Is your enterprise one of the many that are having difficulty keeping data on the cloud – or on multiple clouds? You’re not alone. With the new push to all things digital and the need to support an enterprise that is mostly WFH, it’s no surprise that our world is increasingly cloud-centric and sometimes cloud-agnostic. Everyone’s keeping data on the cloud – but keeping that data safe is not as easy as it appears. In this article, we’ll break down five challenges enterprises must consider when migrating sensitive data to a cloud service provider (CSP) and when managing keys in the cloud.
Visibility and Control
CSPs not only store and manage data for enterprises; they become responsible for enforcing policy, visibility, accessibility, and governance over that data. This means that CSPs – not the enterprises that selected them – are entrusted to ensure that enterprise employees know where the cryptographic keys securing their data are being stored, how they’re used, and when they’re being used. CSPs may not have the same standards for those policies as an enterprise may hold internally. In practice, enterprises lose time assembling those data points and, more importantly, the audit trail. Why? Because in most cases they don’t have access to the full logs needed to retrieve critical information. Add to this that each cloud is traditionally its own silo – with its own format, usernames, and other hard-to-correlate input data – and understanding where the data sits can easily become a cloud-shift nightmare.
Another, sometimes overlooked, issue that can arise with visibility and control in the cloud is data deletion. Often, the client lacks sufficient visibility to confirm whether their data was actually deleted, in practice, by the CSP. CSPs spread their data across multiple devices, and deletion practices and protocols vary between providers.
Control of who accesses what keys – and where they’re stored – may prove elusive, even within the organization itself. CSPs provide a self-service type model for applications – some of which may not be standard or supported by an organization’s IT department. In other words, employees using a CSP for one application – which is approved by the IT department – also have access to other applications which may not have undergone an internal IT review, i.e., “Shadow IT.” With one unauthorized access, an unwitting employee may be putting sensitive data at risk – and the IT department might not even know about it.
Vendor lock-in presents a significant challenge for enterprises using multiple clouds. Each CSP encrypts data using its own specific encryption keys – and that is a problem for organizations looking to move from one CSP to another. Data can be transferred; encryption keys cannot. This leaves organizations with the difficult and time-consuming task of decrypting the data from the first CSP, moving it to the new CSP as plaintext, and then encrypting it again with the second CSP’s encryption scheme, a procedure that is cumbersome on a large scale and exposes the data to potential theft in the process. Moreover, the unique features offered by each CSP – which require customization – cannot be carried over when moving to a new CSP.
In other words, if your organization suddenly needs features from, for example, Azure that are not available on AWS – you’re stuck.
Forget moving data from one CSP to another; using data on multiple clouds can be an operational nightmare. CSPs’ vendor lock-in prevents interoperability between clouds.
Another operational nightmare exists specifically for the organization’s IT team. Each CSP maintains its own set of technical requirements, regulations, admin permissions, and more; each CSP is its own IT ecosystem. If your enterprise keeps keys on 2, 3, 4, or more clouds – chances are the IT department is already feeling the strain.
Organizations outsourcing data storage to CSPs also have little control over whether their data will be accessed by law enforcement agencies.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in March 2018, increased the risks for organizations storing data on the cloud. Under the CLOUD Act, any organization worldwide storing information on a cloud server run by a US-based company can be subject to a subpoena and/or warrant from the US government for information on its sensitive data stored on that cloud.
When encryption sits with the CSP, this puts that information that much closer to the public. While subpoenas may be justified in some cases, the CLOUD Act creates the possibility for a company to be subpoenaed without its knowledge – in the event the party filing the complaint files directly with the CSP without warning the end customer. 29,443 requests for information were submitted to Microsoft, Amazon, and Google in the first half of 2020 alone.
IT teams are at risk of insufficient due diligence when migrating data to the cloud, including not understanding the security provided by the CSP vs. the security the enterprise is expected to provide, and not understanding the risks of cloud migration.
It’s important for enterprises to remember that most cloud computing infrastructures do not provide security against untrusted cloud operators, and to consider whether to store sensitive data (e.g., financial and healthcare records) on such a system without additional security measures in place.
“Law Enforcement Requests Report – Microsoft CSR.” Microsoft, 2021, www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report.
“Amazon Information Request Report.” Amazon, Inc., 2021.
“Requests for User Information.” Google Transparency Report, Google, 2021, transparencyreport.google.com/user-data/overview?user_requests_report_period=authority%3AUS. Number cited here is only for user information requests regarding Enterprise Cloud customers.