The battle between Apple and the FBI over cracking the code to gain access to an iPhone has brought the issue of encryption to the front page.
However, concerns about encryption and control of the data go well beyond this one high-profile clash. Server-side encryption offered by cloud providers, with the provider also holding the keys, has traditionally been treated as the default and “best” level of security. That assumption is now being questioned: client-side encryption, with the customer controlling the keys through disciplined key management, is increasingly seen as the stronger option. Which raises the question: who should be responsible for encrypting the data?
Server-side encryption is when the cloud provider encrypts the data and, optionally, also holds the encryption keys, explains Elliott Abraham, Senior Security Consultant with Adapture. Client-side encryption is when the cloud customer encrypts the data before sending it to the cloud, and the customer keeps the encryption keys.
“In both scenarios the data at rest is encrypted which all compliance and regulatory guidance mandates,” he says. “The issue is, whoever owns the keys ultimately controls the data.”
Server-side encryption is better than nothing because it allows for strict control over the environment in which the encryption takes place, according to Chris Teitzel, Founder and CEO, Cellar Door Media and creator of Lockr. “Being cloud-based allows for this encryption to be done the same way with the same keys across a multitude of applications and as such is seen as the default and best practice,” Teitzel says. “It allows for scalable environments to handle the encryption, interoperability among applications to handle the encrypted data and all while being able to certifiably meet encryption best practices.”
However, Teitzel thinks that the better option is client-side encryption. “The data is encrypted at its source prior to transit and cannot be breached anywhere along the way until it is decrypted at its intended endpoint.” The downside is that the customer now has to manage the keys, which is why many companies continue to turn to server-side encryption.
So what is the best option? Encryption that happens at the source of the data, backed by a certifiably secure method for encrypting, storing, and retrieving the key, and that fits the company's specific needs.
“The safest key is one that you do not store anywhere near the data it is protecting, or the environment that is doing the encryption,” says Teitzel. “Having the ability to store a key remotely but only usable in the local environment is the best of both cloud and local worlds.”
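The arrangement Teitzel describes, a key held remotely but only ever used locally, combined with the client-side model Abraham outlines, is what envelope encryption does in practice. The following is an added worked example in Go; it is not code from the article, from Lockr, or from Adapture. `KeyStore` is a hypothetical in-memory stand-in for the customer's remote KMS or HSM (a real one would be reached over the network and would never hand out the key-encryption key, KEK). Each object gets its own data-encryption key (DEK), the data is encrypted on the client with AES-256-GCM before upload, and the cloud receives only the ciphertext plus the DEK sealed under the KEK. Binding the object name as GCM associated data is a design choice added here, so a blob cannot be silently moved or renamed by whoever holds the storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Blob is everything the cloud provider ever stores for one object.
// Without the customer's KEK it is opaque: the wrapped DEK is itself ciphertext.
type Blob struct {
	WrappedDEK []byte // per-object DEK sealed under the KEK (nonce || ciphertext)
	Nonce      []byte // GCM nonce used for the object data
	Ciphertext []byte // AES-256-GCM(data), authenticated together with the object name
}

// KeyStore is a hypothetical stand-in for the customer's remote key service.
// It only wraps and unwraps data keys; the KEK never leaves it.
type KeyStore struct{ kek []byte }

// NewKeyStore generates a fresh 256-bit KEK (in a real deployment this lives in the KMS/HSM).
func NewKeyStore() (*KeyStore, error) {
	kek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh nonce; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(g.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, a modified ciphertext, or a mismatched aad.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Wrap seals a DEK under the KEK and returns nonce || ciphertext.
func (ks *KeyStore) Wrap(dek []byte) ([]byte, error) {
	nonce, ct, err := seal(ks.kek, dek, []byte("dek-wrap"))
	if err != nil {
		return nil, err
	}
	return append(nonce, ct...), nil
}

// Unwrap recovers a DEK; under any other KEK the GCM tag check fails.
func (ks *KeyStore) Unwrap(wrapped []byte) ([]byte, error) {
	g, err := newGCM(ks.kek)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("wrapped key too short")
	}
	return g.Open(nil, wrapped[:n], wrapped[n:], []byte("dek-wrap"))
}

// EncryptForUpload runs on the client: the DEK is generated and used locally,
// then wrapped by the key store. Only the returned Blob is sent to the cloud.
func EncryptForUpload(ks *KeyStore, objectName string, data []byte) (Blob, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return Blob{}, err
	}
	nonce, ct, err := seal(dek, data, []byte(objectName))
	if err != nil {
		return Blob{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return Blob{}, err
	}
	return Blob{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptAfterDownload runs on the client: the key store unwraps the DEK and
// the data is decrypted locally. The object name must match what was sealed.
func DecryptAfterDownload(ks *KeyStore, objectName string, b Blob) ([]byte, error) {
	dek, err := ks.Unwrap(b.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, b.Nonce, b.Ciphertext, []byte(objectName))
}
```

The point of the split is Abraham's observation that whoever owns the keys controls the data: a second `KeyStore` with a different KEK, standing in for the provider or anyone with access to the storage, cannot unwrap the DEK, and a blob that has been modified or stored under a different object name is rejected by the GCM tag check rather than decrypted to garbage.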