Cloud computing has transformed how organizations operate. It’s given businesses, large and small, the chance to access IT resources without the hefty costs and upkeep that come with owning their own infrastructure. For small and fast-growing companies, this shift means they can quickly scale their tech resources—something that used to take months and a lot of money just a couple of decades ago.
But just because you can set up cloud services easily doesn’t mean you should forget about them. One of the main advantages of cloud services is the ability to adjust resources as needed. For example, if a new project requires extra data processing or if seasonal needs arise, you can quickly add resources without paying for them all year round. However, this flexibility is only an advantage if companies actively manage where their data is stored rather than treating it as “set and forget.”
Securing that data is equally important. Most public cloud contracts lay out a shared responsibility between the provider and the customer for keeping data safe. However, because this security varies from service to service, organizations need to carefully consider what data goes where and how secure it should be.
In practice, though, this can be tricky. Many organizations don’t have the tech expertise they need to manage their cloud services effectively. Some might mistakenly think they are safe simply because they share a public cloud with millions of others or because they’ve never faced an attack. But that’s a risky way to approach security. Even if they don’t understand their contracts fully, organizations are still responsible for protecting their data no matter where it’s stored. If there’s a breach, public cloud providers might quarantine certain encryption keys, but if a client’s credentials get compromised, there’s not much the providers can do legally.
Recent incidents show just how critical it is to manage encryption keys properly. A cyber crime group known as “Codefinger” recently targeted AWS customers, stealing credentials to lock down their data. Many companies fail to monitor and audit their encryption keys regularly, allowing unnecessary permissions to linger.
Duplication issues also come into play. According to the 2024 Thales Data Threat Report, 53% of companies have at least five key management systems, complicating visibility and control. Treating key management with the same seriousness as other cybersecurity measures is essential.
Best practices for generating and using encryption keys have been established for some time. The strength of the keys should match the sensitivity of the data they protect. For instance, using RSA key pairs lets third parties authenticate without exposing the data.
It’s also wise to maintain a separation of duties in key management. Those who create and manage keys shouldn’t have access to the encrypted data. This division helps prevent attacks that could give adversaries full access.
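A separation-of-duties check along these lines, as an added example rather than code from the original article: it reads an AWS KMS-style key policy and lists the principals that hold both key-administration and key-use permissions, including ones that pick them up across separate statements. The policy, account ID and role names are constructed, the grouping of actions into duties is an assumption, and Deny statements, NotAction and Condition are not evaluated.

```python
from fnmatch import fnmatchcase

# Concrete AWS KMS actions grouped by duty (a subset chosen for this example).
ADMIN = {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
         "kms:EnableKeyRotation"}
USE = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncryptFrom"}

# Constructed sample key policy; the account id and role names are placeholders.
ACCT = "arn:aws:iam::111122223333:role/"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ACCT + "KeyAdmin"},
     "Action": ["kms:Put*", "kms:ScheduleKeyDeletion", "kms:Disable*"]},
    {"Effect": "Allow", "Principal": {"AWS": [ACCT + "AppService"]},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*"]},
    {"Effect": "Allow", "Principal": {"AWS": ACCT + "LegacyOps"},
     "Action": "kms:*"},
    # A leftover grant in a separate statement, easy to miss by eye.
    {"Effect": "Allow", "Principal": {"AWS": ACCT + "KeyAdmin"},
     "Action": "kms:Decrypt"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [arn for vals in principal.values() for arn in _as_list(vals)]

def _grants(patterns, duty):
    # IAM action names are case-insensitive and may contain wildcards.
    return any(fnmatchcase(a.lower(), p.lower()) for p in patterns for a in duty)

def duty_conflicts(policy):
    """Return principals whose Allow statements cover both admin and use."""
    held = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # simplification: Deny statements are skipped
        patterns = _as_list(stmt.get("Action", []))
        for who in _principals(stmt):
            duties = held.setdefault(who, set())
            if _grants(patterns, ADMIN):
                duties.add("admin")
            if _grants(patterns, USE):
                duties.add("use")
    return sorted(who for who, d in held.items() if d == {"admin", "use"})
```

Calling `duty_conflicts(SAMPLE_POLICY)` reports the `KeyAdmin` and `LegacyOps` roles and leaves `AppService`, which can only use the key, off the list.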
A centralized system can vastly simplify the management of all these keys. For organizations that might handle millions of keys across different environments, keeping everything organized is key. With growing regulatory demands around key management, these practices are becoming essential, not optional.
Having IT resources on-demand via the cloud has been incredibly beneficial for businesses today. However, as they leverage these impressive advantages, it’s crucial that companies remember they remain legally accountable for their data’s security.