It’s important that businesses in today’s global market are able to freely and effectively communicate and share information with customers, employees and third parties, but regulations around data privacy are becoming ever more rigorous. With the EU General Data Protection Regulation (GDPR) due to be enforced next year, for instance, it’s time that businesses consider taking a more robust approach to ensuring the privacy of their data, or risk potentially ruinous fines.
Businesses generally tend to control their data simply by restricting its physical storage location; ensuring information is kept on premises, and putting policies in place to prevent its distribution.
More progressive businesses might also look beyond the physical location of encrypted data, using new technologies to take control of its ‘logical’ location – the location of the point of control of encryption.
Keeping data on premises can grant its owners peace of mind, and may help them to achieve a level of regulatory compliance, but best practice suggests that sensitive data should be encrypted at rest. Ultimately, then, control over decryption keys, rather than where the data is held, dictates who is able to see and use the information.
In time though, as content owners and regulators accept that this is the case, the logical location of the data will grow in significance while the physical location(s) of an encrypted file will become increasingly irrelevant.
Businesses adopting this mindset will be able to maintain control of valuable content, even when it flows beyond their organisation’s boundaries. By shifting focus, they can then manage and control the encryption keys that protect this content wherever it goes, and implement processes for managing, distributing and revoking access to the keys.
Some businesses are adopting key management practices such as Customer Managed Keys (CMKs) as a way to retain control over the encryption keys to data held off premises in the cloud. Allowing businesses to keep exclusive control of the encryption, CMKs ensure that their data remains secure and under their control, regardless of its location. Should the data owner choose to disable access to the keys, for example, it would then become impossible for the information to be decrypted by a third-party service provider or anyone else.
In addition to the use of CMKs, businesses can also employ Information Rights Management (IRM) technologies as a means of taking control of the logical location of their information. IRM offers security which will travel with a document wherever it goes, attaching encryption control to a file so that it can be shared, tracked, monitored and revoked as needed.
A document with IRM protection can effectively “phone home” to a central service and ask whether or not the person currently attempting to view or edit the document has permission to do so. If they haven’t, then the keys won’t be shared, which renders the document useless. In taking control of the encryption, IRM allows permission to be granted or revoked at will, effectively “shredding” any remote documents that need to be pulled back. It’s possible to monitor and revoke access, and to enforce a time limit after which a document can no longer be viewed – regardless of whether it has already been shared or downloaded.
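The key-release exchange described above, sketched as an added example (not code from this article or from any IRM product). `KeyService`, `open_document` and the document and user names are hypothetical, and the SHA-256 keystream is a standard-library stand-in for the AEAD cipher a real deployment would use.

```python
import hashlib, secrets

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 counter keystream) so the example runs on the
    # standard library alone; assumption: production uses an AEAD like AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class KeyService:
    """Hypothetical central service: the only place document keys live."""
    def __init__(self):
        self._keys = {}     # doc_id -> 32-byte key
        self._grants = {}   # (doc_id, user) -> expiry (epoch seconds)
        self.audit = []     # (time, doc_id, user, decision)

    def protect(self, doc_id, plaintext):
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._keys[doc_id] = key
        return nonce + _xor_stream(key, nonce, plaintext)  # blob that travels

    def grant(self, doc_id, user, expires_at):
        self._grants[(doc_id, user)] = expires_at
    def revoke(self, doc_id, user):
        self._grants.pop((doc_id, user), None)

    def request_key(self, doc_id, user, now):
        # The "phone home" check: release the key only for a live, unexpired grant.
        expiry, key = self._grants.get((doc_id, user)), self._keys.get(doc_id)
        ok = key is not None and expiry is not None and now < expiry
        self.audit.append((now, doc_id, user, "released" if ok else "denied"))
        return key if ok else None

def open_document(service, doc_id, user, blob, now):
    # Viewer side: ask on every open and never cache the key, otherwise
    # revocation and expiry stop applying to copies already downloaded.
    key = service.request_key(doc_id, user, now)
    return None if key is None else _xor_stream(key, blob[:16], blob[16:])

def demo():
    svc = KeyService()
    blob = svc.protect("contract-1", b"constructed sample text")
    svc.grant("contract-1", "alice", expires_at=1000)
    first = open_document(svc, "contract-1", "alice", blob, now=500)
    svc.revoke("contract-1", "alice")
    second = open_document(svc, "contract-1", "alice", blob, now=600)
    return first, second, [entry[3] for entry in svc.audit]
```

The audit list is what makes the monitoring mentioned above possible: every open attempt, allowed or not, reaches the service before any key is released.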
Where should responsibility lie?
Once a business has decided to strengthen the security of its information through the use of CMKs, controlling the point of encryption rather than focusing on the encrypted data’s storage location, it must then decide with whom the responsibility for this lies: the firm’s CIO, its legal department, or one of the new breed of data privacy officers.
Thousands of new data privacy officer roles are likely to be created following the implementation of the GDPR in just over a year’s time, each of whom will be tasked with the protection of sensitive personal information as it moves within and outside of their organisation’s firewall. Given this particular remit, they may well be the appropriate owners of their business’s key management processes.
Retaining control over the point of encryption will enable data privacy officers to ensure that they remain compliant with even the most stringent data privacy regulations, as well as making sure that their business is in the best possible position for any future changes in regulation.
As the enterprise continues to expand its use of cloud services, CMK offers IT departments the opportunity to remain in control, even if core services are being delivered by external providers. It makes a great deal of sense therefore that, whether maintaining control of a business’s IT systems or managing services provided by a third party, the central IT department may well be the place most capable of key management.
Alternatively, the legal aspects of the increasingly strict data privacy landscape may persuade businesses to place the responsibility for key management in the hands of their own legal teams. Otherwise, it might be outsourced to a law firm which could play the role of data protection adviser, and provide a service of managing keys on behalf of a number of different clients, handling requests from any external enforcement agencies that require access to the content.
Prepare for the future
There’s no one-size-fits-all approach to who is responsible for managing encryption within a business; it can be influenced by a number of factors such as the organisation’s size, sector or scale.
There is a strong argument that whoever holds the ultimate responsibility for an organisation’s data should also take control of the keys which encrypt that data. In this case both CMK and IRM technologies will offer whoever is responsible the closest possible control.
Faced with the combination of a rapidly evolving threat landscape and increasingly onerous regulatory overheads, businesses should look to employ the most secure and efficient method of controlling their data, without limiting their productivity. CMK and IRM both offer just this level of control and efficiency while, at the same time, allowing businesses to prepare for whatever may be asked of them by future regulations.