Protection of personal and sensitive data: how can companies better control it?

Although the Cloud offers many advantages, the confidentiality of the data held there remains a central issue for its adoption. Encrypting that data is essential, but not sufficient.

To have complete control of their data, companies must learn to manage their cryptographic keys themselves. This control represents the most relevant response for companies to the problem of data security.

Data is a major challenge for companies. It has become the main fuel of any activity and often constitutes a competitive advantage for those who know how to exploit it. But some data requires special attention: personal data and sensitive data. In order to comply with regulations and minimize the risk of data theft or leakage, organizations must put in place various organizational and technical processes.

An increasingly difficult challenge

Three dates have complicated data governance. In May 2018, the GDPR became enforceable. In October 2015 and July 2020, the Court of Justice of the European Union (CJEU) issued two major judgments, Schrems 1 and Schrems 2 respectively, which reshuffled the cards in terms of the legal framework allowing the export of personal data. They ended the Safe Harbor and the Privacy Shield, two agreements between the United States and Europe intended to simplify transatlantic exchanges of personal data. The EU standard contractual clauses (EU SCCs) nevertheless remain a valid mechanism for transferring personal data outside of Europe, as recognized by the European Commission.

A big question

Data privacy regulations require that organizations collecting data remain responsible for its confidentiality and protection, regardless of any contractual or outsourcing arrangements. How can companies resolve this dilemma: benefiting from the performance of the Cloud while ensuring the security of their information?

One solution is to encrypt personal and critical data. But beyond encryption (a practice far from being widespread*), it is the secure management of cryptographic keys that is crucial.

There are different key management methods: “Bring Your Own Key” (BYOK), “Hold Your Own Key” (HYOK) and “Bring Your Own Encryption” (BYOE). With the first two solutions, all data is encrypted by native cloud services. By default, cloud providers generate encryption keys and then manage the lifecycle of those keys for their customers.

Full control of your data

When you want to access your data with BYOK or HYOK, the provider asks your key server for the decryption key. When the operation is completed, you can remove it. But during operations on this data, the provider has your key and can use it later. This is the weak point of these solutions: they only ensure the governance of the keys, not the encryption itself, which is still performed by the provider's native techniques.

For organizations hosting sensitive data in the Cloud, this situation is not acceptable, as they must retain sole control and ownership of their keys to remain compliant with their internal security requirements as well as with GDPR-type security regulations.

Hence the need to put in place strategies that allow companies to maintain full control over when and how their keys are used to access and protect their encrypted data.

Solutions exist on the market that completely dissociate the company from the supplier by relying on proprietary control and “Bring Your Own Encryption” (BYOE). It is an encryption key management system that allows companies to encrypt their data themselves and retain control and management of their encryption keys.

One of them, resulting from a partnership, comes in the form of an encryption platform that complies with ANSSI recommendations, which prevents the supplier from accessing the encryption key and the method of encryption used. Companies thus retain full control over their data stored in the Cloud, but also over the encryption service provided by this platform.

This solution makes it possible to respond precisely to the problem of data security but requires great rigor in its implementation, the main risk being the loss of the key.
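The BYOE model described above, as an added sketch that is not part of the original article or of any vendor's platform: the customer encrypts each record under a fresh data key (DEK), wraps that DEK under a key-encryption key (KEK) that never leaves the customer, and uploads only the resulting object. The function names, the Node.js runtime and the choice of AES-256-GCM for both layers are assumptions made for the illustration.

```javascript
// Added illustration (not from the article). All names are hypothetical.
// Loads node:crypto whether the file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

// AES-256-GCM; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Throws if the key is wrong or if the blob or the aad was modified.
function unseal(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Customer side: the returned object is the only thing sent to the provider.
// It contains ciphertext and a wrapped DEK, never the KEK or the plain DEK.
function encryptForCloud(kek, recordId, plaintext) {
  const dek = nodeCrypto.randomBytes(32);
  const aad = Buffer.from(recordId, "utf8"); // binds both blobs to this record
  const stored = {
    recordId,
    wrappedDek: seal(kek, dek, aad).toString("base64"),
    ciphertext: seal(dek, Buffer.from(plaintext, "utf8"), aad).toString("base64"),
  };
  dek.fill(0); // best-effort wipe of the plain DEK
  return stored;
}

// Returns the plaintext, or null when the KEK is missing, wrong or lost,
// or when the stored object was altered.
function tryDecrypt(kek, stored) {
  try {
    const aad = Buffer.from(stored.recordId, "utf8");
    const dek = unseal(kek, Buffer.from(stored.wrappedDek, "base64"), aad);
    const text = unseal(dek, Buffer.from(stored.ciphertext, "base64"), aad).toString("utf8");
    dek.fill(0);
    return text;
  } catch {
    return null;
  }
}
```

Whoever holds only the stored object, the provider included, gets `null` from `tryDecrypt`; so does the customer once the KEK is lost, which is the implementation risk noted above.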

In conclusion, data encryption is crucial for cloud security, but it is not enough. Companies must be able to manage their keys themselves. With BYOE and a sovereign control platform, organizations no longer have to worry about where their data resides.

*A Thales study published in June 2021 found that only 17% of companies encrypt at least half of their sensitive data in the cloud.
