Information Security ‘Unquestionables’

There are several questions that today’s enterprises should consider when evaluating a cloud service provider’s customer managed encryption keys solution.


16 April 2015

Information Security Unquestionables

FierceBiotechIT spotlighted Big Pharma’s escalating IT security risks. Pfizer, in its updated U.S. Security and Exchange Commission (SEC) filings, disclosed that its “systems are subject to frequent attacks” and Merck has acknowledged that it “has been the target of events of this nature and expects them to continue." These activities are referred to as the ‘new normal’ in cybersecurity and companies are investing heavily in security in attempts to mitigate risk.

What security technologies should companies invest in? Gartner references encryption as one of the “unquestionables” among the essential technologies and practices that constitute information security. More specifically, Forrester Research reports that clients are asking for recommendations on offerings that encrypt data before it hits cloud services and lets enterprises control their own encryption keys.

Many players, from enterprise giants to smaller companies declare that they give their customers full control of the encryption keys, also known as Customer Managed Keys (CMK). What is less easy to implement is a CMK solution that is married with an appropriate security practice and methodology. As companies begin to realize the importance of owning and managing the encryption keys used to protect their data in the cloud, the important question is — how is that control implemented?

There are several questions that today’s enterprises should consider when evaluating a cloud service provider’s customer managed encryption keys solution:

  1. Can the customer login directly to the appliance that houses the keys and suspend the key without provider’s help or knowledge, if needed?
  2. How is customer authentication to the hardware security module managed?
  3. Is there any provider software in the middle that can be compromised and leak the keys?
  4. Keys need to be rotated. What happens to data at the time of key rotation?
  5. Do I need to wait for re-encryption of terabytes of data with the new key?

Arguably, if the chosen managed keys solution cannot provide these capabilities it may fall short of many enterprise requirements for compliant storage of that company’s most valuable information assets. Join the discussion here. 



Shelley Bakst

Shelley Bakst

Shelley Bakst is the Director of Analyst Relations at Intralinks. She has more than 25 years of experience leading successful corporate communications functions across global companies, SMBs, start-ups, and agencies.