The legal expert group of the authority cooperation eSAM has stated that it is not possible to use US cloud services for sensitive data without risking their disclosure, unless the encryption is strong enough.
This summarizes their conclusion that confidential data should not be processed when using cloud services. There are many layers of concern for sensitive data in public cloud services, and all data should not be processed regardless of the level of protection and regulatory requirements.
The problem has not been to encrypt sensitive information, but rather that the key to the information, is stored within the same cloud service. This allows the cloud provider, AWS in this case, to theoretically gain access to both the key and the data, which could lead to unauthorized access.
There are now technical solutions for AWS customers to protect sensitive data through strong encryption, where the customer owns and controls the key to the data. The key can be stored locally in Sweden and the customer has full control over who can use it, how long it can be used and whether it should be locked or unlocked, which can easily be configured with a few button presses.
However, this type of technical solution shifts the responsibility model, where the customer is now responsible for creating and protecting their private key in a safe and reliable way.
Some basic principles still apply here for how to create and manage keys to your data.
Those are,
- Using reliable randomization algorithms to generate unique keys
- Keep the keys safe and protect them from unauthorized access
- Use an appropriate encryption algorithm to protect data and regularly rotate the crypto keys to reduce the risk of compromise.
It is also important to use appropriate methods to distribute the rights to the crypto keys to authorized users and to have a disaster recovery plan, to be able to recover lost or damaged crypto keys.
It requires significant effort to maintain such a technical environment, train and retain competent personnel, and perform system maintenance and upgrades. This is costly and complex for many organizations.
Complior offers a turnkey service that ensures the installation, operation and updating of the system, with strong protection that meets regulatory standards. The service is delivered from a data center in Stockholm and is maintained daily by personnel who have undergone security checks with the Swedish security police and who are certified in the products that the service contains. This enables cost efficiency and reduces the administrative burden for organizations, while maintaining high security standards.
We make it easier for organizations to quickly get started with protecting and, above all, having full control over their data in AWS, where we help through the entire process from start to protection.
Advantages::
- Move critical workloads to cloud services
- Maintain supreme control over sensitive data
- Gain strong key control and security
AWS External Key Store (XKS) ) allows you to protect your AWS resources with cryptographic keys stored outside of AWS. This solution is designed to protect your workflows and data with encryption keys stored outside of AWS under your control.
AWS External Key Store (XKS) is a custom service that supports connecting to an external key manager that you own and manage outside of AWS. Your key manager can be a physical (HSM) or a key service (KMS).
Read more about KMS as a service here: KMS Service – Complior – Protect Your Data
When using a KMS key that is under your control, encryption and decryption operations are performed by your KMS using your own cryptographic key material. This is called “hold your own keys” (HYOK).
HYOK, read more here: BYOK – “Bring Your Own Key”.
AWS does not communicate directly with your external key manager KMS, and has no ability to create, view, manage or delete your keys. Instead, AWS uses an external proxy (XKS proxy) that you provide to communicate with your external key manager. This gives you full control over your keys and your private data. You can close the key at any time and thus block all access to the data.
Read more about KMS for AWS XKS
