The idea is simple: encrypt all your data before it leaves your premises, keep the key somewhere you control, and send only the ciphertext off to a data center somewhere. When you need the data, you bring the ciphertext back and decrypt it locally with your key.
Because the key never leaves your hands, the people who run the data center have no way of reading your data, and neither do hackers, foreign spies, or anyone who serves the provider with a court order.
“There are a number of advantages,” said Diogo Monica, IEEE member and security lead at Docker. “You are not sharing the keys with anyone, so you have exclusive control of the data that leaves the organization.”
There’s also a compliance benefit, he added.
“You can prove to the auditor that you own the keys, the keys are local, and all the data is transformed, and all the use of these third-party clouds [is] exclusively being done on the encrypted data,” he said.
Some data centers and cloud vendors already offer this kind of lockbox technology to their customers, and with Europe’s new General Data Protection Regulation taking effect next May, more are likely to follow suit. The GDPR is sure to send ripples across the entire IT infrastructure ecosystem.
Numerous vendors offer both software and hardware appliances that do the encryption and key management for you.
But there are tradeoffs, and the biggest one is usability.
If you’re the only one with a key, that means that employees working remotely won’t be able to get to the data.
Do you give them copies of your keys? Do you keep the keys in a separate shared storage area for them to use? Do you funnel all traffic through an appliance that does the encryption and decryption for you?
The cloud vendors won’t be able to get to your data either, and that’s not always a good thing. Say you have a bunch of documents stored away, and you want to search them for a specific term. The provider’s search index only sees ciphertext, so it can’t find the term without your key; the same goes for online editing tools, which need the plaintext to do anything useful.
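The following is an added example, not code from the original article or from any vendor it quotes, showing the lockbox scheme described at the top of the piece and the search limitation just described. It assumes a customer-held key-encryption key (KEK) that wraps a fresh per-object data key (DEK), AES-256-GCM for both layers, and the object name bound in as associated data so a blob renamed or swapped in storage fails to open. The object name, plaintext and search term are constructed sample inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Keyring holds the customer's key-encryption key. It stays on premises;
// only SealedObject values are ever sent to the cloud.
type Keyring struct {
	kek []byte // 32 bytes, AES-256
}

// SealedObject is the only thing the data center stores.
type SealedObject struct {
	Name       string // object name, bound into both layers as associated data
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

// NewKeyring generates a random KEK (illustrative; real deployments load it from an HSM or vault).
func NewKeyring() (*Keyring, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &Keyring{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with a fresh random nonce and returns nonce || ciphertext.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen inverts gcmSeal; it fails if the data, nonce or aad were altered.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Seal encrypts plaintext under a fresh DEK, wraps the DEK under the KEK, and
// returns the blob to upload. The KEK itself is never serialised.
func (k *Keyring) Seal(name string, plaintext []byte) (SealedObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return SealedObject{}, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(name))
	if err != nil {
		return SealedObject{}, err
	}
	wrapped, err := gcmSeal(k.kek, dek, []byte(name))
	if err != nil {
		return SealedObject{}, err
	}
	return SealedObject{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open brings an object back and decrypts it locally. Tampering, a wrong KEK,
// or a changed object name all surface as an error rather than as garbage.
func (k *Keyring) Open(obj SealedObject) ([]byte, error) {
	dek, err := gcmOpen(k.kek, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", obj.Name, err)
	}
	return gcmOpen(dek, obj.Ciphertext, []byte(obj.Name))
}

// CloudSearch is all the provider can do without the keys: scan the bytes it
// holds for a term. Against AES-GCM output a 16-byte term matches only by
// negligible chance, which is the usability trade-off the article describes.
func CloudSearch(store []SealedObject, term string) int {
	hits := 0
	for _, obj := range store {
		if bytes.Contains(obj.Ciphertext, []byte(term)) {
			hits++
		}
	}
	return hits
}

func main() {
	kr, _ := NewKeyring()
	obj, _ := kr.Seal("q3-report.txt", []byte("revenue forecast: confidential")) // constructed sample
	store := []SealedObject{obj}
	fmt.Println("cloud-side hits for 'revenue forecast':", CloudSearch(store, "revenue forecast"))
	pt, err := kr.Open(store[0])
	fmt.Printf("local decrypt: %q err=%v\n", pt, err)
}
```

The per-object DEK is what makes key rotation practical: rotating the KEK means re-wrapping a few dozen bytes per object, not re-encrypting every blob, and a compromised DEK exposes one object rather than the whole store.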
As a solution, some vendors offer lockboxes lite — they keep the keys for you, but promise to keep them safe.
“It is simpler to deploy if you are using vendor keys and their key management systems,” said Caio Milani, director of product management at MarkLogic, a database vendor. “However, it is a question of trust in the vendor’s internal process.”
Jersey City-based software company AvePoint uses Microsoft’s Azure Key Vault so that customers have a degree of control over the keys, while still being able to use the Office 365 online platform.