to your organization, because the data it protects is precious, then we at Thales, my employer, and indeed myself would advocate that that key should be stored extremely strongly and protected extremely strongly. And typically that leads you towards hardware security modules.
If I look at cloud services generally, I think there are a number of different key management options that are available to anybody picking one of the popular public clouds, be that local key management within the cloud, or often some form of either customer-sourced, bring-your-own encryption key, or in some cases a higher level, which is customer managed. The security that you need to apply to your data, I think, drives how you look at that key management.
And so for the most secure use cases, you'd say hardware security module; for things that rest in the middle, potentially a cloud provider's key vault is sufficient; and then at the lower end, you probably have, I suppose, much less stringent controls around the keys in question, potentially with software key stores protected by passwords, if it is low-value data. And ultimately picking that differentiator between the data, I think, is really important.
Of course, if you want to just go best practice all the way through, my advice would be put all your keys inside a hardware security module, and that way you can be extremely confident that they are not going to be misused or indeed go missing without your knowledge.

Yeah.
So again, this to some extent comes back to the risk that we're looking at: that if the cloud provider is managing the keys and holds the keys, then the risk is that the cloud provider potentially has access to your data. And the Schrems II ruling recently raised the anxiety of customers that a cloud provider may be subject to government pressure to disclose data. So that is really the risk there.
Now, the next level of risk is perhaps that the administrators within the cloud service provider may go rogue and decide to steal your data. Or then you're looking at things like, well, what happens when the media, or the space in the media that your data is held on, is reused by some other organization? So all of those things are areas where encryption is really important and where managing the keys is also important.
Now, perhaps in that, you also spoke about all the various exotic ways that cloud providers talk about this, like bring your own key, homomorphic encryption, double encryption. Would you like to just expand a little bit on that?
Yes, I can try. And I have to say, this is an extremely complicated space, where there's a large number of buzzwords that arrived in very short order that I think make it confusing and complicated for people coming fresh to wanting to use a public cloud and trying to understand how on earth they handle encryption and key management in this space.
So I would give this as a sort of hierarchy of security for your keys. From the cloud provider manages the keys, which, as you touched on, Mike, means there is no separation of duties between the people who hold the keys and the people who hold the data, and so that's sort of a base option one. You can then have, with most cloud providers, some form of bring-your-own or customer-sourced encryption key option. And in this scenario, the customer generates an encryption key that they wish the cloud provider to use, and then typically securely uploads it to the cloud provider.
So that still doesn't give you the separation of duties between who holds the key and who holds the data. But it does give you the assurance that the key is one that you have knowledge of and was created in line with your own organization's best practice. So you can be confident in the security and quality of the key, and indeed its origin. And you know that you also hold the key. Moving on from there to a third tier, we've then got customer managed or externally managed.
Oh, and you mentioned double key encryption also, which is a new one from one particular cloud provider. All of these modes of operation mean that the cloud provider's customer holds the key and then carries out the encryption and decryption operations on behalf of the cloud provider when they're required. So for example, if a piece of data is being accessed within the cloud provider, the cloud provider will make an outbound request to their customer to say, I need you to decrypt this data, please, or perform this particular crypto operation, a sign or verify, for example.
And in this scenario, you do get strong separation between the party holding the data and the party holding the key. And you can also therefore have an extremely strong audit layer. We mentioned audit and logging a few moments ago; you can have an extremely strong layer of audit knowledge as to why the cloud provider is requesting access to your data and when they are requesting access to that data via access to the key.
And so, let's say, US Patriot Act and, essentially, no-knock access to data by a government: you'd still see the cloud provider requesting access to the data, even though they couldn't tell you that they were operating under a warrant or a government order. And so that gives, I suppose, the fullest amount of security possible in this scenario where your data is resident in a cloud service.
Well, this is an incredibly interesting and wide subject, and I'm sure we could talk about it all day, but since we don't actually have all day, perhaps you could finish off by saying, in this complicated world where you are using both on-premises and cloud services, what would your simple piece of advice to organizations be?

I think the simple advice and the first step is data classification: discovery and classification. Because once you've solved that problem and you've identified the data that you have, at that point choosing the correct controls to use becomes a much, much easier challenge.
And so for me, it's all about discovery and classification of data. Discover and classify your data, and then use the appropriate controls.

Well, thank you very much, Paul Hampton, product manager at Thales Security, and thank you very much to the audience for listening. Thank you for your time. Thank you.
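The key-custody hierarchy Paul describes (provider-held key, bring-your-own key, and the customer-managed tier where the provider must call out to the customer for every decrypt) as an added simulation placed after the transcript; this is illustrative code written for this page, not Thales or any cloud provider's API. The cipher is an HMAC-based stand-in, and the provider names, allow-list and sample record are constructed.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(_prf(key, b"enc" + nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as keystream plus an HMAC tag: an illustrative
    # stand-in for the provider's real cipher, not a production construction.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(key, b"mac" + nonce + ct)

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac" + nonce + ct)):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class CustomerKeyService:
    # Tier 3 (customer/externally managed): the key never leaves the customer, so every crypto operation is a logged request.
    def __init__(self, key: bytes, allowed_callers: set):
        self._key, self._allowed, self.audit = key, allowed_callers, []

    def encrypt(self, plaintext: bytes) -> bytes:
        return encrypt(self._key, plaintext)

    def decrypt_for(self, caller: str, record_id: str, purpose: str, blob: bytes) -> bytes:
        granted = caller in self._allowed
        self.audit.append({"caller": caller, "record": record_id, "purpose": purpose, "granted": granted})
        if not granted:
            raise PermissionError(f"{caller} may not use this key")
        return decrypt(self._key, blob)

class CloudProvider:
    # Holds the ciphertext. Tiers 1 and 2 also hold the key locally (tier 2 differs only in who generated it).
    def __init__(self, name: str, tier: int, local_key=None, external=None):
        self.name, self.tier, self._key, self._external, self.store = name, tier, local_key, external, {}

    def read(self, record_id: str, purpose: str) -> bytes:
        blob = self.store[record_id]
        if self.tier in (1, 2):
            return decrypt(self._key, blob)  # no call-out: the customer sees nothing
        return self._external.decrypt_for(self.name, record_id, purpose, blob)

def run_demo() -> dict:
    data = b"constructed sample record"
    byok = secrets.token_bytes(32)  # tier 2: customer-generated key uploaded to the provider
    cloud_b = CloudProvider("cloud-b", 2, local_key=byok)
    cloud_b.store["r1"] = encrypt(byok, data)
    kms = CustomerKeyService(secrets.token_bytes(32), {"cloud-c"})  # constructed allow-list
    cloud_c = CloudProvider("cloud-c", 3, external=kms)
    cloud_c.store["r1"] = kms.encrypt(data)
    tier3 = cloud_c.read("r1", "legal request")  # call-out: the customer's audit log records it
    try:  # a party not on the allow-list holding the same ciphertext gets refused, and logged
        kms.decrypt_for("other-party", "r1", "unauthorized read", cloud_c.store["r1"])
        other_read = True
    except PermissionError:
        other_read = False
    return {"tier2": cloud_b.read("r1", "legal request"), "tier3": tier3, "other_read": other_read, "audit": kms.audit}
```

The contrast to look at is the audit list: the tier 2 read leaves no trace on the customer's side, while every tier 3 request, granted or refused, names the caller, the record and the stated purpose.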