Who is Responsible for Encryption Keys?

The privacy and security of corporate data are under threat as never before. Businesses today face a growing variety of security threats and, as a result, an increasingly stringent data privacy movement.

It goes without saying that in today’s global market, businesses need to be able to communicate and share content freely and effectively with employees, customers and third parties. With the General Data Protection Regulation (GDPR) coming into force in May 2018, organizations must now consider a more robust approach to data privacy or risk potentially devastating fines.

Keeping data under control

The traditional approach to controlling data is simply to restrict its physical storage location: keep all information on premises and implement rules to prevent its distribution. The downside is that these controls prevent and frustrate the very business processes that could realize the value of the data in a connected world.

A more progressive business must also look beyond physical location, using new technologies to focus not on where encrypted data is stored, but on where the point of control over its encryption sits – otherwise known as its ‘logical’ location.

Keeping data on-premise, or within a specific region, gives data owners peace of mind and may help demonstrate a degree of regulatory compliance. The technological reality, however, is that control over the decryption keys, not where the data is stored, is what dictates who can see and use the information.

Gartner takes the view that the physical location of data will be increasingly irrelevant by 2020, and is set to be replaced by a combination of location criteria that take into account legal, political and logical concerns. Over time, the ‘logical’ location of the data becomes more significant, as regulators and content owners come to accept that the physical location of a sufficiently encrypted file is irrelevant – access to the keys is what counts.

The power of encryption – and controlling the ‘logical’ location

Those businesses that follow this train of thought are able to keep control of valuable content without preventing it from flowing beyond the boundaries of the organization. They shift their focus to managing and controlling the encryption keys that protect their content wherever it goes and implement processes to manage, distribute and revoke access to the keys.

Some organizations are embracing key management practices, also known as Customer Managed Keys (CMK), to retain control over their encryption keys and thus their data. By keeping exclusive control of the encryption keys, businesses can ensure their data remains secure and under their control, regardless of physical location. An intermediate service provider cannot decrypt the data if the owner chooses to disable its access to the keys.

Alongside CMK, Information Rights Management (IRM) technologies can also contribute to an organization’s ability to take control of the logical location of its content. An IRM-protected document can effectively ‘phone home’ to ask whether the person currently attempting to view or edit the content has permission to do so.

If the central service says no, the keys are not shared and the document remains useless. Permission can be granted and then revoked at will by taking control of the encryption – effectively enabling remote shredding of documents that need to be pulled back.

By attaching encryption control to files so that they can be shared, tracked, monitored and revoked as needed, IRM offers plug-in-free security that travels with the document wherever it goes. It makes it possible to revoke and monitor access, and to enforce a time limit after which it is no longer possible to view a document – even if it has already been downloaded or shared.
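The CMK and IRM mechanics described above (a customer-held master key that never leaves the owner's control, a per-document content key released only after a permission check, revocation and expiry that make already-downloaded copies unreadable) can be made concrete with a small model. The following Go program is an added example written for this page, not code from the article or from any CMK or IRM product; the names `KeyService`, `ProtectedDoc`, `Protect`, `GrantAccess`, `RevokeAccess`, `ReleaseKey` and `OpenDoc` are hypothetical, and the sample document text is constructed. It uses envelope encryption with AES-256-GCM from the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// ProtectedDoc is what travels with the recipient: ciphertext plus the content key wrapped
// under the customer-held master key. Copies are useless until the key service unwraps that key.
type ProtectedDoc struct {
	ID         string
	Ciphertext []byte // AES-256-GCM under the per-document content key
	WrappedKey []byte // that content key, AES-256-GCM under the master key
}

// KeyService is the hypothetical customer-controlled control point that a protected
// document "phones home" to. The master key never leaves it, so a provider holding
// only ProtectedDoc copies cannot decrypt them.
type KeyService struct {
	masterKey []byte
	expires   map[string]time.Time // docID + "/" + user -> end of that user's grant
}

// randomBytes returns n bytes from crypto/rand; an unusable entropy source is fatal here.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newAEAD panics on a bad key length; every key in this example is 32 random bytes.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal encrypts with AES-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	aead := newAEAD(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; a wrong key or a tampered ciphertext fails authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	aead := newAEAD(key)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func NewKeyService() *KeyService {
	return &KeyService{masterKey: randomBytes(32), expires: map[string]time.Time{}}
}

// Protect is envelope encryption: a fresh content key per document, itself wrapped
// under the master key. No user holds a grant for the new document yet.
func (ks *KeyService) Protect(id string, plaintext []byte) *ProtectedDoc {
	ck := randomBytes(32)
	return &ProtectedDoc{ID: id, Ciphertext: seal(ck, plaintext), WrappedKey: seal(ks.masterKey, ck)}
}

// GrantAccess lets user open document id from `from` until `from` plus ttl.
func (ks *KeyService) GrantAccess(id, user string, from time.Time, ttl time.Duration) {
	ks.expires[id+"/"+user] = from.Add(ttl)
}

// RevokeAccess is the "remote shred": copies the user already downloaded stay unreadable.
func (ks *KeyService) RevokeAccess(id, user string) { delete(ks.expires, id+"/"+user) }

// ReleaseKey is the phone-home check: the content key is unwrapped and returned only
// if the caller's grant exists and has not expired at time now.
func (ks *KeyService) ReleaseKey(doc *ProtectedDoc, user string, now time.Time) ([]byte, error) {
	exp, ok := ks.expires[doc.ID+"/"+user]
	if !ok || !now.Before(exp) {
		return nil, errors.New("access denied for " + user)
	}
	return unseal(ks.masterKey, doc.WrappedKey)
}

// OpenDoc is the viewer's side: obtain the content key, then decrypt locally.
func OpenDoc(ks *KeyService, doc *ProtectedDoc, user string, now time.Time) ([]byte, error) {
	ck, err := ks.ReleaseKey(doc, user, now)
	if err != nil {
		return nil, err
	}
	return unseal(ck, doc.Ciphertext)
}
```

A typical sequence is `ks.Protect(...)`, then `ks.GrantAccess(doc.ID, "alice", now, time.Hour)`, after which `OpenDoc` succeeds for Alice until the hour is up and fails for anyone else; `ks.RevokeAccess(doc.ID, "alice")` makes the copy Alice already holds undecryptable without touching the copy itself. The point of the design is that the ciphertext and the wrapped key can be stored and shared anywhere, but every read passes through the owner's key service, which is the ‘logical’ location the article describes.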

Taking ownership of encryption

When a business has decided to strengthen data security by using CMK to control the point of encryption instead of focusing on the storage location of encrypted data, the next challenge is to decide where in the organization that responsibility should lie. The CIO, a Chief Privacy Officer, the legal department: there are many potential options but who should take that responsibility?

The Chief Privacy Officer

Once the GDPR is in full force, there will be thousands more data privacy officers in Europe, tasked with protecting personally identifiable information as it moves within and beyond the organizational boundary. With these new roles set up to focus on privacy and the protection of data in general, they may become the right owners for key management processes and the control points to drive compliance.

With the ongoing industry-wide shift to cloud services, privacy officers will be well aware that the business depends on both a supply chain and customers which span the globe – covering a range of jurisdictions. Keeping control of the point of encryption can ensure compliance with the most stringent data privacy regulations around the world, as well as making sure the organization is well placed for future shifts in the regulatory landscape.

The IT department

Whether the central IT department remains in control of IT systems or manages services provided by other companies, IT may well become the most capable home for key management. As cloud service use expands across the enterprise, CMK offers an opportunity for the IT department to remain firmly in control even when core services are being delivered externally.

The legal team

The legal aspect of the increasingly stringent data privacy landscape might persuade companies either to place their own legal department in charge of key management or to outsource it to a law firm. In this arrangement, the law firm might play the role of data protection adviser, providing a service of managing keys on behalf of multiple clients. Any external enforcement agency requesting access to content could then be redirected to the external law firm to make its case for access to the keys.

So who should be responsible for customer-managed encryption keys?

There is no one-size-fits-all approach to managing encryption across a large organization. Many factors may influence the right ownership model, depending on the sector, size and scale of the organization.

One line of reasoning is that whoever currently holds ultimate responsibility for data in the organization should also take control of the keys which encrypt that data. Rather than focusing too closely on where data is stored, emphasis should move to aligning responsibility for the data with responsibility for the keys. Both CMK and IRM technologies offer an opportunity to ensure those with responsibility for corporate data have the closest control possible.

Faced with both a rapidly evolving threat landscape and onerous regulatory overheads, businesses should be looking for the most secure, efficient method of controlling data without limiting productivity. CMK and IRM are powerful technologies that can be deployed by those businesses preparing for whatever future regulations may hold.
