Don't Let 'Spooks' Get Your Cloud Data
Lesson from National Cyber Security Awareness Month: Keys are the key, and keep it simple.
This is the 10th anniversary of the Department of Homeland Security's National Cyber Security Awareness Month. Is it coincidence, or did DHS choose October on purpose? I ask because security has certainly gotten scary lately. Whether it's attackers stealing Adobe's customer data in a series of sophisticated assaults or the NSA gaining access to cloud data, it seems each day we're reminded that protecting our information and privacy from cyber threats demands constant vigilance. While security is a complex system, like most everything else in life, if you can keep it simple, it's easier to manage.
With the current slate of headlines putting the spotlight on cloud data security, two prominent organizations in that sphere recently issued updated best practices for protection of data stored and processed in third-party clouds. The common link: encryption.
In both the Cloud Security Alliance's updated Cloud Controls Matrix and the National Institute of Standards and Technology (NIST) September Interagency Report, encryption key management, in particular, features prominently:
"Strong encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider." -- CSA CCM v3, Encryption & Key Management
"...in all architectural solutions where cryptographic keys are stored in the cloud, there is a limit to the degree of security assurance that the cloud Consumer can expect to get, due to the fact that the logical and physical organization of the storage resources are entirely under the control of the cloud Provider." -- NIST Interagency or Internal Report 7956 (September 2013)
Read full story on InformationWeek