If the house is data, who holds the key?
Three questions every CISSP must ask.
Your house has valuable data.
You can paint, renovate and lock.
The challenge comes when you outsource the job.
Let’s simplify four types of encryption with house maintenance.
Client-side encryption
You are in complete control of your house.
You can paint and renovate.
You buy your lock and keep the key with you.
You send your house to a big warehouse when it’s ready.
Think of the house as your data and the warehouse as the cloud.
You encrypt the data, and keep the encryption key with you.
You only store encrypted data in the cloud.
Remember, the cloud cannot do anything with your house (data) because you have the key.
This is the most secure option.
Server-side encryption
The tradie lifts and shifts the house to the warehouse.
The warehouse team paints the house and renovates.
They fit their own lock and keep the key.
You don’t have any control because you trust them.
The customer sends unencrypted data to the cloud for encryption.
It’s less of a burden for you, but more dangerous because your house is at risk if anybody breaks into the warehouse.
Customer-managed keys
You choose the lock and store the key in the warehouse’s vault.
You decide the lock combination.
When a tradie wants to do maintenance on your house, you unlock the vault for 30 minutes and record everything on CCTV.
The customer creates the key on the cloud provider’s key management system (KMS) and uses their vault.
The cloud encrypts the customer’s data under the access policies, logging and key rotation that the customer sets.
Customer-provided encryption
When a tradie comes for a job, you bring the key each time.
You unlock the door and watch the tradie paint and renovate.
Then you lock it.
Every time there is a job, you lock and unlock the house.
The customer generates the key and keeps it.
The customer is responsible for providing the key each time to the cloud provider during encryption and decryption operations, such as upload or download.
CISSP insight
Keep asking three questions:
– Who creates the key?
– Who stores it?
– Who can decrypt the data?
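To make the three questions concrete, here is a small Python simulation of the four models above (an added example, not part of the original post). The warehouse is a `Cloud` class, the cipher is a constructed HMAC-based toy used only so the example runs offline, and `try_decrypt` answers question three by attempting decryption with nothing but what the cloud still holds after the request has finished.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher from an HMAC-SHA256 keystream (constructed for illustration; use AES-GCM for real data)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, pt)

def decrypt(key: bytes, ct: bytes) -> bytes:
    return keystream_xor(key, ct[:16], ct[16:])

class Cloud:
    """The warehouse: always holds ciphertext; whether it also holds a key depends on the model."""
    def __init__(self) -> None:
        self.blobs, self.server_keys, self.kms, self.policy, self.audit = {}, {}, {}, {}, []
    def put_client_side(self, name: str, ciphertext: bytes) -> None:
        self.blobs[name] = ciphertext                      # customer encrypted at home; cloud never sees a key
    def put_server_side(self, name: str, pt: bytes) -> None:
        self.server_keys[name] = os.urandom(32)            # cloud creates the key and keeps it in the warehouse
        self.blobs[name] = encrypt(self.server_keys[name], pt)
    def create_cmk(self, key_id: str, key: bytes) -> None:
        self.kms[key_id] = key                             # customer-created key, stored in the cloud KMS vault
    def put_cmk(self, name: str, key_id: str, pt: bytes, allowed_until: int) -> None:
        self.policy[name] = (key_id, allowed_until)        # customer's policy: the "30-minute" unlock window
        self.blobs[name] = encrypt(self.kms[key_id], pt)
    def put_customer_provided(self, name: str, key: bytes, pt: bytes) -> None:
        self.blobs[name] = encrypt(key, pt)                # key travels with this request only and is not retained
    def try_decrypt(self, name: str, now: int):
        """Question 3: decrypt using only what the cloud still holds; None means it cannot."""
        if name in self.server_keys:
            return decrypt(self.server_keys[name], self.blobs[name])
        if name in self.policy:
            key_id, allowed_until = self.policy[name]
            allowed = now <= allowed_until
            self.audit.append((name, key_id, now, allowed))  # the CCTV recording: every key use is logged
            return decrypt(self.kms[key_id], self.blobs[name]) if allowed else None
        return None                                        # client-side or customer-provided: no key in the warehouse
```

Only the server-side and (inside its policy window) customer-managed models let the warehouse open the house on its own; in the other two the customer must bring the key, and every customer-managed key use leaves an audit entry.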
In my CISSP world, every concept is a story, an art piece, or a visual representation.
Join the CISSP As An Art (CaaART) tribe, the first visual-only CISSP course.
