Co-authors: Patrick van Helden, Sales Engineer, Benelux, Nordics and Southern Europe; and Joseph Davenport, Sales Engineer
Today’s IT landscape is growing in complexity. As more businesses work through their digital transformation journeys, with increased access to data through 24/7 services and more automated processes, it’s unsurprising that Gartner has forecast a 20.4% [source] rise in global cloud spending as a result.
The heightened adoption of eCommerce, remote working and working from home exacerbated the situation further. Now, with more and more providers of IaaS, PaaS and SaaS solutions and services, along with the rising popularity of AI, the trend shows no sign of letting up.
In particular, over the past 4 years, as companies rushed to the cloud to keep operating during the pandemic, the quality of security may have been a secondary priority. Now, with usage rates and regulations continuing to grow, the security of company and personal data has become even more important, especially when it is reported that 82% of data breaches involved data stored in the cloud [source].
Advice from the National Cyber Security Centre (NCSC), which provides practical advice to businesses and public service organisations in the UK, was to use the KMS offered by your cloud provider [source]: “… key management is a complex and subtle topic. This means that a cloud KMS (key management service) is there to make your life easier and help secure the data you store in the cloud.”
When relying solely on the security protocols of your Cloud Service Provider (CSP), you are effectively handing over the standard of security to a third party. This may be considered acceptable for some data, given how cheap cloud storage is compared with data centre or on-prem environments, or it may have been deemed appropriate during the worldwide pandemic.
However, for sensitive data, storing keys where you store your data raises privacy concerns under GDPR and conflicts with zero trust best practice.
Many have made the analogy that leaving unencrypted data in the cloud is like leaving your door open, and leaving encrypted data in the cloud together with its keys is like leaving your keys in the door. Before deciding on a cloud-security standalone approach, it’s worth thinking through a few practical elements.
Firstly, consider whether there are consistent standards across CSPs that ensure the levels of exposure prevention and privacy you require.
Taking the door key analogy, would the CSP use an iron door with fingerprint recognition, or a heavy-duty door with multiple locking points and a dead bolt, or just a single lock mechanism in a thin door which is easy to kick through? What level is correct for the data you are storing?
Regain Cloud Data Control
OWASP A02:2021 details Cryptographic Failures and the risks associated with the incorrect implementation of cryptographic systems, including the use of insecure algorithms, poor key management practices, and insufficient protection of sensitive data.
To follow the OWASP best practice, organisations can utilise a BYOK (Bring Your Own Key) solution in the cloud provider. In addition to the native key vault environment, BYOK across AWS, GCP, Azure and Salesforce gives control and transparency around key availability and cryptographic policies to remain compliant – effectively your organisation retains ownership and can revoke or rotate keys as needed, providing an additional layer of security management.
In particular, an external Bring Your Own Key (BYOK) from Fortanix has several advantages compared to relying on a CSP's keys:
- Full Control: Organisations maintain control over their cryptographic keys, even though they are used in the cloud environment. The ability to revoke and rotate keys remains with the organisation, which provides an improved layer of security.
- Advanced Cryptographic Policies: Organisations are able to lock down the algorithm and key size used, or add relevant information about the key creator and/or requestor and how the key is being used. Quorum policies require multiple approvals before sensitive cryptographic operations can proceed, preventing unauthorised access or action unless multiple trusted individuals have reached consensus.
- Audit and Accountability: Cryptographic keys and their operations can be tagged and categorised giving granular control for improved management, auditing and compliance tracking. This can enhance accountability and provide traceability, which is crucial for security audits and compliance reporting.
- Compatibility and Flexibility: External HSMs can be used across different platforms and environments, providing flexibility in key management strategies. This can be advantageous for organisations that utilise multiple cloud services or have on-premises infrastructure.
However, in industries such as banking, finance and healthcare, regulators impose stricter requirements due to the nature of the sensitive data in use. Organisations that require higher security standards need full control over their cryptographic keys, regardless of the infrastructure in which they reside.
Full control in this instance refers to the sole possession, and safe management, of the encryption keys at all times – whether using an HSM (Hardware Security Module) or KMS (Key Management Software) – often referred to as HYOK, “Hold Your Own Keys”.
This gives the business the ability to rotate keys, revoke them immediately, and deactivate the key URLs. Data is made accessible again only when a key is reactivated; otherwise the data is effectively crypto-shredded at once.
Going back to the house and keys analogy, using an external key management solution like Fortanix Data Security Manager (DSM), means whether you are in the house or away from home, you always have ownership of the keys, and the keys are attached to a tracker so you can always find them.
What happens when you use multiple cloud providers, or a hybrid IT environment?
According to research [source], around 90% of enterprises have a multi-cloud strategy, with 80% driving a hybrid cloud strategy – a combination of public and private clouds. Each cloud provider has its own security standards, reporting and procedures.
When a data breach happens, you need to identify, stop and remediate it quickly. With separate security solutions in place across each cloud environment, as well as on prem, reviewing security logs in different formats and reports leads to a slower and less effective resolution, and more skills are needed across the team to operate each individual environment.
For organisations holding data across multiple clouds, BYOK within the CSP security environment(s) still ensures a single unified view, with the same cryptography, metadata and quorum policies across clouds and unified key management. This simplifies key management and reduces complexity, for faster remediation as required. However, for an audit trail, the organisation is reliant on the logging system of the CSP, which doesn’t support zero trust principles.
By comparison, when an organisation needs a higher level of security for regulatory compliance and utilises a KMS or HSM independent of the CSP, data is encrypted before it is placed in the cloud, and then decrypted using an on-premises master key. This means sensitive data remains safe in the cloud at all times.
Importantly, within an HYOK solution, by encrypting and decrypting outside of the CSP, organisations are no longer reliant on the logging reports of the CSP. This means that when there is a need to audit and track access to data, whether across one cloud or multiple cloud providers, an organisation has complete trust in one source of truth – instantly and in real time – based on the user access rights confirmed for data access.
In addition, if any unusual activity is witnessed, based on parameters an organisation sets, the HYOK solution will send a notification for investigation and remediation, whilst an AI-generated process automatically closes off and locks the data, to proactively prevent a potential breach. Zero Trust in the cloud is enabled immediately.
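To make the HYOK flow above concrete, here is an added Python example (it is not Fortanix DSM code and not from the original post). It models a master key that stays inside an on-premises KMS object, data encryption keys wrapped under that master, client-side encryption so the "cloud" store only ever receives ciphertext and wrapped keys, rotation by re-wrapping without touching bulk data, quorum-gated revocation (the quorum policy described in the BYOK list above), and crypto-shredding by disabling the master. All class, function and key names are invented for the illustration, and the HMAC-based cipher is a standard-library stand-in for an AEAD such as AES-GCM.

```python
"""Hold-Your-Own-Key envelope encryption with quorum-gated revocation.

Constructed illustration, not Fortanix DSM code. The 'cloud' dict only ever holds
ciphertext plus a data encryption key (DEK) wrapped under a master key that never
leaves the OnPremKMS object. The HMAC-SHA256 counter-mode stream plus HMAC tag is a
standard-library stand-in for AES-GCM, not a recommendation to build your own cipher.
"""
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()  # separate enc and mac keys

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:  # nonce || ct || tag
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    mac_input = nonce + len(aad).to_bytes(8, "big") + aad + ct  # encrypt-then-MAC
    return nonce + ct + hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:  # verify tag before decrypting
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_input = nonce + len(aad).to_bytes(8, "big") + aad + ct
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()):
        raise ValueError("ciphertext or wrapped key was tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class OnPremKMS:
    """Stand-in for the external HSM/KMS: master keys never leave this object."""
    def __init__(self, approvers: frozenset, quorum: int):
        self._masters = {}  # key_id -> {"key": bytes, "enabled": bool}
        self._approvers, self._quorum = approvers, quorum

    def create_master(self) -> str:
        key_id = "mk-" + secrets.token_hex(4)
        self._masters[key_id] = {"key": secrets.token_bytes(KEY_LEN), "enabled": True}
        return key_id

    def _active(self, key_id: str) -> bytes:
        entry = self._masters[key_id]
        if not entry["enabled"]:
            raise PermissionError(f"master key {key_id} is revoked")
        return entry["key"]

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        return seal(self._active(key_id), dek, aad=key_id.encode())

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        return unseal(self._active(key_id), wrapped, aad=key_id.encode())

    def revoke(self, key_id: str, approvals: set) -> None:
        # Quorum policy: a sensitive operation needs M-of-N trusted approvers.
        if len(approvals & self._approvers) < self._quorum:
            raise PermissionError("quorum not met")
        # Disabling the master crypto-shreds every object wrapped under it.
        self._masters[key_id]["enabled"] = False

    def rotate(self, old_id: str, store: dict, approvals: set) -> str:
        # Re-wrap each DEK under a fresh master; bulk ciphertext in the cloud is untouched.
        new_id = self.create_master()
        for obj in store.values():
            if obj["key_id"] == old_id:
                obj["wrapped_dek"] = self.wrap(new_id, self.unwrap(old_id, obj["wrapped_dek"]))
                obj["key_id"] = new_id
        self.revoke(old_id, approvals)
        return new_id

def put_object(kms: OnPremKMS, key_id: str, store: dict, name: str, plaintext: bytes) -> None:
    """Encrypt client-side under a fresh DEK; the cloud stores ciphertext and wrapped DEK only."""
    dek = secrets.token_bytes(KEY_LEN)
    store[name] = {"ciphertext": seal(dek, plaintext, aad=name.encode()),
                   "wrapped_dek": kms.wrap(key_id, dek), "key_id": key_id}

def get_object(kms: OnPremKMS, store: dict, name: str) -> bytes:
    obj = store[name]
    dek = kms.unwrap(obj["key_id"], obj["wrapped_dek"])  # fails once the master is revoked
    return unseal(dek, obj["ciphertext"], aad=name.encode())

def demo() -> dict:
    # Constructed data: round trip, rotate under quorum, then revoke to crypto-shred.
    kms, cloud = OnPremKMS(frozenset({"alice", "bob", "carol"}), quorum=2), {}
    mk = kms.create_master()
    put_object(kms, mk, cloud, "customer-export.csv", b"id,name\n1,Alice\n")
    first = get_object(kms, cloud, "customer-export.csv")
    new_mk = kms.rotate(mk, cloud, approvals={"alice", "bob"})
    after_rotate = get_object(kms, cloud, "customer-export.csv")
    kms.revoke(new_mk, approvals={"bob", "carol"})
    try:
        get_object(kms, cloud, "customer-export.csv")
        shredded = False
    except PermissionError:
        shredded = True
    return {"first": first, "after_rotate": after_rotate, "shredded": shredded}
```

The design point is that the cloud store never holds anything it can decrypt on its own: the ciphertext is bound to the object name and the wrapped DEK to the master key id via the authenticated data, so swapping objects or keys fails verification, and once the master is disabled every object under it is unrecoverable without re-enabling the key.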
Focussing on Security
At Fortanix we specialise in cybersecurity for organisations today and into the future. As an expert in this field and a pioneer in Confidential Computing, we empower leading brands and government agencies to secure their most sensitive data at rest, in motion and in use, and to remain compliant with regulations worldwide.
Fortanix acts as a third party with no access to the data, but with the ability to simplify your security posture management through our Data Security Manager (DSM) platform, providing additional security solutions such as state-of-the-art encryption, key management and data tokenization that can be managed from a single integrated platform.
As part of the Fortanix DSM platform, our award-winning key management solutions are FIPS 140-3 compliant, offering automated redundancy, full audit logs and access control. Key Insight works in partnership with DSM, providing the ability to query your current security stance and immediately act on exposure risks and concerns, whether on prem, in the cloud or in a hybrid environment.
Fortanix believes in a data-first security strategy, as traditional perimeter approaches are insufficient. Don’t just take our word for it: you only need to go online to see that cloud security alone doesn’t seem to be working.