Cloud Security is a Shared Responsibility

The Cloud Security Alliance emphasizes the importance of shared responsibility in its latest Security Guidance v4.0. Shared responsibility means that Cloud Solution Providers (CSPs) own the responsibility to secure the infrastructure that runs their cloud services. Data owners are responsible for protecting the confidentiality, integrity, and availability of their data in the cloud.

Securing data in the cloud properly requires that data owners own—and can prove that they own—their data, from inception to deletion. That means that data owners—not their cloud provider—must protect their sensitive data by deploying a cloud security ecosystem where data and cryptographic keys are secured and managed, and access is controlled.

Risk Factors

  • Human Error. CSPs offer varying security controls and multi-cloud means learning new policies and cloud- and identity-security solutions.
  • Vulnerabilities. Bugs happen whether on-premises or in the cloud.
  • Insider Threat. From CSP infrastructure administrators to internal administrators with elevated privileges in the cloud, insiders pose a threat. Admin credentials are often targeted and compromised. Remember, event with certain types of encryption, privileged users can see data in the clear for all users.
  • Protecting the Keys to the Kingdom. The cryptographic keys used to encrypt and decrypt data require enhanced control and separation between encrypted data in the cloud and the keys. If these keys are compromised, encrypted data can be exposed.

Cloud Security Best Practices

  • Data owners need to directly manage, if not own, their encryption to ensure that their data is protected as it is stored in and moves to and from the cloud.
  • Data owners need to own the generation and administration of the cryptographic keys used to encrypt data in the cloud.
  • Data owners need to ensure that only validates and authorized users can access sensitive data in the cloud.
  • Data owners need cloud independent security solutions that can be applied across private, hybrid, public, and multi-cloud environments

Thales TCT Solutions to Protect YOUR Data in THEIR Cloud

Thales TCT offers cloud independent encryption, key management, and authentication solutions that enable organizations to safely store sensitive data in the cloud. Our solutions allow customers to effectively manage their security when working in different environments, across different platforms and with multiple cloud providers.

Secure Cloud Access

When data and applications move to the cloud, user access—by default —takes place remotely. Organizations therefore have to implement user access controls for enterprise resources residing both in the cloud and within the confines of the data center.

Thales TCT offers Authentication and Access Management Solutions that allow organizations to seamlessly extend secure access to the cloud through identity federation. Thales TCT’s platforms leverage organizations’ existing authentication infrastructures, allowing them to extend users’ on-premises identities to the cloud and enabling them to implement consistent access control policies for both cloud and network applications.

Discover, Protect and Control Cloud Data

Secure data in the cloud with Thales TCT’s CipherTrust Data Security Platform. The platform offers advanced multi-cloud Bring Your Own Encryption (BYOE) solutions to avoid cloud vendor encryption lock-in and ensure the data mobility to efficiently secure data across multiple cloud vendors with centralized, independent encryption key management.

Organizations that cannot bring their own encryption can still follow industry best practices by managing keys externally using the CipherTrust Cloud Key Manager. The CipherTrust Cloud Key Manager supports Bring Your Own Key (BYOK) use-cases across multiple cloud infrastructures and SaaS applications.

Additionally, organizations can utilize CipherTrust Data Discover and Classification to locate sensitive data in the cloud. A single pane of glass delivers understanding of sensitive data and its risks, enabling better decisions about closing security gaps, prioritizing remediation, or securing cloud transformation and third-party data sharing.

With the CipherTrust Data Security Platform, the strongest safeguards protect sensitive data and applications in the cloud, helping the organization meet compliance requirements and gain greater control over data, wherever it is created, used, or stored.

Go cloud-native with security

You can rearchitect your applications for the cloud while providing both data encryption and secure key management using CipherTrust Application Data Protection, a component of the Data Security Platform. With C, C#, Java and REST bindings to Crypto Service Providers (CSPs) located where you deem appropriate, PaaS data can remain secure.

Ensure you can trust your apps and data by securing the keys

Thales TCT’s Hardware Security Modules (HSMs) provide uncompromised trust across cloud, on-premises and hybrid environments. Thales TCT HSMs are the choice for government agencies when storing, protecting and managing cryptographic keys used to secure sensitive data and critical applications. Meeting government mandates for U.S. Supply Chain, the high-assurance, tamper-resistant Luna T-Series HSMs are designed, developed, manufactured, sold, and supported in the United States.

Meet your compliance needs securely and efficiently with Thales TCT HSMs that provide a high assurance, FIPS certified root of trust for any use case, any application,  delivered as a FedRamp High Authorized service in the cloud or on-premises, and across hybrid environments.

Secure data as it transits the cloud

Today’s network encryption devices must handle intensive encryption algorithms, operate across a diverse range of cloud architectures and connectivity and be future proof against emerging threats. With Thales High Speed Encryption (HSE) network encryptors, companies can secure data in motion across network traffic between data centers, headquarters to backup and disaster recovery sites, in the cloud or on-premises.

Secure file sharing without compromise

Thales TCT offers SureDrop®, a secure file sharing and collaboration platform, that enables users to store, share and sync all their files in the cloud or on premises with an enterprise-class solution and end-to-end encryption security. SureDrop, offers users the mobile collaboration, interaction and productivity they need behind what is commonly referred to as ‘unbreakable’ encryption security.

Thales TCT additionally offers Votiro’s Secure File Gateway for Web that enables users to transfer files safely without disrupting the workflow.  Using Positive Selection™ techniques, all known and unknown threats from external networks are eliminated before they can enter internal networks. Positive Selection ensures only known elements from files across multiple devices and data sources are transferred to your internal network.

Store and Manage RPA Credentials in the Cloud

The Luna as a Service Credential System provides agencies a cloud service model of Thales TCT’s Luna Credential System (LCS). LCS offers a new approach to multi-factor authentication by maintaining user credentials in a centralized hardware device that is securely accessible through the cloud service by endpoints in a distributed network. It unites the familiarity of certificate-based authentication with the security of a FIPS 140 Level 3 certified HSM, supporting a number of use cases including Windows Logon and authentication to PK-enabled applications and websites. LCS is a multi-purpose, secure credential system ideally suited for an environment in which the endpoints or users, like RPA bots or other non-person entities, cannot use a traditional authentication token.


Advanced data protection for AWS S3 with CipherTrust Transparent Encryption Solution Brief
Avoiding Amazon S3 Data Leaks with Scalable Encryption and Access Controls Solution Brief
CipherTrust Cloud Key Manager Product Brief
CTO Sessions On Demand: Protecting Your Data in Their Cloud
CTO Sessions Webcast On Demand: Taking Control of 2023’s Top Tech Trends
CTO Sessions Webcast: A Guide to BYOK and HYOK for AWS, Azure, Google, Oracle and More
Microsoft Azure Advanced Data Protection Solution Brief
On Demand Webinar: Best Practices for Cloud Data Protection
Product Demo: Protecting AWS S3 Buckets: AWS KMS vs Transparent Encryption COS S3 from Thales
Solution Brief: Best Security Practices for milCloud Data Migration
White Paper: Best Practices for Cloud Data Protection and Key Management
White Paper: Best Practices for Implementing the White House Executive Order on Improving the Nation’s Cybersecurity Infrastructure
White Paper: Best Practices for Secure Cloud Migration
White Paper: The Case for Centralized Multicloud Encryption Key Management
White Paper: Top Five Ways to Address Requirements in National Security Memo on Improving Cybersecurity of National Security Systems