As the Government continues to migrate to the cloud, it becomes critical to integrate stronger security into its operations. Cloud and data security must go together. While cloud computing provides valuable IT architectures and solutions for government agencies, it also requires them to relinquish data security to public cloud service providers (CSPs).
Using the services of a cloud service provider does not guarantee separation of duties with respect to data storage, data encryption or key management, even though that separation is one of the bedrocks of true data security. The agency that owns the data has no way to know who has seen it in an unencrypted state or how many people have access to the encryption keys. In short, a government agency that relies on a CSP to encrypt its data and store and manage the keys has only the insight and control over its data security that the CSP lets it have.
And agency leadership is now responsible if their data is breached or otherwise compromised; assigning the data security task to a third party is no excuse. The Cloud Security Alliance (CSA) has developed a set of guidelines specifically for data owners such as Federal Agencies to highlight the need to define roles and responsibilities for both CSPs and data owners. Per these guidelines, the CSPs remain responsible for securing, managing and monitoring their environment and facilities. However, data owners also retain the responsibility to protect their data in the cloud.
The CSA suggests that the best way to protect data in the cloud is for data owners to encrypt data before handing it over to a CSP and to retain control of the encryption keys. Following these guidelines ensures that data security remains under the control of the agency that owns the data, rather than the external CSP, its employees, vendors, consultants, subcontractors or anyone else who can gain access via the CSP. This substantially reduces the agency’s risk exposure.
Effective key management is critical to controlling and maintaining data security, whether or not a data owner encrypts before data goes to the cloud. QuintessenceLabs eases this burden by harnessing true quantum random number generation to provide advanced key and policy management and encryption capabilities.
Sensitive data will always be at risk, whether stored in the cloud or on premises. FedRAMP decreases cloud security risks by ensuring that the CSP provides a baseline set of security functions, but it does not eliminate the risk. Implementing strong encryption and key management standards remains the responsibility of the Federal Agency that owns the data.
Latest posts by Marty Meehan