Cloud Security is a Shared Responsibility


The Cloud Security Alliance emphasizes the importance of shared responsibility in its latest Security Guidance v4.0. Shared responsibility means that Cloud Solution Providers (CSPs) own the responsibility to secure the infrastructure that runs their cloud services. Data owners are responsible for protecting the confidentiality, integrity, and availability of their data in the cloud.

Securing data in the cloud properly requires that data owners own—and can prove that they own—their data, from inception to deletion. That means that data owners—not their cloud provider—must protect their sensitive data by deploying a cloud security ecosystem where data and cryptographic keys are secured and managed, and access is controlled.


  • Human Error. CSPs offer varying security controls and multi-cloud means learning new policies and cloud- and identity-security solutions.
  • Vulnerabilities. Bugs happen whether on-premises or in the cloud.
  • Insider Threat. From CSP infrastructure administrators to internal administrators with elevated privileges in the cloud, insiders pose a threat. Admin credentials are often targeted and compromised. Remember, event with certain types of encryption, privileged users can see data in the clear for all users.
  • Protecting the Keys to the Kingdom. The cryptographic keys used to encrypt and decrypt data require enhanced control and separation between encrypted data in the cloud and the keys. If these keys are compromised, encrypted data can be exposed.


  • Data owners need to directly manage, if not own, their encryption to ensure that their data is protected as it is stored in and moves to and from the cloud.
  • Data owners need to own the generation and administration of the cryptographic keys used to encrypt data in the cloud.
  • Data owners need to ensure that only validates and authorized users can access sensitive data in the cloud.
  • Data owners need cloud independent security solutions that can be applied across private, hybrid, public, and multi-cloud environments

Thales TCT Solutions to Protect YOUR Data in THEIR Cloud

Thales TCT offers cloud independent encryption, key management, and authentication solutions that enable organizations to safely store sensitive data in the cloud. Our solutions allow customers to effectively manage their security when working in different environments, across different platforms and with multiple cloud providers.

When data and applications move to the cloud, user access—by default —takes place remotely. Organizations therefore have to implement user access controls for enterprise resources residing both in the cloud and within the confines of the data center.

Thales TCT offers Authentication and Access Management Solutions that allow organizations to seamlessly extend secure access to the cloud through identity federation. Thales TCT’s platforms leverage organizations’ existing authentication infrastructures, allowing them to extend users’ on-premises identities to the cloud and enabling them to implement consistent access control policies for both cloud and network applications.

Safely store sensitive data in the cloud with Thales TCT’s CipherTrust Data Security Platform. The platform offers advanced multi-cloud Bring Your Own Encryption (BYOE) solutions to avoid cloud vendor encryption lock-in and ensure the data mobility to efficiently secure data across multiple cloud vendors with centralized, independent encryption key management.

Organizations that cannot bring their own encryption can still follow industry best practices by managing keys externally using the CipherTrust Cloud Key Manager. The CipherTrust Cloud Key Manager supports Bring Your Own Key (BYOK) use-cases across multiple cloud infrastructures and SaaS applications.

Additionally, organizations can utilize CipherTrust Data Discover and Classification to locate sensitive data in the cloud. A single pane of glass delivers understanding of sensitive data and its risks, enabling better decisions about closing security gaps, prioritizing remediation, or securing cloud transformation and third-party data sharing.

With the CipherTrust Data Security Platform, the strongest safeguards protect sensitive data and applications in the cloud, helping the organization meet compliance requirements and gain greater control over data, wherever it is created, used, or stored.

Even if sensitive data is encrypted in the cloud, with either BYOE or cloud native encryption, organizations still need to own their encryption keys. Many CSPs offer key management service however, users can’t guarantee quality if the keys generated by the provider. Furthermore, users need the ability to easily decrypt and migrate data between cloud providers.

Thales TCT’s Hardware Security Modules (HSMs) provide uncompromised trust across cloud, on-premises and hybrid environments. Whether used independently or integrated with CipherTrust Data Security platform, HSMs safeguard digital identities, applications and sensitive key materials that are used to protect important collaboration tools, document sharing and online transactions. Thales TCT HSMs have a full U.S. supply chain and provide a high assurance, FIPS certified root of trust.

By generating keys on an HSM, users can verify the origin and quality of the keys you provided to the cloud service provider, strengthening the security of your organization’s key management practices. Users can gain greater control over the durability of imported key material as customers maintain the original version of the key material in their on-premises Luna HSM, outside of the cloud service provider’s environment.

Whether deploying Robotic Process Automation (RPA) in the cloud or on-premises, Thales TCT’s Luna Credential System (LCS) addresses compliance mandates for the management of digital identities such as software robots.  LCS introduces a new, patent pending, approach to multi-factor authentication by maintaining user credentials in a centralized hardware security module (HSM).

Composed of the Luna Credential HSM and the Luna Credential Client, LCS supports a number of RPA use cases including Windows Logon and authentication to PK-enabled applications and websites. When installed with cloud-based RPA deployments, the Luna Credential Client establishes secure communications to either an on-premises Luna Credential HSM or a cloud-based HSM (such as Azure Dedicated HSM) to utilize an entities certificate and corresponding private keys.

The file-sharing and collaboration marketplace is crowded with applications promising to deliver on the potential of a work anywhere, with anyone, culture. Many solutions offer a degree of security but, for many organizations, they don’t meet their standards for maximum data protection.

Thales TCT offers SureDrop®, a secure file sharing and collaboration platform, that enables users to store, share and sync all their files in the cloud or on premises with an enterprise-class solution and end-to-end encryption security. SureDrop, offers users the mobile collaboration, interaction and productivity they need behind what is commonly referred to as ‘unbreakable’ encryption security.

Thales TCT additionally offers Votiro’s Secure File Gateway for Web that enables users to transfer files safely without disrupting the workflow.  Using Positive Selection™ techniques, all known and unknown threats from external networks are eliminated before they can enter internal networks. Positive Selection ensures only known elements from files across multiple devices and data sources are transferred to your internal network.

Advanced data protection for AWS S3 with CipherTrust Transparent Encryption Solution Brief
Avoiding Amazon S3 Data Leaks with Scalable Encryption and Access Controls Solution Brief
Best Security Practices for milCloud Data Migration Solution Brief
CipherTrust Cloud Key Manager Product Brief
CTO Sessions On Demand: Protecting Your Data in Their Cloud (On Demand Webcast)
CTO Sessions: Taking Control of 2023’s Top Tech Trends
Microsoft Azure Advanced Data Protection Solution Brief
On Demand Webinar: Best Practices for Cloud Data Protection
Product Demo: Protecting AWS S3 Buckets: AWS KMS vs Transparent Encryption COS S3 from Thales
White Paper: Best Practices for Cloud Data Protection and Key Management
White Paper: Best Practices for Implementing the White House Executive Order on Improving the Nation’s Cybersecurity Infrastructure
White Paper: Best Practices for Secure Cloud Migration
White Paper: The Case for Centralized Multicloud Encryption Key Management
White Paper: Top Five Ways to Address Requirements in National Security Memo on Improving Cybersecurity of National Security Systems