Is Encryption Enough? A CISO Perspective

At UKCloud we encourage an open dialogue with our existing customers, our potential new customers and our internal colleagues. And as our CISO, I have an open-door policy on all things security, whether that’s incidents, risks, or answering the many questions I receive each day.

Since the publication of the statement from the UK Government’s Department for Digital, Culture, Media and Sport (DCMS), in which new measures to enhance the security of digital supply chains and third-party IT services are under consideration, there has been an abundance of questions.

Encryption has become a very hot topic, so here’s a run-down of the most frequently asked questions.

 

Q: Should I bother encrypting my development and test environments?

A: An interesting question with a simple answer - yes. Consider that many organisations simply move their developed software/applications/fixes through their route-to-live into their test environment. Then, once the test cycles are complete, they go through to acceptance, pre-production, and production. Usually, the pre-production phase is when organisations begin to think about encryption, and what they should encrypt. It is also at this stage that they begin to understand, and feel, the impact that encryption can have on the performance of their software/applications/fixes. It’s for this reason that encryption should be considered at the early stages of the lifecycle.

Q: My current cloud provider tells me my data is encrypted and secure in their many data centres across the globe, and although I don’t know where my data physically is, they’ve told me not to worry. Should I be worried?

A: This is a common concern. Here at UKCloud our customers can rest assured that no data (customer and internal) ever leaves our shores. We are a UK sovereign cloud provider and can guarantee your data is either stored in the Ark data centre in Farnborough, or the Ark data centre in Corsham. For those customers who require their applications to operate in active-active mode, the data will reside in both data centres.

However, some organisations do not consider the importance of where their encrypted data resides, or who has access to it…

Consider the following scenario: A potential customer has been using a video interviewing platform, on which a candidate must show a form of identification to their computer’s camera. That identification, along with the candidate’s answers to pre-recorded questions, is encrypted and stored somewhere in Southeast Asia. Further, the staff from the video interviewing platform are not security cleared.

With identity theft in mind, I would ask if potential candidates knew their data was being held overseas? I would then ask what the company’s legal position would be if identity theft occurred due to data being held in Southeast Asia? What is the company’s position about using non-security vetted staff? And who has access to the encryption keys used to encrypt the data?

This scenario shows the importance of knowing your legal position should customer data that is in your care leak from your organisation. Not only that, but it also stresses the importance of understanding who can access your encrypted data, who has access to the encryption keys, and where the keys are stored.

Q: I have sensitive data that I wish to extract from my data warehouse and interrogate. I will encrypt that data, transfer to the staging area, and interrogate using ‘R’. My data is encrypted in transit and at rest. Am I protected by using these measures?

A: Not exactly. Your financial data will remain encrypted whilst it is in transit, and again whilst at rest, but it will not be encrypted whilst you perform operations on the data. You need to be extra careful during these operational times as your data is potentially vulnerable.

 

Q: Do I need to be concerned about the GDPR views on data encryption in a post-Brexit world?

A: UKCloud adheres to the NCSC Cloud Security Principles, of which data encryption, both at rest and in transit, plays a major part. But we also consider the practice of encrypting data as part of our commitment to ‘do the right thing’; namely, why wouldn’t our customers encrypt their data?

When data is stolen, if the data is encrypted and the encryption keys are uncompromised, the data itself is useless to the criminal.

In answering the question specifically, GDPR explicitly mentions encryption in several articles as one of the security and personal data protection measures. Though encryption is not mandated by GDPR, we follow its best practice and strongly advise organisations to do so.

Q: Should I encrypt all of my data?

A: An ‘encrypt all’ policy is certainly not a bad approach. However, those organisations who have vast amounts of data will often have an abundance of duplicate data which doesn’t warrant encryption. Some cloud providers charge for encryption as an additional cost; as such, a blanket ‘encrypt all’ policy can really hit an organisation’s OPEX budget.

Here at UKCloud, we advise our customers to classify their data, to ascertain what is important to them as an organisation. This means identifying the data they must protect to meet data sovereignty, data residency, and regulatory requirements, and the data they can consider as ‘noise’.

 

Q: Now I have encrypted my data, can I sit back and relax?

A: Definitely not! Encryption requires a constant understanding of the management of the encryption keys, and where they are stored.

Some organisations leave the keys to their current cloud provider, perhaps if they are a start-up and/or are too busy to worry about key management. Unfortunately, it is a simple fact that there are a vast number of companies who fall short when it comes to the important task of key management.

At UKCloud we never take ownership of a customer’s encryption keys; instead, we seek to advise where and how to store the keys. Organisations should keep them far away from the encrypted data, rotate them on a regular basis, and use strong policies to enforce key access. After all, you wouldn’t leave your house keys on display when leaving your house before going away on a holiday.

Q: Some of the data I hold is considered sensitive. Is encryption enough for these use cases and should I worry about data sovereignty?

A: This topic is something all organisations should consider, regardless of whether the data is considered sensitive or not. It’s important for organisations to consider both data encryption and data sovereignty.

Crucially, organisations should consider data as multiple data sets, encrypting each data set as required with its own key, and maintain those keys external to the service that is storing the data.

When encrypting data as a security control, there are three things to consider:

  1. The encryption technology being used – it should be of a good standard.
  2. The management of the encryption keys.
  3. Who has access to the encryption keys and safeguarding against malicious access to the keys.
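As an added illustration (not UKCloud tooling and not code from the original article), the key-management points above, one key per data set, keys held away from the data, regular rotation and restricted key access, can be checked against a key inventory. The inventory, the 90-day rotation limit, the two-user access limit and every name in it are assumptions constructed for this sketch.

```python
from collections import Counter
from datetime import date

# Constructed inventory: every name, location and date below is hypothetical.
INVENTORY = [
    {"dataset": "hr-records", "key_id": "k-hr", "data_store": "storage-a",
     "key_store": "hsm-1", "key_region": "UK", "rotated": date(2024, 5, 1),
     "key_users": {"hr-app"}},
    {"dataset": "payroll", "key_id": "k-fin", "data_store": "storage-a",
     "key_store": "storage-a", "key_region": "UK", "rotated": date(2023, 1, 10),
     "key_users": {"payroll-app", "dba-team", "contractor-x"}},
    {"dataset": "invoices", "key_id": "k-fin", "data_store": "storage-b",
     "key_store": "hsm-2", "key_region": "EU", "rotated": date(2024, 4, 20),
     "key_users": {"billing-app"}},
]

def audit_keys(inventory, today, max_age_days=90,
               allowed_regions=("UK",), max_users=2):
    """Return sorted (dataset, finding) pairs for the key-management checks.

    The thresholds are assumptions; set them from your own key policy.
    """
    key_use = Counter(e["key_id"] for e in inventory)
    findings = []
    for e in inventory:
        name = e["dataset"]
        if key_use[e["key_id"]] > 1:            # each data set needs its own key
            findings.append((name, "shared-key"))
        if e["key_store"] == e["data_store"]:   # key kept beside the data it protects
            findings.append((name, "key-stored-with-data"))
        if (today - e["rotated"]).days > max_age_days:
            findings.append((name, "rotation-overdue"))
        if e["key_region"] not in allowed_regions:  # where the keys are stored
            findings.append((name, "key-outside-jurisdiction"))
        if len(e["key_users"]) > max_users:     # who has access to the keys
            findings.append((name, "broad-key-access"))
    return sorted(findings)

if __name__ == "__main__":
    for dataset, finding in audit_keys(INVENTORY, today=date(2024, 6, 1)):
        print(f"{dataset}: {finding}")
```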

But we also have to understand the data itself, where the data resides, and under which jurisdiction the data should be governed.

Data residency relates to the geographical location where the data is stored. So, for UKCloud, we can unreservedly guarantee that all customer data resides in the UK.

Data sovereignty relates to the laws of the country where the data resides. So again, for UKCloud, data held in our data centres conforms to the UK’s laws, i.e. the data is bound to the laws of the sovereign state, in this case the UK.

With some SaaS providers and cloud hyper-scalers, data will often cross international boundaries as it travels through their data centres; this means the data is subject to the laws of each country it passes through. It is really important to note that when a cloud hyper-scaler states they have a presence in the UK, they also have a number of ‘global services’ that are not in the UK. And, when those global services are used, the data produced may not be in the UK.
