Any defence mechanism is only as strong as its weakest link. That’s why cryptographic key management is becoming a significant issue for enterprises. Key management is akin to holding the combination to a safe. But it affords no protection if the key (combination) becomes compromised, for example if a malicious actor gains access to it or is able to break the code.

As organisations store increasing volumes of data – at least some of which is likely to be sensitive information such as personal details of employees or customer – there is an ever-growing need for tighter key management throughout the entire lifecycle of the keys.

Encryption strength is key

The US National Institute of Standards and Technology (NIST) sets out guidelines for key management, stating in its Special Publication 800-57: “Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of the mechanisms and protocols associated with the keys, and the protection afforded the keys… All keys need to be protected against unauthorized substitution and modification. Secret and private keys need to be protected against unauthorized disclosure^[1].”

Furthermore, according to a 2019 study by Thales and the Ponemon Institute, which asked

3,300 IT and security leaders from eight countries about the state of cloud security and key management, 48 per cent of all corporate data is held in the cloud. Of those, only 49 per cent are using encryption for sensitive data stored in the cloud, while just 30 per cent had a unified approach for securing access to both cloud and on-premise applications^[2].

Storing data in the cloud, however, demands multiple questions:

• Where is the data stored?
• Who can access the data?
• What is the best way to secure the data?

Who controls the keys?

Encryption is the best way to secure data, but that then begs the question: “Who holds the encryption keys?” By default, many cloud providers generate encryption keys for their customers and manage the keys throughout their lifecycle. However, for some organisations, such as those in the financial sector may need to maintain their own encryption keys in order to comply with their own internal security processes.

This has led to the introduction of several alternative approaches. For example, Bring Your Own Key (BYOK) allows organisations to create their own encryption keys that are then handed to the cloud service provider – keys remain encrypted to the provider and so cannot be seen. However, this still requires handing over control of the encrypted data, which may be sensitive, to the service provider, and still might not meet internal security procedures.

Touch supports HYOK and other encryption models

Better still is the Hold Your Own Key (HYOK) method, which allows organisations to keep full control over the generation and management of their own encryption keys. All data is fully encrypted before being sent to the storage facilities and is only decrypted only once it is back on-premise. It means that encryption keys, and therefore sensitive data, are always encrypted, making HYOK perfect for organisations that need to adhere to strict security policies.

That’s why Touch now has included HYOK encryption as an optional addition to our already secure key vault model. Contact us today to discuss your own specific secure call recording requirements.

^[1] https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf

^[2] https://cpl.thalesgroup.com/resources/cloud-security/2019/thales-global-cloud-security-study-white-paper