Data Storage: Who’s Got the Encryption Key?

Encryption is a very basic security measure. But there are some serious issues swirling around encryption, especially if you have handed off your data to a cloud provider.

Encrypting data in-transit is standard, and many service providers (SPs) will give you the option of encrypting data at-rest. Don’t take at-rest encryption for granted, because there is another step you must take. Ask yourself: when I direct my SP to encrypt my stored data, who decrypts? Who holds the keys to the kingdom?

It may be your cloud provider who holds your encryption key. Most of them will do their best to protect your data and keys. But it’s an uncertain world out there. Online thieves can steal the key, the NSA can subpoena it, determined hackers can break it, and failing cloud businesses can take it down with them.

Let’s take a closer look at these very real threats to encrypted online data storage.

Hackers. A well-organized hacking group attacked an ecommerce website, stealing customer information including credit card numbers. The website owner admitted the data loss but thought that customer data was safe because it was encrypted. Sadly for the company, it had stored encryption keys on the same server that held customer data. The sophisticated hackers stole the keys right along with the information and promptly decrypted and posted the data.

Government. The NSA regularly taps large service providers for customer data and if you store your data with them you are vulnerable. Even if your data is encrypted, if the SP has the key they can decrypt your data. And if they are threatened by a subpoena, they probably will.

You may decide to turn your data over to the NSA if they subpoena you, but the point is that this should be your choice. Not the NSA’s, and certainly not your service provider’s. Or what about the scenario where the NSA does subpoena you, you decide to decrypt and turn over your data to them, and you don’t have the encryption key? Imagine the NSA’s sense of humor at that response.

Internal intrusion. Never assume that your data is kept private from the service provider’s employees. Most of them are honest to a fault -- but not all of them are, and your data is at risk if they control your encryption keys. And while you’re at it, check to see that your provider carefully screens their employees and tracks their activities while at work. A tad big-brother-ish perhaps, but remember Edward Snowden? No matter what your opinion is on his activities, you probably do not want a Snowden of your very own.

Going Out of Business. Many online backup service providers operate on razor-thin profit margins and are close to failing or are actively looking to be acquired. If they have your encryption key you may or may not be able to get your data back when you need it. If they are the ones who own your encryption key, they may take your key and your encrypted data down with their ship.

Service providers are well aware of these issues around encryption keys. One common solution is storing their customers’ encryption keys separately from data, in a different physical server system or a different partition. This does work against outside intrusion but does not help much against internal employee mistakes or malice.
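
To make the key-placement question concrete, here is an added example (not part of the original post) that models three arrangements and checks who ends up holding both ciphertext and key. It assumes the third-party Python "cryptography" package; the location names, party names and sample record are constructed for illustration.

```python
# Requires the third-party "cryptography" package; Fernet is authenticated symmetric encryption.
from cryptography.fernet import Fernet

RECORD = b"name=Test Customer;card=0000-0000-0000-0000"  # constructed sample data

def build_deployments():
    """Return (deployments, customer_key); all location names are hypothetical."""
    k_same, k_split, k_cust = (Fernet.generate_key() for _ in range(3))
    deployments = {
        # Key stored on the same server as the data.
        "key_beside_data": {
            "data_server": {"blob": Fernet(k_same).encrypt(RECORD), "key": k_same}},
        # Provider keeps the key on a separate system.
        "provider_separate_key": {
            "data_server": {"blob": Fernet(k_split).encrypt(RECORD)},
            "provider_key_server": {"key": k_split}},
        # Customer encrypts before upload and keeps the key off the provider.
        "customer_held_key": {
            "data_server": {"blob": Fernet(k_cust).encrypt(RECORD)}},
    }
    return deployments, k_cust

# Which locations each party can read (an assumption of this model).
PARTIES = {
    "data_server_breach": ["data_server"],
    "provider_side": ["data_server", "provider_key_server"],  # insider or subpoena
}

def can_decrypt(deployment, reachable):
    """True if reading the reachable locations yields both blob and key."""
    seen = {}
    for loc in reachable:
        seen.update(deployment.get(loc, {}))
    if "blob" not in seen or "key" not in seen:
        return False
    return Fernet(seen["key"]).decrypt(seen["blob"]) == RECORD

def exposure_matrix():
    """Map (deployment, party) -> whether that party recovers the plaintext."""
    deployments, _ = build_deployments()
    return {(d, p): can_decrypt(dep, locs)
            for d, dep in deployments.items() for p, locs in PARTIES.items()}

def customer_can_recover():
    """The customer, holding the key, decrypts a blob exported from the provider."""
    deployments, key = build_deployments()
    blob = deployments["customer_held_key"]["data_server"]["blob"]
    return Fernet(key).decrypt(blob) == RECORD

if __name__ == "__main__":
    for (d, p), exposed in exposure_matrix().items():
        print(f"{d:22} {p:19} {'plaintext exposed' if exposed else 'ciphertext only'}")
```

Separating the key from the data changes only the outside-breach row; the provider-side row stays exposed until the key leaves the provider entirely.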
