Tips: Best practices for cloud data protection and key management
How to securely and effectively allow customers to have more control and responsibility over their encryption keys.
Digital transformation is a persistent trend that has resulted in fundamental shifts in storage, access, and management of digital assets.
Recognizing the importance of data protection, cloud service providers now offer data encryption and key management services. These services can be used across the different types of infrastructure offered by the respective service providers.
However, while native encryption and key management services offer good-enough protection, many organizations – especially those in highly regulated industries, such as finance, banking, insurance, and healthcare – need higher levels of assurance for risk management and compliance.
Many security-conscious organizations have an additional requirement that all data encryption keys must be created, stored, and managed using a FIPS 140-2 level 3 certified key manager. In response to such higher assurance requirements, cloud service providers have begun offering features such as Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK).
This paper describes security best practices for protecting sensitive data in the public cloud and explains concepts such as BYOK, HYOK, key brokering, and Root of Trust (RoT). It also discusses the level of data protection that cloud-native encryption and key management services can achieve, and how that protection can be augmented by allowing customers to take more responsibility for, and control over, their keys.