Who Should Be Responsible for Encryption Keys?
27 February 2017
With the General Data Protection Regulation (GDPR) coming into force in May 2018, organisations must now consider a more robust approach to data privacy – or risk potentially devastating fines.
The problems with defining data location
The traditional approach to controlling data is simply to restrict its physical storage location – to keep all information on-premise and implement rules to prevent its distribution. The downside is that these controls prevent and frustrate the very business processes that could realise the value of the information.
Keeping data on-premise, or within a specific region, gives data owners peace of mind and may help demonstrate a degree of regulatory compliance. The technological reality, however, is that control over decryption keys – not where the data is stored – dictates who can see and use the information.
Gartner takes the view that the physical location of data will be increasingly irrelevant by 2020, and is set to be replaced by a combination of location criteria that take into account legal, political and logical concerns. Over time, the ‘logical’ location of the data becomes more significant, as regulators and content owners come to accept that the physical location of a sufficiently encrypted file is irrelevant – access to the encryption keys is what counts.
The power of encryption – and controlling the ‘logical’ location
Those businesses that follow this train of thought are able to keep control of valuable content without preventing it from flowing beyond the boundaries of the organisation. They shift their focus to managing and controlling the encryption keys that protect their content wherever it goes and implement processes to manage, distribute and revoke access to the keys.
Some organisations are embracing key management practices – also known as Customer Managed Keys (CMK) – to retain control over their encryption keys and thus their data. By keeping exclusive control of the encryption, businesses can ensure their data remains secure and under their control, regardless of physical location. Any intermediate service provider becomes unable to decrypt the data if the owner chooses to disable their access to the keys.
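A minimal model of the CMK arrangement described above, added here as an illustration and not taken from any vendor's product: the class names are hypothetical, and the HMAC-based seal/unseal pair stands in for an authenticated cipher such as AES-GCM so that it runs with the Python standard library only.

```python
import hashlib, hmac, secrets
# seal/unseal: HMAC-SHA256 stand-in for a real AEAD such as AES-GCM (assumption, stdlib only).
def _stream(key, nonce, n):
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ s for c, s in zip(body, _stream(key, nonce, len(body))))

class OwnerKeyService:  # hypothetical key service run by the data owner
    def __init__(self):
        self._master, self._allowed = secrets.token_bytes(32), set()  # master key never leaves
    def grant(self, who): self._allowed.add(who)
    def revoke(self, who): self._allowed.discard(who)
    def wrap(self, who, data_key): return seal(self._key_for(who), data_key)
    def unwrap(self, who, wrapped): return unseal(self._key_for(who), wrapped)
    def _key_for(self, who):
        if who not in self._allowed:
            raise PermissionError(f"{who} has no access to the owner's key")
        return self._master

class Provider:  # intermediate service: stores ciphertext and wrapped data keys only
    def __init__(self, name, keys):
        self.name, self.keys, self.store = name, keys, {}
    def put(self, doc_id, plaintext):
        data_key = secrets.token_bytes(32)  # fresh per-document key, kept only in wrapped form
        self.store[doc_id] = (self.keys.wrap(self.name, data_key), seal(data_key, plaintext))
    def get(self, doc_id):
        wrapped, blob = self.store[doc_id]
        return unseal(self.keys.unwrap(self.name, wrapped), blob)

def demo():
    keys = OwnerKeyService()
    provider = Provider("storage-provider", keys)
    keys.grant("storage-provider")
    provider.put("doc-1", b"constructed sample record")
    before = provider.get("doc-1")
    keys.revoke("storage-provider")  # owner disables the provider's access
    try:
        return before, provider.get("doc-1")
    except PermissionError:
        return before, None  # stored bytes unchanged, no longer decryptable
```

Revocation blocks future unwrap calls; a data key the provider has already unwrapped and kept in memory remains usable until it is discarded.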
Taking ownership of encryption
When a business has decided to strengthen data security by using CMK to control the point of encryption instead of focusing on the storage location of encrypted data, the next challenge is to decide where in the organisation that responsibility should lie. The CIO, a chief privacy officer, the legal department: there are many potential options, but who should take that responsibility?
The chief privacy officer
Once the GDPR is in full force, there will be thousands more data privacy officers in Europe, tasked with protecting personally identifiable information (PII) as it moves within and beyond the organisational boundary. With these new roles set up to focus on privacy and the protection of data in general, they may become the right owners of key management processes and the control points to drive compliance.
The IT department
Whether the central IT department remains in control of IT systems or manages services provided by other companies, IT may well become the most capable home for key management. As cloud service use expands across the enterprise, CMK offers an opportunity for the IT department to remain firmly in control even when core services are being delivered externally.
The legal team
The legal aspect of the increasingly stringent data privacy landscape might persuade companies to either place their own legal department in charge of key management or outsource it to a law firm. In this arrangement, the law firm might play the role of data protection adviser, providing a service of managing keys on behalf of multiple clients.
So, who should be responsible for customer-managed encryption keys?
There is no one-size-fits-all approach to managing encryption across a large organisation. Many factors may influence the right ownership model, depending on the sector, size and scale of the organisation.
One line of reasoning is that whoever currently holds ultimate responsibility for data in the organisation should also take control of the keys that encrypt that data. Rather than focusing too closely on where data is stored, emphasis should move to aligning responsibility for the data with responsibility for the keys. CMK technologies offer an opportunity to ensure those with responsibility for corporate data have the closest control possible.
Richard Anstey serves as Intralinks’ Chief Technology Officer for Europe, Middle East, and Africa. Mr. Anstey joined Intralinks after serving as Chief Architect at OpenText, where he was responsible for the technology evolution of the company’s full information management portfolio including innovation and technical due diligence on acquisitions. During his time at OpenText, Mr. Anstey led the global product management team as it passed the USD 1 billion revenue threshold and has over 15 years of Information Management experience.