The challenge of shared responsibility in the cloud – Whose keys are they, anyway?

By Sebastien Pavie, VP Data Protection Products, Southern EMEA at THALES

Key management – the generation, distribution, storage, rotation and destruction of the keys that decide who can decrypt and access protected information – is an often-overlooked yet critical element of encryption. Many organisations leave it to their vendors, or store keys inconsistently across their IT infrastructure in a mix of hardware and software. This lack of centralised control undermines the protection that encryption is supposed to provide. In practice, managing the keys matters even more than the encryption itself: if the keys are compromised, every record encrypted under them is exposed, and if they are lost, that data is unrecoverable, however strong the cipher.

That the major cloud providers are now investing in key management offerings is a sign that the topic is being taken more seriously, and rightly so. Being able to demonstrate control of data is critical to meeting compliance mandates. But how can you claim to own your data if you do not have full control and ownership of the keys that unlock it?

With every passing day, more organisations migrate their sensitive data and business applications to the cloud for operational flexibility, cost efficiency and rapid scalability. To avoid lock-in to a single cloud service provider (CSP) such as Microsoft Azure, AWS, Oracle Cloud or IBM Cloud, many organisations work with several CSPs in a multi-cloud environment.

As more critical data is stored in the cloud, the consequences of cyber-attacks and data breaches grow with it. Most CSPs offer native data protection features, but under the "Shared Responsibility Model" the CSP secures the underlying platform while the ultimate onus for safeguarding business and customer data rests with the organisation. Responsibility for securing data in the cloud is shared; liability is not. The impact of a security incident that exposes sensitive data falls on the company, as does the duty to comply with the relevant regulations and standards, such as the GDPR (and the Schrems II ruling on international transfers), PCI DSS, HIPAA or the CCPA.

Organisations are investing more and more in perimeter security, yet many fail to invest adequately in encryption, the control that limits the damage once an attacker is already inside. The steady stream of breaches in which attackers reach unencrypted data, and the losses that follow, show the gap.

To minimise the impact of security incidents and to protect sensitive data, security and privacy regulations and standards such as the GDPR, PCI DSS, HIPAA and the CCPA either require encryption or treat it as the baseline safeguard: the GDPR names encryption among its appropriate technical measures and waives notification to individuals for breached data that was rendered unintelligible, PCI DSS requires stored cardholder data to be rendered unreadable, and HIPAA and the CCPA tie breach obligations and liability to whether the data was encrypted.

However, merely encrypting sensitive data in the cloud is not sufficient. The Cloud Security Alliance recommends, as an industry best practice for storing information in the cloud, that the customer control both the key management and the encryption process. Managing the key lifecycle effectively (generation, distribution, rotation, revocation and destruction) and being crypto-agile, that is, able to replace keys or algorithms without re-architecting the application, is paramount for establishing trust in the confidentiality, integrity and availability of your data.

Along the same lines, the EU Agency for Cybersecurity (ENISA) points out that client-side encryption, where data is encrypted before it leaves the customer's environment, is the only way to give the customer true control over its data while mitigating the risk of unauthorised access by third parties; with the key held client-side, that includes the provider's own staff and anyone who compromises the provider. NIST SP 800-144 adds that organisations should be "in control of the central keying material and configure the key management components for cloud-based applications."

Barriers to multi-cloud data protection

When it comes to cloud security and efficient key management, there are a number of major pain points that prevent organisations from taking full advantage of the potential offered by cloud platforms.


  1. Lack of visibility into security and encryption practices. CSPs give customers limited visibility into, and limited control over, the encryption schemes and key handling they use, so risk management teams are reluctant to allow sensitive and mission-critical data into the cloud because of the impact a breach would have.
  2. Meeting compliance requirements. Security and privacy regulations mandate state-of-the-art practices for securing the confidentiality and integrity of personal and sensitive data, which requires agility and strong control over key management. Lack of such controls entails large regulatory penalties.
  3. Managing encryption keys across multiple cloud environments. Organisations embrace multi-cloud strategies to avoid vendor lock-in, but each provider's native encryption and key management service is specific to that provider. Relying on them means a separate key store, API and set of procedures per cloud, which is itself a barrier to multi-cloud adoption.
  4. Custodianship of encryption keys. When organisations use cloud-native encryption services, the corresponding keys are generated and held by the provider. Not having direct control of the keys is a risk when they must be revoked, rotated or destroyed in response to a security or cryptographic incident.
  5. Managing, monitoring, and deploying multiple cloud-native security tools. Because cloud-native key management services offer limited ability to automate the key lifecycle, especially across multiple subscriptions or accounts, organisations fall back on labour-intensive, error-prone manual key management processes to meet their security requirements.

The right approach to cloud data protection

Lacking proper security and key management practices in a multi-cloud environment only enlarges the organisation's attack surface, and attackers are quick to exploit it. Fortunately, there are established practices that can strengthen data protection in the cloud: Bring Your Own Key (BYOK), where the customer generates the key material and imports it into the provider's key management service; Bring Your Own Encryption (BYOE), where the customer performs the encryption itself and the provider only ever sees ciphertext; and centralised, automated key lifecycle management.
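The following added example, written for this edit rather than taken from the article or from any Thales product, shows in Go what customer-side control of both the encryption process and the key lifecycle looks like in practice. It covers the client-side encryption that ENISA and NIST recommend above and the BYOE and key-rotation practices this section names: each object is sealed under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that never leaves the customer, and the provider stores only the envelope. It uses only the Go standard library; the object names, KEK labels and the payroll line are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EnvelopeObject is all the provider stores: the payload sealed under a per-object
// DEK, plus that DEK wrapped under the customer-held KEK. No KEK, no plaintext.
type EnvelopeObject struct {
	Name       string // object identifier, bound to the ciphertext as AAD
	KEKID      string // hypothetical label of the KEK that wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), AAD = KEKID
	Ciphertext []byte // nonce || AES-256-GCM(DEK, payload), AAD = Name
}

// NewKey returns 32 random bytes (a KEK or a DEK); crypto/rand.Read never errors as of Go 1.24.
func NewKey() []byte {
	k := make([]byte, 32)
	rand.Read(k)
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the AAD or any byte was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Encrypt runs on the customer side before upload: fresh DEK per object,
// payload sealed under the DEK, DEK wrapped under the KEK.
func Encrypt(kek []byte, kekID, name string, plaintext []byte) (*EnvelopeObject, error) {
	dek := NewKey()
	ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &EnvelopeObject{Name: name, KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the payload.
func Decrypt(kek []byte, obj *EnvelopeObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(obj.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", obj.KEKID, err)
	}
	return open(dek, obj.Ciphertext, []byte(obj.Name))
}

// RotateKEK re-wraps the DEK under a new KEK. The bulk ciphertext is untouched,
// so retiring a KEK costs one small AEAD call per object, not a re-upload.
func RotateKEK(oldKEK, newKEK []byte, newKEKID string, obj *EnvelopeObject) error {
	dek, err := open(oldKEK, obj.WrappedDEK, []byte(obj.KEKID))
	if err != nil {
		return fmt.Errorf("unwrap with old KEK: %w", err)
	}
	wrapped, err := seal(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return err
	}
	obj.WrappedDEK, obj.KEKID = wrapped, newKEKID
	return nil
}

func main() {
	kek1, kek2 := NewKey(), NewKey()
	obj, _ := Encrypt(kek1, "kek-2024-01", "hr/payroll.csv", []byte("alice,4200")) // constructed sample
	_, err := Decrypt(kek2, obj) // the provider, or anyone without the right KEK
	fmt.Println("decrypt without the KEK fails:", err != nil)
	fmt.Println("rotate:", RotateKEK(kek1, kek2, "kek-2024-07", obj))
	pt, err := Decrypt(kek2, obj)
	fmt.Println(string(pt), err)
}
```

Three properties of the design are worth noting. Binding the object name into the payload's AAD means a ciphertext copied from one object to another is rejected, not silently accepted. Rotating the KEK changes only the few dozen bytes of the wrapped DEK, so a scheduled rotation or an emergency revocation across millions of objects never has to move the data itself. And in a real deployment the wrapping step, the one that touches the KEK, is the part to put inside a customer-controlled HSM or key manager (typically with AES key wrap rather than GCM, which also removes the per-key nonce budget of random GCM nonces); that is what the BYOK and BYOE models above amount to operationally.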

With cloud providers being responsible for the security “of” the cloud, and organisations having responsibility for the security of their data “in” the cloud, every CISO should ask the five pertinent questions below:

  1. How do I maintain strong security controls of my cloud assets?
  2. Post-migration, what key management controls do I need?
  3. How do I manage my personal and sensitive data risks?
  4. How do I manage my audits?
  5. How do I meet regulatory compliance?

Cloud security is important for your business prosperity. Thales’s multi-cloud security solutions offer a cohesive answer to each of these questions. Please visit our website for more information.
