The premise of security is confidentiality, integrity, and availability. The premise of data protection is integrity and availability. The two go hand in hand. However, it is often the case that certain groups within organizations handle data protection (disaster recovery, business continuity, and backup) while other groups handle security. As security moves closer and closer to the data, could it perhaps be time for these two disciplines to become one? The security of data protection is becoming just as important as the security of the data in use. Managing the security of both in-use data and protected data, regardless of location, is paramount. This means data stored on-premises, in the cloud, and remotely.
So, how do we achieve the necessary security? All packages, whether from Veeam, Unitrends, HotLink, or others, include encryption technology. Tools such as Cloudtools Shift encrypt data in motion but rely on the target cloud’s own encryption of data once it lands there. Amazon and other target clouds use in-VM and EBS-based data encryption. Encryption is a tool usually controlled by security teams, except when it has anything to do with backup. Then, it is usually a set-and-forget item. Unfortunately, you cannot forget encryption, as you have to keep your keys safe and available.
Key management needs to be done in such a way that all parties who need access can manage the keys. If your tape drive, for example, encrypts for you, you need to obtain the key so that if you change tape drives you can continue to decrypt the media. The same goes for self-encrypting drives. Outside of hardware encryption, too, it is crucial to maintain a library of your encryption keys so that you can recover your data as needed, whether for availability reasons or for integrity checks.
As we move data around the cloud and store it in so many different places and services, control of this encryption is vital. Doing so at mass scale is an issue. It is simple to store just a few keys, but what about thousands, or tens of thousands, or more? For that, you need a repository. Vormetric, SafeNet, and other encryption companies offer key and key-material storage.
Scale makes a difference. As many clouds will tell you, scale breaks many tools. Encryption is one such tool, and it is a tool that tenants should really take control of. Tenants should establish a way to store their encryption keys from multiple clouds. This repository should store keys, certificates (for SSL), and other encryption material. In addition, keys should be tested regularly and checked for expiration, or a set of keys should be rotated through as the people who hold them leave or arrive.
This becomes one more hidden cloud dependency. It is not the cloud provider that should be managing encryption, but the tenant. The cloud provider can provide a means to encrypt, such as HyTrust DataControl, Veeam repository encryption, or some other mechanism. However, the keys should be managed by the tenant. That tenant could span clouds, which means the tenant needs to be able to decrypt its data wherever the data ends up, regardless of which cloud. How can a tenant do this? Solutions include either using one encryption package (HyTrust DataControl, CloudLink, or SafeNet, for example) within all clouds or, alternatively, choosing a product like Vormetric DSM, which can protect data wherever it resides.
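The preceding paragraphs describe a tenant-held key repository: a library of data keys labelled by where the protected data lives, with periodic expiry checks and rotation when key custodians change, so that the tenant can decrypt its backups in any cloud. The following is an added example written for this page, not code from any of the products named above; it uses only the Go standard library. It assumes a simple envelope design (data-encryption keys wrapped under a tenant master key with AES-GCM) and constructed labels such as `aws-eu-west-1` and `veeam repository`; a real deployment would keep the master keys in an HSM or a product such as those mentioned in the text, but the bookkeeping is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// KeyEntry is one record in the tenant-held repository: a data-encryption
// key (DEK) wrapped under the tenant's master key, plus the metadata needed
// to find, expire and rotate it. Cloud and Purpose are constructed labels.
type KeyEntry struct {
	ID            string
	Cloud         string
	Purpose       string
	WrappedDEK    []byte // AES-GCM ciphertext of the DEK, nonce prepended
	Expires       time.Time
	MasterVersion int // which master-key version wrapped this DEK
}

// Repository keeps every master-key version it has used, so a repository
// export taken before a rotation can still be unwrapped, plus the wrapped DEKs.
type Repository struct {
	masters map[int][]byte
	current int
	entries map[string]*KeyEntry
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewRepository starts with master-key version 1 (hypothetical: a real tenant
// would load this from an HSM or key-management product).
func NewRepository() *Repository {
	return &Repository{masters: map[int][]byte{1: randomBytes(32)}, current: 1, entries: map[string]*KeyEntry{}}
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return a
}

// wrap seals plaintext under key and returns nonce||ciphertext.
func wrap(key, plaintext, aad []byte) []byte {
	a := gcm(key)
	nonce := randomBytes(a.NonceSize())
	return append(nonce, a.Seal(nil, nonce, plaintext, aad)...)
}

func unwrap(key, blob, aad []byte) ([]byte, error) {
	a := gcm(key)
	if len(blob) < a.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], aad)
}

// AddKey generates a fresh 256-bit DEK for one data set in one cloud, wraps it
// under the current master key and records its expiry. The entry ID is bound
// as associated data, so a blob copied onto a different entry fails to unwrap.
func (r *Repository) AddKey(id, cloud, purpose string, ttl time.Duration) []byte {
	dek := randomBytes(32)
	r.entries[id] = &KeyEntry{ID: id, Cloud: cloud, Purpose: purpose,
		WrappedDEK: wrap(r.masters[r.current], dek, []byte(id)),
		Expires:    time.Now().Add(ttl), MasterVersion: r.current}
	return dek
}

// DEK returns the unwrapped data key for id, refusing expired entries.
func (r *Repository) DEK(id string, now time.Time) ([]byte, error) {
	e, ok := r.entries[id]
	if !ok {
		return nil, fmt.Errorf("no key %q", id)
	}
	if !now.Before(e.Expires) {
		return nil, fmt.Errorf("key %q expired on %s", id, e.Expires.Format(time.RFC3339))
	}
	return unwrap(r.masters[e.MasterVersion], e.WrappedDEK, []byte(id))
}

// ExpiringWithin is the periodic check: which keys lapse inside the window?
func (r *Repository) ExpiringWithin(now time.Time, window time.Duration) []string {
	var ids []string
	for id, e := range r.entries {
		if e.Expires.Before(now.Add(window)) {
			ids = append(ids, id)
		}
	}
	return ids
}

// RotateMaster creates a new master-key version (for example when a custodian
// leaves) and re-wraps every DEK under it. Data already encrypted in the clouds
// is untouched: only the wrapping changes, so nothing needs re-encrypting.
func (r *Repository) RotateMaster() (int, error) {
	next := r.current + 1
	r.masters[next] = randomBytes(32)
	for _, e := range r.entries {
		dek, err := unwrap(r.masters[e.MasterVersion], e.WrappedDEK, []byte(e.ID))
		if err != nil {
			return r.current, fmt.Errorf("rewrap %q: %w", e.ID, err)
		}
		e.WrappedDEK = wrap(r.masters[next], dek, []byte(e.ID))
		e.MasterVersion = next
	}
	r.current = next
	return next, nil
}

func main() {
	repo := NewRepository()
	dek := repo.AddKey("backup-eu-2024", "aws-eu-west-1", "veeam repository", 90*24*time.Hour)
	got, _ := repo.DEK("backup-eu-2024", time.Now())
	v, _ := repo.RotateMaster()
	fmt.Println("unwrap ok:", string(got) == string(dek), "master version:", v)
}
```

Two design points matter for the availability argument the text makes. First, rotation re-wraps the data keys rather than re-encrypting the backups themselves, which is what makes rotation feasible at the scale of tens of thousands of keys. Second, the repository never discards an old master version, so a snapshot of the repository taken before a rotation remains recoverable; that retained material is itself sensitive and belongs under the same tenant control as the current key.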
Importantly, your data protection mechanism must be able to store its keys within the package as well.
Where do you store encryption keys and data?