Encryption Done Right – Why Segregation of Duties Matters

*Danny flies off with the dragons to scout the enemy line-up*
Jon- Do you think that was a good idea?
Tyrion – Put our two remaining dragons on a scouting task? Not sure!
Jon – But they’re dragons, they are invincible right?
*Dragon plops into the sea with a big splash*

When it comes to protecting their crown jewels, many businesses tend to view their cloud services like the proverbial dragon – indestructible. IT administrators may mirror Danny’s lack of judgement at times, when they underestimate the power of a cyber-attack or fail to have a backup strategy.

Irrespective of size or industry, cloud adoption is becoming commonplace. Companies are investing more into cloud-based services than they did in 2011. Companies could be spending upwards of $277B by 2021 says IDC after recent research. Reportedly, 86% of companies spend at least part of their IT budget on cloud services.[1] With the increase in adoption, the question about data security in the cloud is a question we find ourselves answering often.  The daily estimate of the bytes collected by Data Controllers (read Businesses) the world overruns into more zeros than one can count. With regulations like GDPR putting Data Controllers on the hot-seat[2], the price to pay for data breaches or losses has become dearer.  The regulatory penalties aside, the negative PR fallout makes companies wary of going all-out on cloud adoption.

Some argue the cloud is perfectly secure – perhaps more so than several on-premise data rooms that businesses maintain.  And they do have a point.  A subtlety that is lost here, and is seldom brought out, is the fact that what makes businesses uncomfortable about the cloud is not so much Security, as it is Privacy.  Privacy and security may have some things in common but are actually quite different concepts.  Security can best be thought of as a form of defense.  Privacy is more about control and the freedom to make decisions about what one wants to reveal.

Privacy and Security

One common argument that a lot of privacy advocates encounter is that privacy matters only to people who are secretive or have something to hide.  In fact, Google’s then CEO Eric Schmidt infamously once said: “if you have something that you don’t want anybody to know, then you shouldn’t be doing it in the first place”.  But this is a flawed argument because it confuses privacy with secrecy.  The basic human need for privacy isn’t born out of a need to keep a secret, so much as the need to control what information we desire to share and with whom.  For example, when we go into a bathroom, we close the door for privacy – not for secrecy.

There are a few reasons why privacy matters in the digital age where enterprises are increasingly storing data in the cloud.  For one, what may seem like disconnected pieces of information can be pieced together to know things about businesses that they didn’t intend to share in the first place.  Secondly, what one may consider okay to share today, may not be something they consider OKAY to share down the road – but once data is in the cloud, the lack of control makes it virtually impossible to go back and change your mind.

Security gets a lot of attention, but Privacy is seldom discussed and is many times an afterthought.  Interestingly encryption is still the enabling technology to achieve both – which makes this all the more confusing for the typical IT manager.  Most vendors offer to encrypt data – and they do. While encryption by itself makes the data secure, unless the Data Controller/Business has sole control over the encryption keys, it’s not really private.  And therein lies the Achilles heel to most cloud-based storage offerings.

Separation of Duties (Segregation of Duties)

In the physical world, as a society, we have surmounted this problem already.  The best analogy is a safe deposit box one rents in a bank.  One may use the bank’s premises to keep valuable belongings – just like one may use the cloud to store valuable business data.  But when one rents a safe deposit box, they also have the option to lock it and bring a key back with them – thus preventing unauthorized access.   This simple concept is called a Separation of Duties or a Segregation of Duties (SoD). It is a risk management and security measure that ensures no two parties can perform the same part of a critical process or function. When one pairs SoD with encryption, data is not only secured, it also becomes protected and private.

A good service provider must be able to put segregation of duties into action and create a digital vault that is not only secure but also private. One that really walks the talk when it comes to the privacy of your data. It should be a solution that offers you full control over the encryption process, the encryption keys, and audits, all accesses.

When looking for a credible service for cloud security, ask the hard questions.  It is your data after all!

[1]                      Cloud Security Alliance

[2]                      Person/company collecting the data