By Michael Hughes, Chief Business Officer, Unbound Security
With remote working becoming widespread among businesses due to the Covid-19 pandemic, the uptake of cloud computing continues to rapidly grow. In fact, enterprise cloud spending rose 59% from 2018 to 20201, with 54% of enterprises’ cloud-based applications moving from an on-premise to a cloud environment. The cloud juggernaut shows no sign of slowing in the coming years.
But as an increased number of organizations shift their workloads to the cloud to benefit from cost savings and more agile and innovative processes, potentially major security challenges await them, particularly if a hybrid option is chosen. In fact, analysts IDC2 estimate that more than 90 per cent of enterprises worldwide will be relying on a mix of on-premises/dedicated private clouds, multiple public clouds, and legacy platforms to meet their infrastructure needs by 2022. As companies distribute their data via increasingly complex hybrid cloud infrastructures, they need to cast a wider security net as the volume of information exchanged continues to exponentially increase.
In tandem with the stricter demands placed on businesses by regulators, these developments make it more crucial than ever for effective encryption keys to be used in the protection of data. For businesses that have invested heavily in on-premises infrastructure, hardware security modules (HSMs) or apps partially in the cloud, the inability to secure and manage the cryptographic keys that protect their data across a multitude of scenarios can have potentially damaging consequences.
In the case of IT managers opting for a cloud migration that requires the continued maintenance of some existing hardware, wide ranging issues can also materialize from this strategy. Managing multiple systems can be a time-consuming task, along with the need to create multiple keys for varying solutions depending on authentication path and application supported. Developers and solution architects take on the biggest migration risk, as the comprehensive work that has gone into developing an application once then needs to be refactored multiple times over to ensure that keys work anywhere in the cloud and at any time.
Many organizations may choose to rely on solutions provided by major cloud service providers to manage their key management, utilizing their encryption capabilities. This method however has risk involved, as there is a basic security flaw in having the keys held by the same entity that holds the data. It is not just penetration by criminals that businesses should concern themselves about in this respect, as it is the government warrants and subpoenas that may force CSPs to open up what they hold.
Alongside this vulnerability is the issue of management. Consistency of data governance across the wide and varied infrastructure of an organization, including any on-premises hardware provision, becomes much more difficult in the instance of keys being managed by the cloud provider. The method in which CSPs’ solutions deliver a segmented picture of the key logs and usage reports makes it an impossible task for enterprises to manage their entire range of keys in one place, while being unable to have sufficient visibility across all their sites.
This can have negative implications for the time-to-market of new and existing applications, as keys are required in each case to ensure each specific security policy is met. Additionally, security is potentially compromised when organizations are unable to manage keys across disparate sites because of dependencies on the applications they are looking to authenticate, each having been written to specific cloud requirements.
With this mind, how do enterprises find the solution? The answer is to arrange security with a third-party solution that overrides the need to refactor numerous applications to ensure their compatibility across each cloud environment. Enterprises need to write and manage their own keys on a separate, one-stop platform using multi-party computation (MPC).
MPC splits a secret key into two or more pieces and places them on different servers and devices. As all the pieces are required to obtain any vital information about the key, but are ultimately not assembled, so hackers have to go through the process of breaching all the servers and devices in order to gain a foothold. Strong separation between these devices (for example, different administrator credentials and environments), provides a very high level of key protection.
By adopting this approach, enterprises that use multi-cloud or hybrid cloud infrastructures find themselves benefitting from absolute clarity on their security and surveillance, with information about all their keys and digital assets such as the way in which they’re stored and how they’re being programmed and utilized. No longer do enterprises need to take risks with the use of cloud crypto keys.
For organizations planning to benefit from greater and innovation and efficiency in the future via cloud migration, use of an MPC platform enables them to secure and manage encryption keys in the most efficient way. It proves to be agile, adaptable and accessible without comprising on their all-important security measures.