Organizations have rapidly embraced the cloud for its economies of scale and ease of use. It’s much easier to outsource the needed infrastructure, particularly in multi-tenant environments and for mid-market businesses that find it hard to finance infrastructure of their own.
However, security becomes the 800-pound gorilla in the cloud room. Using the cloud is like leaving your house key under the doormat. You have outsourced not only your infrastructure but the encryption keys that secure your sensitive data and files as well.
Who has access to your encryption keys? The answer to this determines whether your data will be secure in the cloud. Unless you have exclusive control of your encryption keys, you could be at risk. Unfortunately, that is not the case with the cloud, and it’s one of the reasons why we continue to get apologetic emails notifying us that our data has been compromised. Each cloud service and software-as-a-service provider represents a huge attack surface and is, therefore, a serious target. With everything moving into the cloud, how do you make key management work? This is a challenge that needs to be solved.
Where are the keys?
The simplest concept in cloud solutions is multi-tenancy: applications, databases, files and everything else hosted on shared cloud infrastructure. Many organizations assume they need a multi-tenant solution, and it is the easiest model to understand because on-premises infrastructure maps directly onto cloud instances. However, moving key management systems (KMS) to the cloud using any of the three common cloud-based options poses significant risks.
Cloud KMS (you own the keys, but they’re stored in cloud software): A software-based, multi-tenant cloud KMS is especially ill-suited for cryptographic key management. Since hardware resources are shared across multiple clients, the keys are exposed to every other tenant’s workload on the same host – the Spectre and Meltdown vulnerabilities are a testament to this.
Outsourced KMS (the cloud service provider owns the keys): Cloud vendors will say that all your data and files are secured and encrypted. That’s good – except if the provider or your account credentials to the provider get hacked (as it did in Uber’s case with AWS). Your files may be encrypted, but if you’re storing your encryption keys with them, then the attacker can decrypt everything if they gain access to your keys as well.
Cloud HSM (you own the keys, but they’re stored in cloud hardware): The ideal place to protect encryption keys is a secure cryptoprocessor, either a hardware security module (HSM) or a trusted platform module (TPM). Although certain risks are mitigated by using a cloud-based HSM or TPM, the fact remains that in the cloud, even applications that use secure cryptoprocessors are still part of a multi-tenant infrastructure. Between attacking a purpose-built hardware cryptoprocessor or an application running in a multi-tenant environment, the application is always the easier target from an attacker’s point of view.
Know the laws
Perimeter security with next-generation firewalls, intrusion detection, and other protective measures is necessary, and cloud providers can deliver it. But securing the core elements of your business – sensitive data and files – against breaches requires encryption using the fundamental “Laws of Cryptographic Key Management”:
Cryptographic keys must be under the exclusive control of multiple key custodians within a single organization.
Cryptographic keys must be protected under the control of secure cryptoprocessors (HSM/TPM).
The sections of the application that use cryptoprocessors to work with sensitive data must not execute within public multi-tenant environments. Not only is sensitive data already unprotected in the multi-tenant environment, but so are the secrets that authenticate the application to the cryptoprocessor; an attacker who captures those secrets can have the secure cryptoprocessor decrypt the protected data on their behalf.
Though it’s good to have laws, it’s unfortunate that no public cloud currently meets all three of these essential requirements. Organizations that leave security solely in the hands of cloud providers could be in for a rude awakening.
Toward a More Secure Cloud
It doesn’t take a Ph.D. in engineering to map out the solution: store your sensitive data and files in the cloud while retaining exclusive control of their encryption keys under the protection of your own secure cryptoprocessor in a controlled environment outside the public cloud.
Using this framework, attackers get nothing even if they breach the cloud service provider, because all they obtain is encrypted information that is of no use to them without the keys. The benefits of the cloud are still realized while data protection is maintained. This allows companies to prove compliance with data security regulations while leveraging clouds, private or public, to the maximum extent possible.
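The following is an added example, not code from the original article, showing what the framework above and the first two laws look like in practice: the provider stores only ciphertext plus a per-object data-encryption key (DEK) that has been wrapped under a key-encryption key (KEK), and the KEK is split between two custodians so no single person holds it. The XOR split and the in-process KEK are a simplified stand-in for an HSM held outside the public cloud; the object identifier `customers/42.json` and the sample record are constructed values. It uses only Go’s standard library (AES-GCM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudObject is the only thing the provider stores for one file: the data
// encrypted under a per-object DEK, and that DEK wrapped under the customer's
// KEK. Neither field can be decrypted by whoever holds the storage.
type CloudObject struct {
	Nonce      []byte
	Ciphertext []byte
	DEKNonce   []byte
	WrappedDEK []byte
}

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts and verifies; a wrong key, wrong aad or tampering yields an error.
func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// SplitKEK splits a 32-byte KEK into two XOR shares, one per key custodian,
// so that no single custodian holds the whole key (simplified dual control).
func SplitKEK(kek []byte) (shareA, shareB []byte, err error) {
	if len(kek) != 32 {
		return nil, nil, errors.New("KEK must be 32 bytes")
	}
	shareA = make([]byte, 32)
	if _, err := rand.Read(shareA); err != nil {
		return nil, nil, err
	}
	shareB = make([]byte, 32)
	for i := range kek {
		shareB[i] = kek[i] ^ shareA[i]
	}
	return shareA, shareB, nil
}

// CombineKEK reconstructs the KEK; both custodians' shares are required.
func CombineKEK(shareA, shareB []byte) ([]byte, error) {
	if len(shareA) != 32 || len(shareB) != 32 {
		return nil, errors.New("both 32-byte shares are required")
	}
	kek := make([]byte, 32)
	for i := range kek {
		kek[i] = shareA[i] ^ shareB[i]
	}
	return kek, nil
}

// EncryptForCloud runs on the customer side: a random DEK encrypts the data,
// the KEK wraps the DEK (bound to objectID via AAD so wrapped keys cannot be
// swapped between objects), and the plaintext DEK is discarded.
func EncryptForCloud(kek, plaintext []byte, objectID string) (CloudObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CloudObject{}, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return CloudObject{}, err
	}
	dekNonce, wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{Nonce: nonce, Ciphertext: ct, DEKNonce: dekNonce, WrappedDEK: wrapped}, nil
}

// DecryptFromCloud unwraps the DEK with the KEK and then decrypts the data.
func DecryptFromCloud(kek []byte, obj CloudObject, objectID string) ([]byte, error) {
	dek, err := open(kek, obj.DEKNonce, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Nonce, obj.Ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	a, b, _ := SplitKEK(kek)      // one share per custodian
	joined, _ := CombineKEK(a, b) // both present: KEK reconstructed
	obj, _ := EncryptForCloud(joined, []byte("constructed sample record"), "customers/42.json")
	_, err := DecryptFromCloud(make([]byte, 32), obj, "customers/42.json") // provider has no KEK
	fmt.Println("decrypt without KEK fails:", err != nil)
	pt, _ := DecryptFromCloud(joined, obj, "customers/42.json")
	fmt.Println("owner decrypts:", string(pt))
}
```

The design point is the trust boundary: everything inside `CloudObject` can be leaked by the provider without exposing the data, while `SplitKEK`/`CombineKEK` keep the KEK out of any one custodian’s hands. In a production deployment the wrap and unwrap calls would be performed inside an HSM outside the public cloud rather than in application memory.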
The poor state of cloud security must remain top of mind for organizations invested in the cloud or migrating to it. Even if data used by cloud applications is encrypted, the encryption keys are the real story. Not only does the information need to be kept safe, but so do the keys.
Taking the realities of the cloud environment into account, mid-sized organizations will position themselves for stronger security by adopting enterprise-grade tools and practices.
No one should assume that cloud providers are securing their data. Instead, assume that is not the case and find solutions that apply the laws of cryptographic key management for a more secure future in the cloud.