KISS of Encryption

Encryption sounds incredibly complicated since it does encompass advanced algorithms and cryptography, but encryption key management can be very simple and strong once you get past the industry language.

Cloud Security Alliance and NIST

The Cloud Security Alliance and NIST (the National Institute of Standards and Technology) both featured encryption key management in the September Interagency Report.

Per the Cloud Security Alliance "Strong encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e., at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider."

NIST also reports " all architectural solutions where cryptographic keys are stored in the cloud, there is a limit to the degree of security assurance that the cloud Consumer can expect to get, due to the fact that the logical and physical organization of the storage resources are entirely under the control of the cloud Provider."

It sounds complicated, but encryption key management can be greatly simplified by focusing on “control” and “strong encryption (e.g., AES-256).”

Direct Control of Encryption Keys

At the most basic level, controlling encryption keys is an extremely simple and effective way to secure data. If the data owner controls the encryption keys, the only way to decrypt and use the data is to obtain encryption keys directly from the owner. If the owner maintains and controls the keys, security risks decline dramatically.

Direct control of encryption keys also helps maintain compliance responsibility and enforces best practices for securing encrypted data through the additional elements of invisibility, persistency, and strength.

Invisibility Element

Optimized encryption should be invisible to the user. If the user is unaware of encrypted security measures, there is no motive to pursue alternative access.

Persistency Element

Encryption must be persistent. Whether the data is in transit, in use, or at rest, encryption must be applied.

Strength Element

Encryption must be strong. If encryption is broken too easily, controlling the keys can’t be effective. As such, the 256-AES algorithm should be standard.