Laying a solid foundation for cloud security

VoicenData Bureau

Deploying cryptography, especially cloud key management solutions, provides organisations with a high level of privacy, control, and flexibility

The rapid increase in cloud adoption rates can be attributed to several factors such as lower capital expenditure, faster deployment, and the ability to meet the same cryptographic requirements as on-premises HSMs. As a result, more and more organisations are choosing to migrate to the cloud. However, as established trends continue to gain momentum, newer trends are beginning to emerge.

Organisations are now seeking novel ways to enhance the efficiency of their cloud infrastructure and maximise its functionality. Specifically, many companies are now searching for cloud cryptography providers that can deliver high levels of compliance.

Emerging concern: cryptographic sprawl

Enterprises tend to run hundreds of applications that use cryptographic functions in one way or another. The use of client libraries, third-party tools, and cloud solutions can lead to a proliferation of unmanaged secrets, cryptographic solutions, encryption keys, and applications. This cryptographic sprawl is an emerging concern in enterprise security, because it can increase both potential security risks and management overhead.

The term cryptographic sprawl refers to the widespread and uncontrolled proliferation of unmanaged secrets, cryptographic solutions, encryption keys, and applications within an enterprise. This condition may initially seem commonplace since the priority is usually given to utilising resources rather than cleaning them up.

Despite its gradual onset, cryptographic sprawl can have a significant impact on an organisation’s operations and costs. Unmanaged secrets can result in potential security threats, while unmanaged keys and cryptographic resources can increase management overhead, causing unnecessary complexities and challenges for the organisation.

According to the Salesforce-Mulesoft Connectivity Benchmark Reports from 2021-2023, enterprises have experienced a 26% increase in the number of applications used, accompanied by a 171% increase in integration labour costs. As most applications have a lifespan of around four years, it becomes necessary to address cryptographic sprawl.

Fortunately, organisations can quickly tackle cryptographic sprawl by implementing a cloud key management solution. As hundreds of applications generate, distribute, and delete thousands of encryption keys, it is important to assess the level of key management maturity within the organisation.

Organisations can begin by conducting a self-evaluation and analysis of their level of key management maturity. For example, they need to find out whether there is a key management solution in place and where the keys are stored. The organisations must also ask whether they are storing keys in an application database, in software, or with full hardware-backed protection. They must also find out whether the keys are partially or fully indexed, and whether they have firm policies to enforce key lifecycles.

If the answer to any of these questions is no, then it is time for the organisation to have a serious talk with a trusted cloud key management solutions provider.

Emerging solution: cloud key management

Cloud key management is an area that requires attention from many organisations, as not all have deployed effective key management in the cloud, even though they have realised the benefits of moving data security to the cloud. Cloud HSM, which can be launched on-demand, provides a quick solution for encryption. Furthermore, cloud key management offers a high level of privacy, control, and flexibility, and eliminates the risks of cryptographic sprawl.

For instance, organisations running applications on a major cloud service provider like AWS or Google have encryption keys to secure their stored and transmitted data. However, in this setup, the cloud provider has access to the keys. This may not be sufficient for organisations with sensitive data. To ensure exclusive access to their data, organisations can deploy the cloud key management solution BYOK (bring your own keys). It allows organisations to create and manage encryption keys that only they can access. Organisations deploying BYOK can dictate how their data is accessed and stored.

External key management (EKM) is another solution that provides organisations with complete control over their keys. With EKM, a third party manages an organisation’s keys, but the organisation still has the ultimate control over the keys. EKM allows organisations to create, store, and manage keys in a separate environment from encrypted data, which enhances data privacy, access control, and key provenance.

Client-side encryption (CSE) is a related cloud key management solution that is gaining traction. With CSE, data is encrypted in a user’s web browser before it is sent to a cloud provider’s servers, where it is stored in an encrypted form accessible only by the organisation using CSE.

Emerging demand: cloud compliance

There are exciting new cloud solutions, but for companies to deploy these solutions, they need a trustworthy cloud cryptography provider that can meet their compliance objectives, particularly in countries in the South Asian region. India, in particular, has become a global payments hub, with a fast-growing fintech sector that seeks innovative cloud technology.

India is well-known for its robust approach to cybersecurity, as demonstrated by regulations like the RBI Directive 2017-18/153, which mandates that organisations store payment data within India. This has resulted in the demand for cloud providers to expand their global reach and provide cloud solutions locally in India. This involves the establishment and maintenance of cloud datacentres in India to offer data localisation compliance, lower latency, and high availability to the fast-growing Indian payments sector. Key localisation, which involves storing encryption keys locally, is an important requirement.

Local laws in India are also driving the need for data security measures such as public key infrastructure (PKI), a system for managing digital certificates. Digital certificates validate digital objects’ authenticity and can establish non-repudiation of messages and transactions. Non-repudiation provides evidence of delivery, ensuring that neither party can deny their involvement in a transaction or message.

The threat of cyber risks is ever-increasing, but so are the cybersecurity solutions. Deploying cryptography, especially key management, in the cloud can help organisations enhance their security while saving on costs. The cloud also opens the door to cutting-edge solutions like BYOK and EKM.

Going ahead, the industry can expect to see more demand in the South Asia region for cloud cryptography solutions that can comply with data localisation policies. Organisations will also search for solutions that assist them in centralising and consolidating their infrastructure, leading to more efficient management. The future of cryptography may well be in the cloud.

By Ruchin Kumar

Ruchin is VP – South Asia of Futurex

feedbackvnd@cybermedia.co.in
