With the global pandemic putting a crimp on in-store visits, companies are running specials that nudge more shoppers online this year. The increased online activity means hackers will be circling like sharks, which makes online retailers, e-commerce shops and distributed enterprises a target for security breaches, accidental or malicious.
Putting more data and apps in the public cloud presents more risk since the data is physically with the cloud providers. The major cloud service providers (CSPs) from AWS to Google understand this need for data-centric security and are investing in solutions like data encryption, key management services (KMS) and cloud hardware security module (HSM) services that make it easier to secure data while being the ultimate arbiter for access. The cloud-native encryption and key management capabilities are based on proven encryption algorithms, yet trusting the CSPs with both the lock (encryption) and key (encryption keys) is a non-starter for security teams.
How can retailers and related enterprises ensure their data in use, at rest or in transit will be protected and secure during this period of high e-commerce activity? The answer may be found in emerging technologies that protect identity and data for any environment–from private, public and hybrid clouds to multi-clouds and edge-to-cloud.
1. Manage identity and access with Zero Trust
Protecting employees who are more mobile and remote today requires security teams to adopt a zero-trust framework that never trusts by default but always verifies every user and data asset. Zero trust shifts security away from traditional perimeter-based approaches and makes users, their identities and data the foundation for a post-pandemic cloud economy and remote workforce.
Adding more cloud apps and services ratchets up your need to deliver simplified, secure access. Identity services help by providing single sign-on (SSO) and other access management capabilities. But ensuring a good user experience doesn’t mean sacrificing security. Identity management is strengthened by using standards for authentication and authorization such as SAML, which defines how an identity provider and a service provider exchange authentication and authorization assertions across a network. A key management system that supports all three (identity providers, single sign-on and SAML) enables organizations to use services such as Okta and Microsoft ADFS to verify identities, protect users and simplify management while keeping keys separate from the encrypted data. With the flurry of logins and site access that is common to surges like holiday shopping, knowing who is really on your network is critical to ensuring your data is protected.
2. Use SaaS applications with Bring-Your-Own-Keys
Separating keys from encrypted data is critical. Keeping keys and data with the same CSP is like slapping a sticky note with your computer password on the monitor and hoping nobody notices. Enterprises can use a key-management approach called bring your own key (BYOK) to use the native encryption offered by CSPs while maintaining control of the keys, regardless of location or environment, even off-premises. If the content owner disables access to the keys, it’s impossible for any third party to decrypt the information.
Integrating BYOK with cloud-based applications allows you to continue to leverage software to power sales at peak times like Black Friday while improving visibility and control of sensitive data. Key managers that support BYOK for SaaS applications, such as Salesforce, allow you to encrypt customer and sales data in the cloud but retain ownership of the encryption keys while monitoring access. If a breach occurs, you can revoke access to the data stored in the cloud. Exercising control in key management when consuming, storing or processing data in SaaS apps is a best practice for securing payments and other customer transactions that involve personally identifiable information (PII) in compliance with regulations like PCI-DSS and GDPR.
3. Extend BYOK with HSM integrations for cloud services
BYOK keys may be either software-managed or stored in FIPS-compliant hardware security modules (HSMs). HSMs are plug-in cards or external appliances that generate and hold the cryptographic keys used for encryption, decryption and authentication of applications, identities and databases. Whether controlled by the CSP or kept on-premises at the customer’s site, HSMs are the gold standard for data protection, but they have a reputation for complexity and for not supporting many key management functions and use cases.
Cloud services that extend HSM with BYOK are providing more choice for organizations that want to combine their own HSM-backed encryption keys with public-cloud services. For example, Microsoft Azure customers can now use key management with Azure Key Vault External HSM. You create encryption keys on-premises and transfer them securely to Azure Key Vault for Microsoft cloud-based apps such as Office 365 and SharePoint. You can also manage the keys throughout their lifecycle, including protecting, backing up, auditing and synchronizing the private encryption keys stored in the Azure Key Vault.
4. Implement Google Cloud External Key Management Program
Maintaining control over your encryption keys can also extend to Google Cloud. If you held back from moving data and workloads to Google because of compliance requirements, or because you weren’t comfortable with any third party handling your encryption keys, the Google Cloud External Key Manager (EKM) API may be the answer.
Key management systems supporting the Google Cloud EKM API give you complete control and ownership of encryption keys. Whether you’re bringing archive data or the most sensitive files and workloads into Google Cloud, the keys reside on the external system. They are provisioned to Google to encrypt or decrypt the data but are never stored or cached in Google. You can set up policies for usage and gain visibility into access, for instance by denying Google the ability to decrypt data. This adds flexibility to key and access control management and provides external key protection for Google services.
5. Investigate Confidential Computing for data-in-use
Data is primarily in three states: at rest, in transit or in use. The industry historically focused on protecting data at rest (in storage) and in transit (moving across the network). After years of being thwarted by storage and network protections for data at rest and in transit, the bad guys recently shifted their attention to data while it is being processed in the CPU and memory.
In response, cloud industry vendors like Microsoft and Google created Confidential Computing initiatives to help organizations secure their data in use and joined with other companies like IBM and Intel to establish the Confidential Computing Consortium. Confidential Computing protects code and data while it is being processed, using techniques that create a Trusted Execution Environment (TEE), which prevents sensitive data being processed from being exposed to the rest of the system. A Trusted Platform Module (TPM) chip carries out cryptographic operations directly inside the CPU and can create a TEE. Enterprises implementing Confidential Computing initiatives should look for external key managers that can take advantage of TPMs to add an extra level of data protection.
As more data and apps span multiple environments—from on-premises to public cloud to edge—organizations need protection controls that help safeguard sensitive intellectual property and workload data wherever the data lives. Alas, there is no single silver bullet. The answer is a smart, phased approach that combines external key management with encryption, BYOK, HSM and Confidential Computing to give users layers of security while doubling down on privacy and compliance. Together they offer confidence and control, the security gifts that keep on giving to organizations that are using cloud-based products and service providers to drive their growth.