Encryption: Whose keys are they, anyway?

Over the past year, encryption has been showing up in a number of unlikely places. It started when Google executive chairman Eric Schmidt proclaimed that encrypting everything is the answer to government surveillance.

Apple also hopped on the encryption train, prompting a standoff with law enforcement. More recently, the popular cloud storage service, Box, made encryption a centerpiece of its strategy to win over enterprise customers. In so doing, they also unveiled a significant feature, known as customer-managed keys – allowing their customers to have full control over the keys that play a critical role in the encryption of their data.

Other popular services, such as Salesforce.com and AWS, have taken a different approach and are managing the keys for the customer. Each provides its own advantages and disadvantages. But it does bring up an important question that organizations must answer: Whose keys are they, anyway?

Until now, key management – the processing, management and storage of keys for who can decrypt and access protected information – was an often-overlooked, and yet critical element of encryption. Many organizations left that part up to their vendors or stored them inconsistently across their IT infrastructure in both hardware and software. This lack of centralized control can jeopardize the integrity of encryption. In fact, the management of the keys is more important than the encryption itself, because if something happens to the keys, entire sets of data can be stolen or lost, and there’s nothing you can do about it.

The fact that major cloud heavyweights are diving into this technology is a sign that key management is being taken more seriously. And rightly so. The ability to demonstrate control of data is critical to meeting compliance mandates. But how do you really own your data if you do not have total control and ownership of the keys?

Salesforce has included important safeguards to its Platform Encryption in order to prevent any mishandling of the customers’ keys on their end. But at the end of the day, the keys cannot leave Salesforce. It may still not be enough for organizations facing strict security and compliance standards, but it is adequate and understandably appealing for a great many other organizations where good enough security is just good enough.

The alternative, and the route Box is taking, is to take the third party provider out of the equation and put the keys in the hands of the customer. While this may seem like a daunting, do-it-yourself approach, it actually makes sense if you need eliminate any chance of a vendor exposing your keys.

In real life, it would the same as asking, would you want your neighbor or landlord to be in sole possession of your house and car keys? Every time you have to get into either one, you need to contact your neighbor. And what if they lose them? With customer-managed keys, control goes back to the data’s rightful owner, and an external vulnerability is removed from the mix. This is the reason why organizations like Box are embracing customer-managed keys.

If this becomes a trend, it should not come without a warning; key administration is an involved practice that can create its own problems if done incorrectly. The basic tasks include key creation, rotation and deletion on a continuous basis. Each of these steps is, in itself, sensitive and time-consuming. Missteps can create new vulnerabilities, most notably the loss of keys resulting in permanent loss of data. For these, reasons, managing your own keys is a challenge many organizations don’t wish to take on.

Still, with all that said, it is encouraging that more and more high-profile services and organizations seem to be giving serious thought to the nuances of encryption, especially key management. Determining who should be in control of the keys to your most sensitive data is a critical element that is taking on a new place of prominence. In light of what seems to be an increasingly hostile threat landscape, even the average person is becoming more fluent in the basics of security, and customers are asking smarter questions. “Where are my keys?” becomes a sharp question rather than a sign of confusion.

High profile hacks are propelling encryption to the forefront, which is why we’re seeing more organizations publicly looking for the smartest way to address the “Whose keys are they, anyway?” question. No matter how they answer it, clearly-defined ownership and responsible management is the most important thing. It’s interesting to see this play out publicly, and ultimately everyone should benefit as some of our most well-known tech companies look for the best answer.