Last Updated on January 18, 2024
Forward-looking SaaS vendors are offering customers more flexibility in the balance of security tasks that each party takes on. For firms with robust security postures, a vendor can relinquish some security controls to reduce the risk that they potentially present to the client.
A top case in point is customer managed encryption keys (CMEK). Managing your own keys can be a good move—if you can keep them secure. “With great power comes great responsibility,” as the saying goes.
Is CMEK right for your business? Mark Richman, Principal Product Manager at iManage, takes a passionate deep-dive into this question along with host John Verry on a recent episode of The Virtual CISO Podcast.
What is CMEK?
Recognizing that “sometimes people’s eyes glaze when you say the word, ‘encryption,’” John offers an accessible explanation of CMEK: “Think of it as the key to the lock. The encrypted data in iManage would be unreadable without a copy of that key. Even if someone gained access to the data, they can’t see it. But if they gained access to the key, and the key is owned by iManage, they would be, in theory, able to unlock that data.”
John continues: “What you’re doing with customer-managed encryption keys is keeping the key that unlocks the data in your possession—not in the vendor’s possession. So, it provides just an insane level of value.”
Vendor as threat vector
The value in CMEK is that it can further reduce the client’s attack surface from insider threats or administrative mistakes on the vendor side.
“CMEK allows the customer to take ownership of the primary encryption keys, such that the cloud vendor does not have direct access to the primary keys that are encrypting the content itself,” Mark clarifies. “So, our application can use the keys to encrypt and decrypt content, but our application never has access to the encryption key itself.”
“That puts a lot of power and flexibility into the customer’s hands,” Mark adds. “For example, if the customer wants to terminate the relationship with iManage for any reason, those keys can be revoked at any time, and then all that content is immediately turned into a series of bits and is no longer recoverable.”
Managing added risk
Transfering security controls like CMEK from vendor to customer requires solid security practices or the customer’s risk will increase, not decrease. Like with CMEK, if a key custodian leaves your organization, you need processes in place for a smooth and secure “changing of the guard.”
Likewise, if a customer’s primary encryption keys were lost or corrupted, in a CMEK scenario there would be very little the SaaS vendor could do to help recover the content. A best-practice key management approach is therefore essential, including “separation of concerns” where copies of a key are kept in two places.
“This is an area where a customer can potentially hurt themselves,” notes Mark. “Because, for ease of administration, a customer just might want to have a single administrator be able to have access to both instances of the keys. But that’s the kind of thing that we really strongly caution against. We want to ensure that if you’re going to do something that has catastrophic potential consequences, at least two people have to be involved in that decision.”
What’s Next?
To listen to the complete show with Mark Richman from iManage, click here: LINK
Curious where SaaS firms most often fall short on cybersecurity? Here’s expert insight on that topic: https://pivotpointsecurity.com/blog/where-saas-firms-stumble-on-cybersecurity/