Security of data in the cloud

The concept of the Cloud has evolved over the last 20 years, and security concerns have grown with it. The first serious effort to provide data hosting in the Cloud came with Amazon Simple Storage Service (S3), and with it the security burden of making sure that permissions were configured correctly so that private data did not become public.

Next came Cloud regions, which not only provided a faster and better experience to non-US customers but also addressed privacy concerns about undue government access to their data. In the same vein, encryption of data at rest was introduced to reassure customers against possible data theft by administrators, and Hardware Security Modules (HSMs) became common for performing cryptographic operations with securely stored master keys.

But the problem is not only access to enterprise data, because confidential documents sometimes also need to be viewed outside the organization's boundary. Rights Management Services (RMS) and Azure Information Protection (AIP) addressed this need.

With them, Microsoft introduced the concepts of Bring Your Own Key (BYOK), Hold Your Own Key (HYOK) and Double Key Encryption (DKE), which require customers to balance their trust in the service provider against the inconvenience of having to secure their master encryption keys themselves.

This whole trend confirms that security cannot be achieved without proper management of encryption keys, which must be stored and controlled separately from the data: a Key Management Service (KMS) not only stores the keys but also offers a clear record of who had access to them and for what reason.

In the same spirit, Thales and Google have combined their know-how to make it easy for organizations to follow security and key-management best practices while leveraging the power of Google Cloud for compute and analytics.

Author:

Alessandro Miotto, Security Architect at Kyos SA