Encryption in the Cloud: the CNIL makes a big security point


Last year Thales published a study reporting a 26% year-on-year increase in the transfer of data stored in the cloud. Above all, 75% of companies declared that more than 40% of the data they stored in the cloud was sensitive. Yet only 45% of this data was encrypted.

To respond to this most pressing issue, a very well-assembled practical sheet on “Encryption practices in public cloud computing” has been published today by the CNIL.

The Commission states that encryption remains today “one of the most effective mechanisms for protecting data confidentiality”. But that effectiveness rests on the sound management and protection of cryptographic keys.

The cloud is a game changer for encryption

This exercise is all the more complex given the increasingly significant use of cloud computing in businesses: entrusting data to third-party providers, in storage, compute and network environments outside the direct control of customers, changes the situation.

This approach “reinforces the interest in using encryption”, the CNIL notes, in a context of protection “not only against malicious third parties but also from the suppliers themselves”.

The document therefore details the different possible approaches in this area. Above all, it makes it possible to put the promises of suppliers into perspective and to measure the level of competence needed internally in the IT department, or to be sought from IT services companies (ESNs), to guarantee an adequate level of security.

3 key points to explore

From this point of view, the CNIL emphasizes three key points:

  • Depending on the state of the data (at rest, in transit, in processing), different approaches are possible either on the server side or on the client side.
  • Some encryption techniques can be complex to implement: it is therefore important to know the different approaches to apply the one that will be most suitable for data processing.
  • Finally, end-to-end encryption is not applicable in all situations, but constitutes the most protective solution for privacy.

A final piece of advice: faced with encryption techniques in the cloud that are “for the moment, limited to basic functions”, the CNIL recommends “ensuring that the (cloud) provider cannot have access to the processed data in plain text or to the cryptographic keys, nor (to know what) operations have been carried out on this data”.


