
Why you should own the key when encrypting data in the cloud

Anthony Merry, director of Product Management, Sophos | April 4, 2016
As organizations move applications and data stores from on-premises systems to the cloud, strong encryption is a precondition for keeping that data secure against attack.

Adopt a bring-your-own-key policy: data is encrypted on your side, before it leaves your systems, with keys you generate and hold, so the cloud provider never possesses the key and can neither decrypt the data itself nor be compelled or tricked into doing so. Because the data is already ciphertext when it is uploaded, it stays protected in transit across the network and at rest on the provider's systems, independently of whatever transport or storage encryption the provider applies. Only your users, who hold the key, can read it. An opportunistic thief who steals a user's cloud credentials and logs in to the service sees only ciphertext, provided the key is not itself stored somewhere those same credentials can reach. This may sound complex and slow, but a client-side encryption agent handles key management and the encrypt-on-upload, decrypt-on-download cycle transparently, with no action needed from your users or from the provider.

Encrypting files before they reach the cloud provider gives better security, but it disables any provider feature that needs to read the file's content. One example is viewing a preview of a file in the browser without downloading it and opening it in a program such as Microsoft Word or Excel. If the files are encrypted, a thief cannot learn their contents, but neither can the provider's content-inspecting value-added services.
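The two preceding paragraphs describe the mechanism and its trade-off; the following Go program, added here as an illustration and not code from the article or from Sophos, shows both. It implements bring-your-own-key envelope encryption on the client (a per-object data key under AES-256-GCM, wrapped by a customer-held key-encryption key) and uses an in-memory map as a stand-in for the provider's object store. The `cloudStore`, `upload`, `download` and `providerPreview` names, the wire format and the sample file are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"unicode"
)

// cloudStore stands in for the provider's object storage. It only ever
// receives what the client hands it; here that is ciphertext.
// (Constructed stand-in for this example, not a real cloud SDK.)
type cloudStore map[string][]byte

// seal encrypts plaintext with AES-256-GCM under key, binds aad into the
// authentication tag, and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. It fails if the key or aad is wrong or the blob was modified.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// upload does bring-your-own-key envelope encryption on the client: a fresh
// per-object data key (DEK) encrypts the file, the customer-held
// key-encryption key (KEK) wraps the DEK, and only the wrapped DEK travels
// with the object. The KEK never reaches the store. The object name is bound
// as AAD so a blob cannot be silently moved to another name.
func upload(store cloudStore, kek []byte, name string, plaintext []byte) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return err
	}
	body, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return err
	}
	// Assumed wire format: 2-byte big-endian length of wrapped DEK || wrapped DEK || body.
	blob := make([]byte, 2, 2+len(wrapped)+len(body))
	binary.BigEndian.PutUint16(blob, uint16(len(wrapped)))
	blob = append(append(blob, wrapped...), body...)
	store[name] = blob
	return nil
}

// download fetches the blob and decrypts it with the customer's KEK. Anyone
// with only store access (a credential thief, or the provider itself) can do
// the fetch but not the decryption.
func download(store cloudStore, kek []byte, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok {
		return nil, fmt.Errorf("no such object %q", name)
	}
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	n := int(binary.BigEndian.Uint16(blob))
	if len(blob) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	dek, err := open(kek, blob[2:2+n], []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, blob[2+n:], []byte(name))
}

// providerPreview models a value-added feature that needs plaintext: it shows
// the first 32 bytes of an object when they look like text. On a
// client-encrypted object it has nothing to show.
func providerPreview(blob []byte) (string, bool) {
	sample := blob
	if len(sample) > 32 {
		sample = sample[:32]
	}
	for _, b := range sample {
		r := rune(b)
		if b > unicode.MaxASCII || (!unicode.IsPrint(r) && !unicode.IsSpace(r)) {
			return "", false
		}
	}
	return string(sample), true
}

func main() {
	kek := make([]byte, 32) // generated and held by the customer, never uploaded
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	store := cloudStore{}
	const name = "hr/ceo-employment-contract.docx" // constructed sample object
	if err := upload(store, kek, name, []byte("Employment contract for Jane Doe ...")); err != nil {
		panic(err)
	}
	_, previewable := providerPreview(store[name])
	fmt.Println("provider can preview:", previewable)
	got, err := download(store, kek, name)
	fmt.Printf("key holder reads: %q (err=%v)\n", got, err)
}
```

Three properties follow from the design: the store and anyone who merely has store credentials hold only ciphertext and a wrapped key they cannot unwrap; the AAD binding means a blob copied to a different object name no longer decrypts; and the GCM tag makes any modification of the stored object fail authentication on download instead of yielding corrupted plaintext.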

Educate your users

You should still regularly educate your users on how to determine when it’s appropriate or not to upload a file to the cloud. After all, you don't want someone looking for photo headshots of executives for a marketing presentation to stumble across and accidentally (or intentionally) open those executives’ employment contracts.

There is no single level of protection that fits all data. User education should therefore also cover how to set permissions so that sensitive information is accessible only to the appropriate people, both inside and outside the company.

A cloud-based management console that gives IT a real-time view of every device connected to the network, including which data is being sent to cloud services, provides a comprehensive picture of how information moves across the network.

But, let me be clear, establishing this level of visibility does not require your encryption technology to include a backdoor.

Why backdoors don’t work

Cryptography is based on trust, and violating that trust undermines the effectiveness of encryption technology. Users will not want to store information in either on-premises or cloud applications that they discover include a backdoor. Instead, they will turn to other applications, often without IT's knowledge or permission. Backdoors in encryption undermine freedom of speech and the freedom to conduct our affairs without interference or fear.

Realize that a backdoor is open to anyone who finds it, not just to authorized IT personnel. Malicious insiders, foreign spies and criminal hackers could wreak havoc once they discover it. A backdoor therefore subverts the effectiveness of the encryption by building in a standing vulnerability. Nor would backdoors in reputable commercial software prevent bad actors from simply turning to alternative forms of encryption to hide their activities and communications.
