Who should be responsible for a company’s encryption keys?

In the global market, businesses need to be able to communicate and share information freely and effectively with customers, employees and third-parties, yet regulations concerning data privacy are becoming ever more stringent.

Indeed, with the EU General Data Protection Regulation (GDPR) set to be enforced in just over a year’s time, it’s important that organisations consider a more robust approach to ensuring data privacy, or else risk being awarded potentially catastrophic fines.

Looking beyond the physical

Traditionally, businesses tend to control data by simply restricting its physical storage location; keeping all information on premise, and implementing policies to prevent it from being distributed.

>See also: Network security doesn’t just begin and end with encryption

More progressive businesses might also use new technologies to look beyond the physical location of encrypted data to the location of the point of control of encryption – its ‘logical’ location.

While keeping data on-premise can offer data owners peace of mind, and may help the business achieve a level of regulatory compliance, it is control over decryption keys that dictates who can see and use the information, rather than where it’s held.

Over time, as regulators and content owners come to accept this, the logical location of the data will become more significant, and the physical location(s) of an encrypted file will become increasingly irrelevant.

Taking control of the logical

By adopting this mindset, businesses will be able to keep control of valuable content even when it flows beyond the boundaries of their organisation. A shift of focus will allow them to manage and control the encryption keys that protect the content wherever it goes, implementing processes to manage, distribute and revoke access to the keys.

Some organisations are adopting key management practices, or customer managed keys (CMK), as a means of retaining control over their encryption keys and, in turn, their corporate information.

CMKs allow businesses to keep exclusive control of the encryption, ensuring that their data remains secure and under their control, regardless of where it’s located. For example, should the owner choose to disable access to the keys, it would become impossible for a third party service provider to decrypt the information.

>See also: Will WhatsApp trigger an encryption revolution?

And in addition to using CMKs, organisations are also able to take control of the logical location of their content by employing information rights management (IRM) technologies. By attaching encryption control to files so that they can be shared, tracked, monitored and revoked as needed, IRM offers plug-in-free security which travels with the document wherever it goes.

With IRM in place, a document can effectively ‘phone home’ to a central service and ask whether the person currently attempting to view or edit the content has permission to do so. If they don’t, then the keys won’t be shared, rendering the document useless.

By taking control of the encryption, IRM enables permission to be granted and revoked at will, effectively ‘shredding’ remote documents that need to be pulled back. It makes it possible to revoke and monitor access, as well as enforcing a time limit after which it’s impossible to view a document – even if it’s already been shared or downloaded.

A question of responsibility

Having decided to strengthen the security of its information by using CMK to control the point of encryption rather than focusing on the storage location of encrypted data, a business must then decide whether the responsibility for this should lie with its CIO, its legal department, or one of the new breed of data privacy officers.

The implementation of the GDPR is likely to lead to the creation of thousands of new data privacy officers in businesses across Europe, each tasked with protecting sensitive personal information as it moves within and outside of the organisational firewall. With this remit, they may become the appropriate owners for key management processes.

By retaining control over the point of encryption, data privacy officers can ensure compliance with the most stringent data privacy regulations, as well as making sure that their business is well positioned for any future shifts in the regulatory landscape.

However, as the use of cloud services continues to expand across the enterprise, CMK also offers an opportunity for the IT department to remain in control, even when core services are being delivered by external providers.

>See also: Encryption – what does it mean?

So, whether the central IT department remains in control of an organisation’s IT systems or it manages services provided by external companies, it may well become the place most capable of key management.

Otherwise, the legal aspect of the increasingly strict data privacy landscape may persuade companies to place their own legal department in charge of key management.

Alternatively, it may be outsourced to a law firm which might play the role of data protection adviser, providing a service of managing keys on behalf of a number of different clients, and handling any requests from external enforcement agencies requiring access to content.

Control and efficiency

The responsibility for managing encryption within a business can be influenced by a number of factors such as the organisation’s size, sector or scale; there is no one-size-fits-all approach.

It can be argued that whoever holds the ultimate responsibility for an organisation’s data should also take control of the keys which encrypt that data. In these cases, both CMK and IRM technologies offer the closest possible control to those who hold that responsibility.

Businesses faced with the combination of a rapidly evolving threat landscape and onerous regulatory overheads should employ the most secure and efficient method of controlling data without limiting productivity.

CMK and IRM are two such technologies that offer just this level of control and efficiency, while allowing businesses to prepare for whatever future regulations may ask of them.


Sourced by Richard Anstey, CTO EMEA, Intralinks

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...