Who owns your company’s encryption keys?


It’s a fact of life that most people ignore the small print in any documents they receive. Usually it’s simply the instructions to the latest household gadget, but the tendency can cause major issues when it comes to important documents like a mortgage application.

Unfortunately, this habit is also all too common in the business world, where it can have much greater consequences, especially when data, privacy and security are involved. Smaller organisations often lack the time or expertise to scrutinise every clause of the terms of service they agree to.

One of the most common examples of terms and conditions being overlooked is signing up with a new third-party provider, especially now that a cloud-based service exists for almost every business need.

However, with both the frequency and the potential impact of data breaches increasing, many companies are leaving themselves exposed by skipping the fine print.


When using the cloud to allow seamless collaboration, most businesses have little idea that many cloud providers retain the technical ability to access the data they host.

Most businesses assume that if their files are encrypted they are in full control of their own data. With some third-party cloud services, however, the provider that has custody of the data also holds the keys that decrypt it, and so is perfectly capable of reading it.

While most cloud hosts are perfectly trustworthy, third parties with privileged access are one of the greatest potential sources of insider data theft.

Another area of concern for many firms is that, if compelled by an external mandate, such as a warrant from an intelligence or law-enforcement agency, a third-party host would be able to hand over all of an organisation's data without that organisation's knowledge or consent.

With the UK’s Investigatory Powers Act now in force, there will be increasing pressure for providers to give up access to the data they store and manage on behalf of others – potentially without the organisation being aware.

The Act has also introduced what it calls a "double lock" for interception warrants: following authorisation by the Secretary of State, the warrant must also be approved by a Judicial Commissioner (a serving or former senior judge). Whether the owner of the data is ever notified is far less clear.

Keys to the kingdom

Particularly in the current heightened atmosphere of cyber threats, enterprises rely on several "flavours" of encryption to ensure that information is accessed only by those who should have access to it.

When thinking about data encryption, companies must ensure that they alone hold the keys that decrypt their data. Encryption performed by the provider with keys the provider holds protects against a stolen disk, not against the provider itself or anyone who compels it; only when the data is encrypted before it leaves the organisation, with keys that never reach the provider, can the company be sure that no other entity can read its data without permission.

This is a problem particularly for small and medium-sized enterprises, which may lack the IT expertise to understand how data should be handled in terms of retention and disposal, let alone encryption and key management.

Also, most companies would find it very difficult to accurately identify and protect everything on their systems. To ensure that the files that matter are secured, organisations should also use data classification.


Classifying data upstream, at the point it is created or received, lets companies reason about the subset of data that contains intellectual property and personally identifiable information. Data classification software can automate this by assigning the appropriate classification from a variety of identifying factors, such as the presence of personal identifiers or confidential markings in the content.

The "flavour" of encryption applied to the data is then driven by its classification, so that wherever sensitive data travels it carries file-level encryption and/or digital rights management, which lets the enterprise administer access rights to the file itself, independently of where it resides.
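The two ideas above, keys that only the organisation holds and classification deciding which protection a file gets, fit together in a few dozen lines. The following is an added example written for this page, not code from the article or from Watchful Software. It assumes two classification levels (Public and Confidential), two constructed identifying factors (an e-mail address and an approximate UK National Insurance number), and AES-256-GCM from the Go standard library for the file-level encryption; the payroll line is a constructed sample. A Confidential file is encrypted before upload with a key the organisation generated itself, so what the provider stores (`StoredObject`) cannot be opened by the provider or by anyone who compels it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// Two classification levels assumed for this example (the article names none).
const Public, Confidential = "Public", "Confidential"

// Constructed identifying factors; a real classifier uses many more, same shape.
var sensitive = []*regexp.Regexp{
	regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), // e-mail address
	regexp.MustCompile(`\b[A-Z]{2}[0-9]{6}[A-D]\b`),                     // approximate UK NI number
}

func Classify(content []byte) string {
	for _, re := range sensitive {
		if re.Match(content) {
			return Confidential
		}
	}
	return Public
}

// NewKey makes a random AES-256 key. The organisation's key is generated like
// this and then kept in its own HSM or key manager, never at the provider.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag under AES-256-GCM with a fresh nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the wrong key or any tampering fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// StoredObject is everything the cloud provider gets to hold.
type StoredObject struct {
	Class string
	Body  []byte // plaintext if Public, AES-GCM ciphertext if Confidential
}

// Protect applies the encryption flavour the classification demands: Public is
// stored as-is, Confidential is encrypted before upload with the organisation's key.
func Protect(orgKey, content []byte) (StoredObject, error) {
	class := Classify(content)
	if class == Public {
		return StoredObject{Class: class, Body: content}, nil
	}
	body, err := seal(orgKey, content)
	return StoredObject{Class: class, Body: body}, err
}

// Recover needs the organisation's key; without it there is only ciphertext.
func Recover(orgKey []byte, obj StoredObject) ([]byte, error) {
	if obj.Class == Public {
		return obj.Body, nil
	}
	return open(orgKey, obj.Body)
}

func main() {
	orgKey, _ := NewKey()
	obj, _ := Protect(orgKey, []byte("Payroll: NI AB123456C, alice@example.com")) // constructed sample
	_, err := Recover(make([]byte, 32), obj)                                     // the provider's view: no key
	fmt.Printf("%s, %d bytes at provider; without the key: %v\n", obj.Class, len(obj.Body), err)
}
```

The design choice worth noting is where the key lives: `NewKey` runs on the organisation's side and `orgKey` is never part of `StoredObject`, so a request served by the provider, voluntary or compelled, yields ciphertext and an authentication failure rather than payroll data. In production the single key would be a key-encryption key in an HSM wrapping a per-file data key, but the custody question is the same.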

Proofing against regulations

Classification driving encryption is also the strongest line of defence when it comes to complying with new regulations such as the General Data Protection Regulation. An organisation that controls how its data is accessed retains that control regardless of where the data is stored and managed. Many organisations are not aware that, as the data controller, they remain responsible for the secure storage of sensitive information even when it is held by a third party.

All organisations need to ensure that the files they own are classified and encrypted so that only those with permission can access them. Now more than ever, no company can afford to ignore the small print when it comes to data storage and security. Doing so may make all the difference in keeping its data safe.


Sourced from Rui Biscaia, director of product management, Watchful Software
