Compliance regulations were developed to provide enterprises with a framework for keeping sensitive and confidential data secure. However, being truly secure and being compliant can be two very different things. Encryption key management is one crucial way to bridge this gap.
Just because an organization is compliant does not mean it is secure. The definition of being secure varies across organizations, industries, and threat profiles. Because of this, security and compliance have developed an unusual relationship. Since laws and regulations evolve more slowly than technology, compliance regimes don’t anticipate many new technologies. Many security leaders quote the “compliance is not security” cliché but eventually still rely on external mandates to unlock budgets or to decide which controls to implement.
Encryption Needs Good Key Management
Even though recent advances in technology have made encryption all-pervasive, enterprise key management remains a major challenge for many companies.
Encryption for effective security – that stops real threats – depends on solid key management. A company’s use of encryption may well be compliant with the mandates it needs to adhere to, while its key management still fails to withstand the threats from cyber criminals interested in the company’s data. Therefore, while regulations may not force a company to use key management to protect its data, the ever-growing threats might.
Cloud Key Management
The cloud has emerged as a new environment that needs to be secured and is also an enabler for new security mechanisms.
Today, it has become crucial for key management to scale with the cloud – availability, latency, and integration with cloud services are necessary to fulfil the potential of the cloud, but conventional appliance HSMs were not created for the cloud age. Moving from data-center appliance HSMs to cloud HSMs addresses these concerns, enabling security, compliance, and cloud agility.
The tools and methods that were traditionally used to complete a compliance assessment in an on-premises context may not translate directly to the cloud. Over time, new regulatory concerns may come up, and beyond compliance, the actual threats will also have shifted.
Despite the lag in the evolution of compliance frameworks, using the simplified key management capabilities available in the cloud to build key management governance can lead to enhanced security.
Here are some of the important points to keep in mind about encryption key management:
- Even though compliance may compel an enterprise to encrypt, threats compel it to adopt both encryption and key management. Enterprises should not focus only on the compliance mandates; they also need to focus on their threat assessment results when implementing key management and encryption.
- It is key management that makes encryption an effective control, not just for compliance but also for security. Encryption can deliver trust, but only if key management is done in a transparent manner and the keys are kept away from threat actors.
- When shifting to the cloud, enterprises must deploy controls that balance their security requirements and compliance demands while also achieving the cloud agility crucial for the business.
- Enterprises must use hardware-based encryption when it is strictly necessary because of a specific mandate or a specific threat assessment result. Likewise, they need to take control of the keys if the regulations or their threat profiles suggest that this is needed for higher trust.
- At the same time, enterprises must also assess whether the scalability and cost benefits of software-backed keys outweigh outdated requirements to use hardware-backed keys stored on a system they own and operate.