Event Recording

Eric Wolff: Understanding Best Practices for Cloud Key Lifecycle Management

Cloud Security best practices arise from the shared responsibility model for cloud computing, which states that customers are responsible for the security of data in the cloud. This session will cover the latest trends in cloud security, cloud provider shared security models, and the use of data encryption as a best practice. With cloud encryption key lifecycle management seen by many as a problem yet to be solved, the session will wrap with an overview of CipherTrust Cloud Key Manager from Thales.

Because this is virtual and because you can see my camera, there's a new thing on the internet, as you know: what's that behind you? And what you can see behind me is my solar panels' data aggregator at the top, and a big relief map of the United States. And why are those things behind me? Because I'm in the laundry room here in Los Altos, California, where it's 4:45 AM and the rest of the family is sleeping. So I'm in a very quiet place. And I'm Eric Wolff, senior product marketing manager. The product that I'm going to explain to you is a tool to enable you to implement best practices for cloud key lifecycle management. So let's just dive into that. I'm sure that other sessions today have mentioned that sensitive data in the cloud continues to grow. This slide's statistics are from the 2020 Thales Data Threat Report, which you can get from our website, cpl.thalesgroup.com.
And among the statistics that we find in that report is that an astounding 50% of corporate data is now being stored in the cloud. It is just a staggering proportion of data that is now in the cloud. And of course that varies by country, and we have a European version of the Data Threat Report on the website now as well, so that you can see Europe-specific statistics. But I think these statistics are proxies for Europe, even though these are stats from the 2020 global report, which also stated that 48% of that 50% of data that's stored in the cloud is sensitive, and that sensitive data needs to be protected. But before I talk about protecting sensitive data, I'd also like to say that a crucial finding from the 2020 Thales Data Threat Report is that, for sure, it's a multi-cloud world. And the statistics bear that out, where we saw that the vast majority of organizations globally are using two or more infrastructure-as-a-service providers, with a similar number using platform-as-a-service providers, and a slight uptick in the number of organizations.
Now here's where it gets interesting. Up at the top of the slide, it says two or more infrastructure-as-a-service and two or more platform-as-a-service providers. This last question about software as a service: 83% of organizations are using 11 or more software-as-a-service providers. And this is absolutely no surprise to me, because in my daily life, working at Thales, I use an amazing number of software-as-a-service applications, a little bit fewer now that Thales has purchased Gemalto and we've adopted some of their IT, but still a lot of external software-as-a-service providers in my daily life.
And when you start using cloud computing, you have to understand that you as a cloud consumer are responsible for data security in the cloud. The cloud provider is only going to be responsible for the infrastructure of the cloud. And let's take a look at that. I'm not making this up. Amazon Web Services has been talking about this for years and years. This chart first showed up in a blog that was published in 2015, where Amazon was very clear with their customer base, saying that they are going to be responsible for security of the cloud versus security in the cloud. And I apologize, because for most of you attending this virtual event today, English is not your first language, and we've got this weird subtlety in a couple of prepositions, of and in, pertaining to the cloud. So let me try to bring this diagram to life by saying that if you just look at the colors, you discover that customers are actually responsible for more security in AWS than AWS is themselves.
And I won't go through all the details here in the interest of time, because there's a URL on this slide and you'll be receiving the slides with live links. Microsoft isn't the only vendor that talks about shared responsibility. And you can see that a short time after Amazon published their statement on the shared security model for cloud computing, Microsoft Azure published theirs. And one of the great things that I love to point out on this slide is the nature of Microsoft as a vendor, given by the column labeled on-prem. Because I like to remind people that one of the things that makes Azure kind of cool is that Azure leverages Microsoft's enormously long tenure in on-premises computing while they're connecting customers to the cloud. And so I think it's just kind of cute that Microsoft took advantage of a statement on the shared security model to remind customers that, well, they're entirely responsible for security on premises, with declining amounts of security responsibility as they migrate from infrastructure as a service, which is lift-and-shift computing, to platform as a service, where we see rearchitected applications that leverage cloud models.
And then of course the software-as-a-service model, such as we find from Microsoft with Office 365 and Exchange Online. And so the shared responsibility model for cloud computing is well established, with a couple of slides visible here from two of the largest public cloud providers. And so the question is, with the shared responsibility model in place, is enough cloud security actually available? In the 2020 Data Threat Report we learned that 100% of respondents, and there were over 1,100 surveys issued, 100% of the respondents to the Data Threat Report survey said that they have at least some sensitive data in the cloud that is not protected by encryption. Now, we stated the question in order to get an answer that's very, very common, but the most interesting aspect of this question is that there's sort of an acknowledgement that one of the best ways to protect sensitive data in the cloud is to encrypt it.
And that is shown by the 57% of respondents who said that they're at least encrypting a majority of the data. Now, when I present this slide, I like to provide a historical perspective. When I first went to work for Thales back in 2016, the Data Threat Report from 2016 said that only 23 or 22% of customers worldwide were encrypting sensitive data in the cloud. So I like to look at a statistic like 57% and say I think the glass is half full rather than half empty, in that every year when we ask in the Data Threat Report survey how much sensitive data is being encrypted, the number is going up. And again, that personally gives me confidence in my data being stored by my personal providers, such as the banks and financial institutions and e-commerce vendors that I personally leverage in my daily life, that have a ton of my data in their cloud properties.
And so where does the notion that encryption is actually a good idea come from? It turns out that the Cloud Security Alliance, which is a global organization dedicated to establishing and promulgating best practices for cloud security, has a tool that you can use called the Cloud Controls Matrix. The Cloud Controls Matrix is this great spreadsheet that you can download from the Cloud Security Alliance website and use to compare and ensure that cloud vendors are implementing their side of the shared security model, and it provides guidance to you so that you can take responsibility for your side of the shared responsibility model for cloud computing. And because I work for a product that provides encryption and key management, I focus on the section titled EKM, Enterprise Key Management. In section EKM-04 of Enterprise Key Management in the Cloud Controls Matrix, we read that in the cloud platform and data, appropriate encryption shall be required. So as a best practice for secure cloud computing, we find that encryption shall be required, at least as a best practice.
So how can one encrypt data in infrastructure and platform as a service? Well, it turns out that you have a couple of choices for encrypting data in the cloud. On the left, I depict the notion of bringing your own advanced encryption to the cloud. Advanced encryption solutions have some benefits, including more granular and higher data access policies and privileged user access controls that protect data more effectively than cloud provider encryption. In addition, there are other features in bring-your-own encryption, including security intelligence with SIEM integration, the notion of being able to transform data while it's in use, and, perhaps most important in a hybrid and multi-cloud world, bringing your own advanced encryption allows you to move data from the cloud to premises or from one cloud provider to another without having to decrypt it while it is in motion. But all that being said, cloud providers offer encryption in infrastructure and platform as a service. And for the purposes of this discussion, I'm going to focus on cloud provider encryption. Why? Because cloud provider encryption is a common customer choice. It's easy, it's typically turned on with a checkbox, and it can be cost effective, even though it is used with some risk.
So with cloud provider encryption, the question goes to: what about the encryption keys? And for that best practice, I return to the Cloud Security Alliance's Cloud Controls Matrix. I go back to EKM-04, Enterprise Key Management, in the Cloud Controls Matrix, and I read that encryption keys shall not be stored in the cloud, but rather maintained by the cloud consumer or a trusted key management provider. And what they were doing there in the Cloud Controls Matrix was trying to leave some flexibility as a best practice for how keys shall be managed.
So what about the question between bringing your own key versus managing cloud keys? First, what I'm going to say is that from a best practices perspective, the cloud providers have done a pretty darn good job of enabling customers to bring keys to the cloud. It's possible to create and deploy keys into the cloud from HSMs, soft HSMs, or key management. But as you can see from the red boxes, it can get a little complicated, because the only thing you can really do with a key from an HSM or soft HSM is get it into the cloud. Comprehensive key lifecycle management is available with CipherTrust Cloud Key Manager from Thales, the industry's only cloud lifecycle management solution where creation, backup, deployment, monitoring of use, rotation, expiration management, archival, and key destruction are all available from a centralized console covering multiple clouds. Here's a closer look at CipherTrust Cloud Key Manager.
As I get towards the end of my prepared remarks and enable you to ask your questions: it's a solution that provides cloud bring-your-own-key services with enhanced security team efficiency, with centralized multi-cloud key lifecycle management for infrastructure, platform, and software as a service, offering strong encryption key security and control with the compliance tools that you need when using the cloud. It supports Microsoft Azure, Azure Stack, the Microsoft China and Germany national clouds, as well as IBM web services and IBM Cloud. And it can secure keys for Office 365 and Salesforce and Salesforce Sandbox. Cloud team security efficiency is conferred with comprehensive cloud key lifecycle management, with automated key rotation, cloud key backup support, the ability to create, enable, disable, and revoke keys that you bring to the cloud as well as native cloud keys that we manage through key vault synchronization across multiple clouds, with the ability to create specific cloud keys and support multiple accounts or subscriptions.
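The talk above lists the lifecycle stages a customer-held cloud key should pass through (creation, deployment, monitoring of use, rotation, expiration, archival, destruction) and the EKM-04 point that the key material stays with the consumer or a trusted key manager. As an added illustration for this page, not code from the talk, from CipherTrust Cloud Key Manager, or from any Thales or cloud-provider API, the following Python models those stages as a state machine: state names follow NIST SP 800-57 Part 1 (the "suspended" state is omitted), key material is generated with `secrets.token_bytes` in place of an HSM, times are caller-supplied integer Unix seconds, and the key name `payroll-db-cmk` is hypothetical. It shows what rotation has to guarantee in practice: data protected under an older version can still be processed, the old version can never protect new data or be reactivated, and destruction zeroises the material while leaving the audit trail.

```python
"""Key-lifecycle state machine for a customer-held cloud key (constructed example).
State names follow NIST SP 800-57 Part 1 (the "suspended" state is omitted); key versions
are kept so rotation never strands data encrypted under an older version."""
import secrets
from dataclasses import dataclass, field
from enum import Enum


class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"


# "protect" = encrypt/wrap new data, "process" = decrypt/unwrap existing data.
# A deactivated version may still process old ciphertext but never protect new data.
PERMITTED = {
    KeyState.PRE_ACTIVATION: frozenset(),
    KeyState.ACTIVE: frozenset({"protect", "process"}),
    KeyState.DEACTIVATED: frozenset({"process"}),
    KeyState.COMPROMISED: frozenset(),
    KeyState.DESTROYED: frozenset(),
}
# Legal transitions; anything else (e.g. re-activating a retired version) is rejected.
TRANSITIONS = {
    KeyState.PRE_ACTIVATION: {KeyState.ACTIVE, KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.DEACTIVATED: {KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.COMPROMISED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}
DAY = 86400  # times in this example are integer Unix seconds supplied by the caller


class LifecycleError(Exception):
    """Raised when an operation or transition violates the lifecycle rules."""


@dataclass
class KeyVersion:
    version: int
    material: bytearray  # mutable so destroying the version can overwrite it in place
    created: int
    state: KeyState = KeyState.PRE_ACTIVATION


@dataclass
class ManagedKey:
    name: str
    max_age: int  # rotation policy: an active version older than this is due for rotation
    versions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (time, version, event) for every change

    def create_version(self, now):
        """Generate a fresh 256-bit version (stand-in for an HSM); starts in pre-activation."""
        v = max(self.versions, default=0) + 1
        self.versions[v] = KeyVersion(v, bytearray(secrets.token_bytes(32)), now)
        self.audit.append((now, v, "created"))
        return v

    def transition(self, version, new_state, now):
        kv = self.versions[version]
        if new_state not in TRANSITIONS[kv.state]:
            raise LifecycleError(f"{kv.state.value} -> {new_state.value} is not allowed")
        kv.state = new_state
        if new_state is KeyState.DESTROYED:
            kv.material[:] = bytes(len(kv.material))  # zeroise; only metadata survives
        self.audit.append((now, version, new_state.value))

    def active_version(self):
        # rotate() keeps at most one version active at any time
        return next((v for v, kv in self.versions.items() if kv.state is KeyState.ACTIVE), None)

    def key_for(self, operation, version=None):
        """Return key material for an operation, enforcing the per-state rules."""
        if version is None:
            version = self.active_version()
            if version is None:
                raise LifecycleError("no active version")
        kv = self.versions[version]
        if operation not in PERMITTED[kv.state]:
            raise LifecycleError(f"{operation} not permitted on v{version} ({kv.state.value})")
        return bytes(kv.material)

    def rotate(self, now):
        """Create and activate a new version, retiring the previous one to deactivated."""
        old = self.active_version()
        new = self.create_version(now)
        if old is not None:
            self.transition(old, KeyState.DEACTIVATED, now)
        self.transition(new, KeyState.ACTIVE, now)
        return new

    def rotation_due(self, now):
        v = self.active_version()
        return v is None or now - self.versions[v].created >= self.max_age
```

A typical walk-through is `key = ManagedKey("payroll-db-cmk", max_age=365 * DAY)`, `key.rotate(0)`, then `key.rotate(365 * DAY)` once `key.rotation_due(365 * DAY)` reports true, and finally `key.transition(1, KeyState.DESTROYED, 400 * DAY)` after the retention period for data under version 1 has passed. The separation of "protect" from "process" is the detail that makes rotation safe to automate: the old version stays available for decryption until it is explicitly destroyed, but nothing new is ever written under it.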
