A recent blog post from an IT publication touched on a topic we've discussed before – the ability for IT service providers and their clients to retain ownership over the encryption key they use to back up their data. It's a factor that could be particularly crucial to secure data management in sensitive sectors like healthcare and government.
FCW, a tech blog for government IT professionals, recently reported that the shift to cloud services has led to new challenges with respect to encrypted data backup. On the surface, encrypting data in the cloud is relatively similar to encrypting it for traditional storage, but one challenge in encrypting data sent to the cloud involves encryption key ownership.
FCW cited research from the National Institute of Standards and Technology titled "Cryptographic Key Management Issues and Challenges in Cloud Services" to support this concept. The NIST report says key management becomes more complicated because many more parties, including cloud service providers, brokers and businesses, have a stake in the issue.
"The problem with encryption has been around the key management strategy," James Christiansen, chief information risk officer for security firm Risky Data, told FCW. He went on to explain that "if I think about attacking a company and how I would attack it, I would always attack the key management system. Why attack AES-256 data when you can just attack the keys?"
According to Christiansen, part of the issue is that many public cloud providers encrypt data with just one key, and customers often aren't asking enough questions to know how well the provider can manage that key. He suggested a handful of ways to address the risk, including the idea of owning your own encryption keys.
How private key encryption helps
We've discussed private key encryption before on this blog, mainly because it's a valuable tool some businesses don't realize they can use. And it's especially crucial in industries like healthcare, where the risk of leaving sensitive data unencrypted is simply too high.
What's the solution for IT managed services providers? To start, it helps to work with a cloud service provider that takes extra steps to encrypt their data in transit and at rest, as we do for our partners. In addition, as Christiansen advised, having a private key option can be a big benefit in highly secure and regulated industries like finance and government.
Intronis makes a private encryption key available to our partners, and for those who do take advantage of this option, we recommend keeping the key secure in an escrow account or alternative location. We don't keep a copy of our partners' private keys, so MSPs who take advantage of it really do have the keys to their clients' data entirely in their hands.