The Federal Office for Information Security (BSI) has updated its IT-Grundschutz-Kompendium: Edition 2019 is now available with 14 completely new modules. Among other things, a section on "Cloud usage" has been added, in which the topic of encryption is explicitly mentioned. A step in the right direction, even if some of the advice falls a little short.
The IT-Grundschutz-Kompendium is tailored to the security requirements of companies and public authorities. The aim is for users to be able to select the modules that are relevant to them in order to improve information security. The new edition is relevant for certification and replaces Edition 2018. In addition to technical aspects, infrastructural, organisational and personnel aspects are also taken into account. For example, there are also sections on possible pitfalls and "Measures for increased protection requirements" (2.3), which go beyond the state of the art. This also includes the use of encryption (OPS.2.2.M17). The BSI distinguishes between the encryption of data "in motion" (i.e. during transport) and "at rest" (at the storage location). The document advises that all data transferred between an organisation and a cloud provider should be secured using transport encryption. However, this is only the minimum requirement that an encryption solution should meet. Sensitive data should be encrypted at all times: not only "in motion", but also "in use" and "at rest". The reason is simple: only in this way can a company ensure that neither attackers nor unauthorised third parties, including, for example, the cloud provider's administrators, have access to the data.
In addition, the BSI points out that data can be encrypted either within the company or, alternatively, in the cloud application. However, there is a crucial problem with the latter: the cloud provider holds the cryptographic keys and controls the encryption process for the data. This gives the provider access to the unencrypted data. "In addition, it should be agreed that the cloud user can initiate the re-allocation of keys if necessary and influence the life cycles of the keys. It should be noted that the cloud service provider is also responsible for key management during encryption. Employees of the cloud service provider who have knowledge of the corresponding keys can access the institution's data in this way." (OPS.2.2.M17 Use of encryption for cloud use [ISB, IT Operations] (IA)). Companies should therefore consider carefully whether they want to leave control of their cryptographic keys and data protection processes to a third party. Particularly with regard to the European General Data Protection Regulation (GDPR), companies must bear in mind that they are solely responsible for the protection of their sensitive data. They cannot delegate this responsibility to third-party providers, including cloud providers.
In order to keep key management in their own hands, the BSI recommends that companies "use their own encryption mechanisms". Hardware security modules (HSMs) are cited as an example. These can handle both key management and encryption. The disadvantage: before the data can be encrypted by an HSM, it is transmitted to the HSM unencrypted. Companies therefore also need a solution that encrypts the data before it leaves the secure corporate environment and is sent to a third-party provider. So why not kill two birds with one stone? An encryption solution such as the eperi Gateway bundles both the encryption process and the key management, and it can be connected to an HSM if the customer wants to. The gateway is also designed to integrate easily into the existing IT infrastructure. CRM databases can likewise be encrypted via API interfaces.
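To make the two points above concrete (the provider must never hold the key, and sensitive data must be encrypted before it leaves the corporate environment), here is a small added example of a field-level encryption proxy in Go. It is illustrative code written for this article, not eperi's or the BSI's, and it makes a few assumptions: the record is a simple key/value map, the columns `email` and `phone` are the sensitive ones, each value is sealed with AES-256-GCM under a key that only the organisation holds, and the column name is bound into the ciphertext as associated data so a value moved between columns no longer decrypts. In a real deployment the key would be generated in and protected by an HSM rather than held in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record models one CRM row. The values used below are constructed sample
// data, not real customer information.
type Record map[string]string

// sensitiveFields lists the columns the gateway encrypts before the record
// leaves the corporate network (an assumption for this example).
var sensitiveFields = []string{"email", "phone"}

// Gateway holds the organisation's own data-encryption key. The cloud
// provider never receives this key, so it only ever sees ciphertext.
type Gateway struct {
	aead cipher.AEAD
}

// NewGateway builds an AES-GCM gateway; the key must be 16, 24 or 32 bytes.
func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead}, nil
}

// seal encrypts one field value with a fresh random nonce. The column name is
// passed as associated data, so ciphertext copied into another column fails.
func (g *Gateway) seal(field, value string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := g.aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// open reverses seal; any tampering or wrong key yields an error.
func (g *Gateway) open(field, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := g.aead.NonceSize()
	if len(ct) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.aead.Open(nil, ct[:n], ct[n:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Outbound produces what the cloud provider stores: sensitive columns are
// ciphertext, all other columns pass through unchanged.
func (g *Gateway) Outbound(r Record) (Record, error) {
	out := Record{}
	for k, v := range r {
		out[k] = v
	}
	for _, f := range sensitiveFields {
		if v, ok := out[f]; ok {
			enc, err := g.seal(f, v)
			if err != nil {
				return nil, err
			}
			out[f] = enc
		}
	}
	return out, nil
}

// Inbound restores plaintext for users inside the corporate environment.
func (g *Gateway) Inbound(r Record) (Record, error) {
	out := Record{}
	for k, v := range r {
		out[k] = v
	}
	for _, f := range sensitiveFields {
		if v, ok := out[f]; ok {
			dec, err := g.open(f, v)
			if err != nil {
				return nil, err
			}
			out[f] = dec
		}
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // in production: generated and kept in an HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	gw, _ := NewGateway(key)
	stored, _ := gw.Outbound(Record{"id": "4711", "email": "a.mueller@example.com", "phone": "+49 30 000000"})
	fmt.Println("what the cloud provider stores:", stored)
	restored, _ := gw.Inbound(stored)
	fmt.Println("what internal users see:     ", restored)
}
```

The point of the design is the direction of trust: the provider stores and indexes the record but can neither read the sealed columns nor, without the key, forge a plausible value for them, and because the key never leaves the organisation, "re-allocation of keys" in the BSI's sense stays under the cloud user's control.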
Companies should keep one thing in mind: No one can prevent data from being stolen. But the eperi Gateway helps ensure that attackers can't do anything with the data.