Cloud Security Basics: Encryption and Key Management
Posted by IanH on March 17, 2010
We’ve previously talked about the six things that every CIO should ask a vendor about cloud security, and today I want to talk specifically about encryption and key management. One of the most important questions you can ask your cloud provider is how they plan to secure your data in the cloud, and whether they secure it both in motion and at rest.
Data encryption is a hot topic, but people often forget to ask or specify where and how the data is encrypted. Even more important is how the encryption keys are secured and managed: not only whether there is a key structure, but where and how those keys are stored, audited, issued and revoked, covering the entire life cycle from key instantiation through retirement.
Data Encryption
- We all know that information needs to be encrypted to be secure, but not all encryption schemes are created equal. Not all data centers encrypt their data at rest or their backups or audit their data encryption process – we do. I’d argue that a truly secure system would take these considerations into account. Data in backups will likely stick around for much longer than the information that is currently on your servers.
- I also recommend using a vendor whose cryptography conforms to the FIPS-140 security standard, which is the generally accepted industry standard.
Key Security
- You need to know how their encryption keys are stored and secured. You can encrypt all of your data, but the encryption keys are the proverbial “keys to the kingdom” in your enterprise. A comprehensive security story must have a key security system in place.
- A good article on the subject was written by Ulf Mattsson for Global Security Magazine. He details many common strategies for managing key security.
- To his article, I’d add the following: it’s also good practice to ensure that no single person has access to the entire key. Best practices call for splitting the knowledge of each key among 2 or more individuals, so that reconstructing the entire key requires all of those individuals to be present for authorization.
- Furthermore, where business practice requires that at least one person in the company has knowledge of the entire key (e.g. the CEO or Security Officer of the company), procedures and processes should be in place to ensure that those individuals cannot access the data (i.e. they may have the key, but they cannot get access to the lock to open it, so there is still a degree of separation).
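To make the split-knowledge practice above concrete, here is an added example (not code from the original post or from any vendor) of an all-or-nothing XOR split, in which every custodian's component is required to rebuild the key. The function names and the 12-hex-digit fingerprint are assumptions made for this illustration.

```python
import hashlib
import secrets
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split key into `custodians` components; all are needed to rebuild it."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    # The first n-1 components are fresh random bytes from the OS CSPRNG ...
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    # ... and the last one is the key XORed with all of them.
    components.append(reduce(_xor, components, key))
    return components


def combine_components(components: list[bytes]) -> bytes:
    """XOR every component together to recover the key."""
    if len(components) < 2:
        raise ValueError("need at least two components")
    return reduce(_xor, components)


def fingerprint(key: bytes) -> str:
    """Short check value for confirming a rebuild without displaying the key."""
    return hashlib.sha256(key).hexdigest()[:12]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample: a random 256-bit key
    expected = fingerprint(key)
    parts = split_key(key, 3)      # one component per custodian
    # All three custodians present: the rebuilt key matches the check value.
    print("all present:", fingerprint(combine_components(parts)) == expected)
    # One custodian absent: the result is unrelated to the key.
    print("one missing:", fingerprint(combine_components(parts[:2])) == expected)
```

Any subset short of all components is statistically independent of the key, which is what enforces the "all individuals present" rule; the recombination itself should happen inside the key store or HSM so the whole key is never shown to a custodian.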
Tags: Cloud Security, Cloud-based Integration, Data Encryption, Key Management


