The folks responsible for data privacy carefully review their cloud provider’s encryption measures. Encryption in-transit? Check. Encryption at rest? Check. Strong encryption key? Check. They breathe a sigh of relief at the right answers, sign the contracts and upload the data. Security hole closed.
Or is it? What guarantee do you have that your cloud provider will not access your data? None. In fact, encryption key holders or hackers can easily compromise data privacy in the cloud.
Service providers are not blind to the encryption key problem and they don’t want to be blamed (read: sued) for letting it to happen on their watch. So they offer different options to secure your encryption keys. One common offering is to save your encryption key separately from your data and regularly rotating the encryption code. This is a good measure against outside intrusion, not so much against inside. As long as your provider can access your encryption keys then they can access your data. Privacy flies out the window.
Another way that service providers offer security is by making you do it. In this case you deploy a server on your site that houses encryption keys behind your firewall. Note that the cloud provider has cleverly taken the security onus off themselves and put it squarely on your shoulders – not exactly the optimal solution for cloud backup, which is supposed to relieve you of hardware and management complexity.
Instead of these “solutions,” we strongly suggest that you use two-factor encryption key management. There is no single encryption key to be exposed or stolen because the key is separated into two parts, one residing with the user and one in the cloud.
This technology generates a unique encryption key for each user session, and the user’s network password encrypts the token. When the user signs on with an authenticated identity the password decrypts the unique token and the token decrypts user for that user in that session. This token is immediately deleted following the end of the session. The service provider never has access to your encryption keys.
The result is extremely secure encryption key management that does not require the expense and overhead of providing your own key servers. You and your cloud provider can also dispense with closely monitoring employees, who understandably resent the implications.
You may have heard “What you don’t know can’t hurt you.” At Druva we think that’s nonsense. What you don’t know about cloud backup can definitely hurt you. Don’t get blindsided: download Druva’s white paper “5 Things You Didn’t Know About Cloud Backup” today.