Lock Up Your Data and Throw Away the Key Store
Our passwords, credit cards, and email addresses are under siege daily as cloud store security breach headlines continue to hit the news.
In a lot of these stories, the data in question was encrypted. Not just hashed but truly encrypted with keys, on the presumption that unless the thief also manages to access the key store, your information is safe.
But safe from whom? If a thief, then yes. If your keys are themselves secured, then your information should be safe.
However, in my experience, most hacks seem to come from an internal source, such as from an unhappy employee, an ex-employee who was sacked this morning, or an employee who has an axe to grind. The disgruntled employee can use inside knowledge to share a virus, share documents with rivals, or misuse company and personnel data. If this organization is a cloud store or service provider that also holds and owns your encryption keys, then in any one of these cases your information is far from safe.
The recent stories about the sharing of celebrity nude photos and emails have caused individuals and companies to wonder about the security of data stored in the cloud and ask such questions as: Is the data encrypted at the server? While in transport? What level of encryption is used and how much authentication is performed?
That employee could also have access to the keys to the cloud store, and then your data is no longer encrypted. This is not as far-fetched as it may seem. This has been the case for many breaches over the past few years. It is, however, hard to substantiate that statement as the industry resolutely refuses to talk about breaches “for security reasons!”
And what about those scenarios when a government or legal authority decides that they need access to your corporate information? This is not necessarily theft, but it can be unwanted access. According to the US’s Communications Assistance for Law Enforcement Act (CALEA), a communications provider of any size must allow government agencies access to data. The service providers are not told why the data is needed, only that they must comply.
Government should have the right to do this. In fact, I believe them when they say that having this right has secured us all from many security threats. The question here though is one of accountability. If your supplier owns your security, then they are obliged to hand over, without your knowledge, not just the documents but also the keys that allow this information to be decrypted.
The issue is not that the government has access; the bigger threat is lack of knowledge about where corporate data is headed. If you had ownership of your security, then the government department would come to you directly, giving you the opportunity to directly pass this information across with full knowledge and the accountability that goes with that.
In summary, if you pass your security to a third party, and they own and store your encryption keys, then you have lost control of your information. It is imperative that you own your encryption keys and store them separately from your cloud suppliers. If you do not, then your information can be stolen or subpoenaed without your knowledge. This in turn could cause you both monetary loss and possible customer embarrassment.