Skip to content
All posts

The Importance of Encryption Key Management

Solutions that enable BYOK (Bring Your Own Key) and client-side encryption capabilities enable a secured collaborative workspace

As Cyberscop recently reported that Senators Ron Wyden and Rob Portman have called on the National Science Foundation (NSF) to encrypt sensitive data shared through the National Secure Data Service (NSDS), an interagency collaboration platform established by the U.S. government, to protect it from foreign adversaries and hackers. In a letter to NSF Director Sethuraman Panchanathan, the senators argued that encryption is the best technology to ensure that data remains private and urged NSF to require agencies submitting data to the database to encrypt it with a key that only they control.

When sharing sensitive information, it is generally recommended to use secure methods such as encryption of sensitive data to protect it from unauthorized access. Encryption converts the data into a secure, encrypted form that only someone with the correct decryption key can access. This ensures that even if the data is intercepted, it is difficult for someone without the key to read or understand it. Encryption can be used to protect data during storage or transmission mission and is an effective way to ensure that sensitive information remains confidential. Whoever holds the encryption key can decrypt and access the data in a decipherable way. This is why the key is essential to protect from malicious actors. In the NSF case, if the data is encrypted at the database level and a malicious actor manages to access the master key, they will gain access to the entirety of the data.

This is why Senators Ron Wyden and Rob Portman urge the NSF to require that the agencies encrypt the data with a key that they own before submitting it to the database. In the advent of a breach in the NSDS system, each agency’s data will remain encrypted and protected from malicious actors. Taking the responsibility of key residency from the NSF and transferring it to the participating agencies will “remove a massive cyber-target from its back” as stated in the letter. In the past, there have been several cases where sensitive information has been compromised due to inadequate data protection measures. One notable example is the 2014 security breach at the Office of Personnel Management (OPM), which allowed suspected Chinese hackers to steal the sensitive personal information of 22 million current and former federal employees.

This security breach was a wake-up call for the need for better data security in federal agencies, but unfortunately, agencies continue to struggle to protect Americans' sensitive data. Last week, for example, it was revealed that IRS inadvertently released confidential data on 112,000 taxpayers. Cybercriminals have continued to perfect their attack techniques and find new ways to penetrate systems and steal data. Their nefarious innovations make it increasingly difficult for organizations to protect themselves successfully. As malicious actors continue to perfect their attacks, cyber protection must be regularly updated and tested to ensure it works optimally against real-world threats. The consequences resulting from weak cybersecurity and data leaks can be severe and far-reaching. Data breaches can result in the theft of sensitive financial data such as credit card numbers or bank account information. This can result in financial losses for both individuals and businesses.

If the leak is due to inadequate cyber protection, it can lead to legal consequences that can devastate the company's reputation. Part of a good cybersecurity plan should include encryption and key management. It is essential for organizations to carefully consider their security needs and choose between cloud-based key management or owning their own keys. The latter is preferable when dealing with sensitive data, but the key must be protected internally, which is more costly.

In recent years, quantum keys have become increasingly important. They are the only mathematically proven random source and cannot be manipulated without detection. Companies need to know their options and cybersecurity capabilities to decide to protect their data best. Confidential computing is about protecting data while it is being used, such as during its processing or analysis. This is achieved by enclosing the data in a secure container, often referred to as a "trusted execution environment" (TEE), that prevents unauthorized access to the data even if the operating system or other software is running on the same device.

Confidential computing can be used in conjunction with encryption key management and even quantum-driven keys to provide an additional layer of security for sensitive data, especially data shared by multiple parties or organizations. Platforms that offer dedicated and localized hardware confidential computing platforms can firmly secure sensitive collaborative data by managing the encryption keys.