When you store your valuable items in a safe deposit box, do you leave your key to that box with the bank? Of course not. Although you might trust your banker, you keep control of that key. Otherwise, if it fell into the wrong hands, you might lose your valuables.
The same principle applies to your encrypted data, files, and applications. Storing your encrypted data and encryption keys in the same location is not a good idea. What if a cybercriminal or a dishonest employee breached the server where your data and key were stored?
In spite of this very real possibility, cloud service providers (CSPs) routinely keep the encryption key, the secret that unlocks the masked data, on the same servers that hold the encrypted information.
Perhaps the CSP needs the key to manage your files. Or maybe the encryption method it uses requires encryption keys to be stored on the same operating system as their associated data. Whatever the rationale, CSPs usually want control over the encryption keys to the data on their servers.
What could go wrong? Plenty. In 2019, a former Amazon Web Services (AWS) employee downloaded some 100 million Capital One credit card customer records stored on AWS. She accessed the records using encryption keys she found on the AWS server.
If the keys had been kept elsewhere, chances are that the former employee wouldn’t have gotten hold of them. And if Capital One had encrypted the data at the application layer and kept those encryption keys in a separate location, the hacker might still have been able to see the files, but she couldn’t have read them.
The recent SolarWinds attack on corporate and U.S. government systems also resulted in the theft of encryption keys from at least one federal agency. Again, those keys were stored on the same servers as the information they protected.
Divide and conquer: Split knowledge
Knowledge is power, goes the saying — and giving anyone too much of either can be bad for business. When storing sensitive data in any environment — public cloud, private cloud, on-premises data center — encrypting the data is essential, both while it is in transit and while it is at rest.
The CSP will often require you to provide it with a copy of the data-at-rest encryption key, and you have no control over where it stores that key. That’s why it’s important to encrypt the data (and, if you wish, the metadata) at the application layer and to safeguard the key needed to decrypt it yourself. “Split knowledge” — keeping the encrypted data apart from the key that decrypts it — is crucial for security as well as for compliance with data privacy laws.
When choosing an encryption service, look for one that provides you with one domain for data storage and another for the encryption keys. That way, even an unauthorized operator or administrator who has access to the keys will not have access to the data, and vice versa. Split knowledge protects your information not only from bad actors on the outside, but from those within your organization, as well.
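The two-domain arrangement described above, as an added illustration in Go (not code from the original post or from any vendor's product): the application encrypts each record under a fresh data key, wraps that data key under a key-encryption key that stays in the key domain (assumed here to be a KMS or HSM the CSP cannot read), and hands the storage domain only the ciphertext and the wrapped key. The names `StoredObject`, `Encrypt`, `Decrypt` and `RandomBytes` are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredObject is all the storage domain (the CSP) ever holds: ciphertext plus a per-object
// data key (DEK) wrapped under a key-encryption key (KEK) the CSP never receives.
type StoredObject struct{ Ciphertext, WrappedDEK []byte }
// RandomBytes draws keys and nonces from the OS CSPRNG; a failing CSPRNG is fatal here.
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
// gcm builds AES-256-GCM; every key in this example is 32 bytes, so failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block)
	return g
}
// seal returns nonce||ciphertext||tag; open reverses it and rejects any tampering.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := RandomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Encrypt runs at the application layer; kek belongs to the key domain (assumed: a KMS or
// HSM) and only ever wraps the fresh per-object DEK, so storage never gets a usable key.
func Encrypt(kek, plaintext []byte) StoredObject {
	dek := RandomBytes(32)
	return StoredObject{Ciphertext: seal(dek, plaintext), WrappedDEK: seal(kek, dek)}
}

// Decrypt needs both domains: the object from storage and the key domain's kek.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, obj.Ciphertext)
}
```

Whoever holds only the storage domain cannot unwrap the data key, and whoever holds only the key domain has no ciphertext to decrypt; a record is readable only when the two are combined, which is the split-knowledge property the text asks you to look for.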