As enterprises respond to the acceleration of remote working, hybrid cloud adoption continues to increase—but security remains a persistent blocker. Marcella Arthur, Vice President of Global Marketing at Unbound Security, looks at how emerging approaches to key management are enabling enterprises to rethink and assert control over their cloud strategies.
By 2025, the number of Americans working from home is expected to increase by 87% to 36.2 million. As remote working continues to rise, so too does the uptake of cloud computing. In fact, enterprise cloud spending rose 59% from 2018 to 2020, with 54% of enterprises’ cloud-based applications moving from an on-premises to a cloud environment.
By next year, analysts at IDC estimate that more than 90% of enterprises worldwide will be relying on a mix of on-premises/dedicated private clouds, multiple public clouds, and legacy platforms to meet their infrastructure needs. As companies distribute their data via progressively complex hybrid cloud infrastructures, they need to extend their security perimeters to protect the increasing exchange of high volumes of data.
Stricter demands placed on businesses by regulators mean these developments make it more crucial than ever for effective encryption keys to be used in the protection of data. For businesses that have invested heavily in on-premises infrastructure, hardware security modules (HSMs), or apps partially in the cloud, the inability to secure and manage the cryptographic keys that protect their data across a multitude of scenarios can have potentially damaging consequences.
When deciding on a cloud shift, IT professionals face the time-consuming tasks of maintaining multiple systems, ensuring existing hardware remains intact, and implementing key management solutions. Developers and solution architects take on the biggest migration risk, as the comprehensive work that has gone into developing an application once then needs to be refactored multiple times over to ensure that keys work anywhere in the cloud and at anytime.
In the case of key management, businesses may choose to rely on solutions provided by major cloud service providers (CSPs) to utilize their encryption capabilities. However, there is a basic security flaw in having the keys held by the same entity that holds the data. It is not just penetration by criminals that businesses should concern themselves with in this respect, as it is the government warrants and subpoenas that may force CSPs to open up what they hold.
Beside this vulnerability is the matter of management. Consistency of data governance across the wide and varied infrastructure of an organization, including any on-premises hardware provision, becomes much more difficult in the instance of keys being managed by the cloud provider. The method in which CSPs’ solutions deliver a segmented picture of the key logs and usage reports makes it an impossible task for enterprises to manage their entire range of keys in one place, while being unable to have sufficient visibility across all their sites.
The time-to-market of new and existing applications may suffer as a result, as keys are required in each case to ensure each specific security policy is met. In addition, security is potentially compromised when organizations are unable to manage keys across disparate sites because of dependencies on the applications they are looking to authenticate, each having been written to specific cloud requirements.
This prompts the question of how enterprises can find the right solution. The answer is they should consider arranging security with a third-party solution that overrides the need to refactor numerous applications to ensure their compatibility across each cloud environment. Organizations need to write and manage their own keys on a separate, one-stop platform using multi-party computation (MPC).
An MPC platform splits a secret key into two or more pieces and places them on different servers and devices. All the pieces are required to obtain any vital information about the key but are ultimately not assembled. Therefore, hackers have to go through the process of breaching all the servers and devices to gain a foothold. Strong separation between these devices (for example, different administrator credentials and environments) provides a very high level of key protection.
Considering more modern cryptographic platforms like those underpinned by MPC will help enterprises regain control in a cloud environment. Organizations with multi or hybrid cloud infrastructures will achieve complete clarity on their security and surveillance; how their keys and digital assets are stored, programmed, and utilized; and who is using them.
For organizations looking to achieve greater innovation and efficiency, an MPC platform can provide an effective security and management of encryption keys. By adopting this approach, businesses can ensure controlling crypto keys is not a leap of faith, but a gain in agility and visibility of all assets, anywhere, anytime.
Marcella Arthur is Vice President of Global Marketing at Unbound Security. During her career, Marcella spearheaded two successful IPOs and led the global marketing and channel strategy of several of the world’s technology innovators and IT security vendors, including Sybari, Mimecast, and Microsoft.