Because of economies of scale and ease of use, many organizations are now rapidly adopting cloud computing, which is far easier than acquiring the required infrastructure themselves, especially for multi-tenant environments and mid-market enterprises, where it is difficult to obtain additional funding for in-house infrastructure.
However, security has become a major challenge for organizations adopting cloud computing, because many of them outsource not only their infrastructure but also the encryption keys that protect their sensitive data and files.
So who has access to the organization's encryption keys? Whether the organization's data is secure in the cloud depends on the answer. Unless the organization has exclusive control of its encryption keys, its data may be at risk, and unfortunately exclusive control is rarely the case. This is one reason why so many organizations receive an email informing them that their data has been leaked. Every cloud service and software-as-a-service (SaaS) provider represents a huge concentration of risk and is therefore an attractive target. As organizations migrate everything to cloud platforms, how can they manage their keys better? This is a challenge that must be resolved.
Where is the key?
The simplest concept in cloud computing is multi-tenancy: applications, databases, files and everything else hosted on the cloud platform. Many organizations assume they need a multi-tenant solution because it is the easiest to understand: one simply pictures the internal infrastructure as an instance running in the cloud. However, moving a key management system (KMS) to the cloud platform using any of the three common cloud-based options brings serious risk. The three options are as follows.
Cloud KMS (the organization owns the keys, but they are stored in the cloud platform's software): Software-based, multi-tenant cloud key management systems (KMS) are particularly unsuitable for encryption key management. Because hardware resources are shared among many customers, the keys are less well protected; the "Spectre" and "Meltdown" vulnerabilities are proof of this.
Outsourced KMS (the cloud provider owns the keys): The cloud provider assures users that all of their data and files are secure and encrypted. That is fine, unless the provider itself, or the account credentials the organization uses with the provider, is compromised. The organization's files may be encrypted, but if the encryption key is stored with the provider, an attacker who gains access to that key can decrypt everything.
Cloud HSM (the organization owns the keys, but they are stored in the cloud platform's hardware): The ideal way to protect encryption keys is a secure cryptographic processor, namely a Hardware Security Module (HSM) or Trusted Platform Module (TPM). Although a cloud-based HSM or TPM mitigates certain risks, the fact remains that in the cloud even the applications that use the secure cryptographic processor are still part of a multi-tenant infrastructure. Between a dedicated hardware cryptographic processor and an application running in a multi-tenant environment, the application is always the more vulnerable target from an attacker's point of view.
Understand relevant laws
Perimeter security, detection and the other protective measures of next-generation firewalls are necessary, and cloud providers can supply them. However, protecting the core assets, sensitive business data and documents, from compromise requires following the basic laws of encryption key management:
Encryption keys must be exclusively controlled by multiple key managers within a single organization.
Encryption keys must be protected under the control of a secure cryptographic processor, a hardware security module (HSM) or trusted platform module (TPM).
The part of the application that uses the cryptographic processor to process sensitive data must not run in a public multi-tenant environment. Not only is sensitive data unprotected in a multi-tenant environment; so are the credentials with which that application authenticates to the cryptographic processor, and an attacker who obtains them can use the secure cryptographic processor itself to compromise the encrypted data.
Cloud security
Although laying down these laws is a good thing, unfortunately no public cloud currently meets these basic requirements. Organizations that hand security over completely to their cloud provider may be at risk.
Towards a more secure cloud platform
The solution is not hard to formulate: store the organization's sensitive data and files on the cloud platform, while keeping exclusive control of the encryption keys under the protection of the organization's own secure cryptographic processor.
With this framework, even if attackers get into the cloud platform, they obtain nothing of value, because all they can reach is encrypted information that is useless to them. The data is protected and the advantages of cloud computing are still realized. This lets companies make full use of cloud platforms, private or public, while also demonstrating compliance with data security regulations.
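The three laws above and this framework (data in the cloud, keys under the organization's exclusive control) in code, as an added Go example that is not part of the original article: envelope encryption in which every file gets its own data-encryption key (DEK), the DEK is sealed under a key-encryption key (KEK) that stays on the organization's side (in practice inside its HSM or TPM; here an in-memory key for illustration), and the cloud stores only the ciphertext and the wrapped DEK. The type and function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Key [32]byte // 256-bit AES key; the fixed size is what lets aead skip error checks
func aead(k Key) cipher.AEAD {
	block, _ := aes.NewCipher(k[:]) // cannot fail: 32-byte key
	g, _ := cipher.NewGCM(block)    // cannot fail: AES has a 16-byte block
	return g
}
// seal encrypts and authenticates plaintext under k (AES-256-GCM, random nonce prefixed).
func seal(k Key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // an RNG failure is not recoverable here
	}
	return aead(k).Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal and fails closed if the blob was altered or k is the wrong key.
func open(k Key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("blob too short")
	}
	return aead(k).Open(nil, blob[:12], blob[12:], nil)
}

// Encrypt runs on the organization's side: a fresh per-file DEK sealed under the KEK; the cloud stores only the two returned blobs, never the KEK.
func Encrypt(kek Key, file []byte) (wrappedDEK, ciphertext []byte) {
	var dek Key
	if _, err := rand.Read(dek[:]); err != nil {
		panic(err)
	}
	return seal(kek, dek[:]), seal(dek, file)
}

// Decrypt also runs on the organization's side; the stored blobs alone yield nothing.
func Decrypt(kek Key, wrappedDEK, ciphertext []byte) ([]byte, error) {
	raw, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	var dek Key
	copy(dek[:], raw) // GCM authentication guarantees raw is the DEK we sealed
	return open(dek, ciphertext)
}
```

A cloud insider, or an attacker holding stolen storage credentials, sees only the two blobs; without the KEK, Decrypt fails on authentication, and a truncated or modified blob is rejected rather than decrypted to garbage.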
For organizations adopting cloud computing or migrating to cloud platforms, the poor state of cloud security must always come first. Even if the data used by a cloud application is encrypted, the encryption key is the real exposure: not only the information but also the keys must be kept safe.
Given the realities of the cloud environment, small and medium-sized organizations will ensure stronger security for themselves by adopting enterprise-grade tools and practices.
No organization should assume that its cloud provider is protecting its data; on the contrary, this is not the case. Organizations need to find solutions that follow the laws of encryption key management and so achieve a more secure future in the cloud.