Light Dark
February 28, 2017 By Rick Robinson 4 min read
Data Protection
Cloud Security

Organizations are adopting encryption at a rapid and increasingly urgent pace. Why? Because encryption helps organizations support dynamic industry regulations while also protecting sensitive data that’s placed in the cloud.

The trend of adopting public cloud solutions continues to grow, but protecting critical data in the cloud is still a major concern. It’s critical to protect data against external breaches and unauthorized access by cloud service providers. Collectively, organizations are diligently working with consultants and suppliers to implement solutions to keep their data safe.

Deleting Sensitive Cloud-Based Data

In many specific instances, companies want to prevent their data from being accessible to cloud service providers (CSPs). However, organizations are now facing a new dilemma: What are they supposed to do when they want to permanently delete their data in the cloud?

Regulatory compliance and cloud data protection are two driving reasons for establishing encryption and encryption key management strategies. Furthermore, in the new world of cloud data security, the old concept of a “castle” has become ineffective; the concept of a curated “museum” is much more applicable to cloud data security. In this new world, organizations want to share data appropriately with many users and platforms without running the risk that it will be taken, changed, hijacked, destroyed or accessed by unauthorized users.

Read the White Paper: Guard your organization’s data with intelligent IBM encryption

To complicate matters, the value of data can change quickly. As we know, information such as quarterly financial data has high value prior to its disclosure, but the necessity to keep it private significantly declines once the announcement of financial performance is released to the market. However, other data, such as pharmaceutical trial data, HR information from divested organizations and historical notes on litigation proceedings, can quickly become a liability if it is unintentionally disclosed to the wrong party after the collective work on these efforts has been completed.

When you combine the need for privacy, the desire to collaborate using shared data and the trend of leveraging cloud applications and storage, you can see the need to not only protect cloud-based data, but also to manage it throughout its entire life cycle, from creation to destruction. Furthermore, in the case of cloud deployments, this process needs to be managed and controlled in an environment that is not physically under your control. This last requirement raises the following questions:

  • How can you control sensitive cloud-based data?
  • How can you control the life cycle of that data?
  • How can you manage your liability?

The Magic of Cryptographic Erasure

Encryption has historically been used to protect data against unauthorized use. However, encryption can effectively erase data as well. This is called cryptographic erasure.

The National Institute of Science and Technology (NIST) released “Special Publication 800-88, Revision 1: Guidelines for Media Sanitization,” which detailed how encryption is part of media and data sanitation.

“If strong cryptography is used,” the publication stated, “sanitization of the target data is reduced to sanitization of the encryption key(s) used to encrypt the target data.” In laymen’s terms, this means that if the data is encrypted and you destroy the keys, the data is erased.

Of course, there are some qualifiers to claiming sanitization by cryptographic erasure. First, you must ensure that you have encrypted the data from the moment it was originally stored. Next, verify that you have exclusive access to all data encryption keys and ensure that all keys are wrapped under one or more wrapping keys. Finally, delete the wrapping keys to render the data encryption keys and data itself unrecoverable. Fortunately, these steps are not difficult to follow if you have the right tools.

For example, if you have a petabyte of data that has been encrypted from the moment it was placed in the cloud and control over the wrapping keys that protect the data encryption keys, then when you delete the wrapping keys, you render data encryption keys — and the petabyte of data — useless. This happens regardless of where the data is stored or whether you can even access the storage environment. In other words, you can effectively erase a petabyte of data by deleting just a few kilobytes of keys. That’s cryptographic erasure, and it’s powerful.

Encryption Key and Life Cycle Management

Naturally, you may want to recover the petabytes of bits associated with your now-useless data. Why pay to store petabytes of random bits? However, that is secondary to the erasure of the data itself.

The logistics of implementing cryptographic erasure fundamentally requires the system that stores and encrypts the data to be separate from that of encryption key management. Leveraging key life cycle management software packages helps maintain separation of these duties and functions.

Related: Do You Have the Key to Protecting Cloud-based Sensitive Data? (Hint: E-N-C-R-Y-P-T-I-O-N)

Keeping your encryption engine separate from the encryption keys, as well as keeping the keys well-managed, is not just a best practice, but also keeps you on the right side of regulations and helps protect your most precious assets — your encryption keys and encrypted data — from threat actors. Remember that storage is inexpensive, but data is becoming infinitely more valuable, both as an asset and a liability. Control your data, protect it and ensure that it has a clear life cycle that you control.

The future architecture of data protection is clearly modular. We need to:

  • Constantly monitor our data, its classification and its usage;
  • Protect our data, regardless of its location, through encryption;
  • Manage our encryption keys, because they protect larger quantities of data and enable us to sanitize data when the data life cycle is complete; and
  • Monitor our encryption keys to ensure that they are inventoried, accessed only by authorized processes and people and constantly evaluated for strength and applicability.

Following these practices ensures that your data, protected through encryption, will provide value through its lifetime and can be securely deleted when no longer valuable.

Protecting Data in a Multicloud Environment

To protect data in a multicloud environment, organizations should still focus on implementing centralized policy management as well as centralized key management.

Guardium for Multi-Cloud Data Encryption offers the ability to encrypt cloud data across multiple clouds. It also integrates with IBM Security Key Lifecycle Manager. This combination of local but highly redundant key management, and the ability to concurrently manage tens of thousands of encrypted file systems or volumes in multiple clouds, gives organization the tools they need to protect and manage the entire life cycle of data regardless of where it resides.

Download the White Paper: Guard your organization’s data with intelligent IBM encryption

 |  |  |  |  |  |  | 
Rick Robinson
Product Manager, Encryption and Key Management

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature