nCrypted Cloud
Is older than any of the wrappers mentioned in this article. Odd it wasn't included.
Like it or not, collaboration and file-sharing services like Dropbox have become embedded in corporate IT. What started as personal technology has increasingly become the alternative to everything from moving files using USB to sharing docs via email or an internal wiki. But we live in an age of hackers and hacking, spies and …
Lots of other countries in the world. Many that give negative fucks about fines. For that matter, plenty of executives don't give fucks about fines. You're IT. Make it work. You don't get to dictate to executives, etc.
Sysadmins aren't the iron rulers of their little fiefdoms anymore. They're digital janitors. Best invest in industrial cleaning products.
This is charmingly combative of both parties but perhaps a little OT?
You're right about (strong) encryption needing to be transparent (and it should be a lot easier than it is).
It's long past time internet protocols took the good will of any node they link to for granted and the net stopped being a happy hunting ground for TLAs and black hats.
Key management - that's the hard part. Part of the extra security of encrypting cloud data is not putting the keys on the cloud.
The Cloud is another word for someone else's computer. Unless you encrypt data before uploading it to cloud storage, you run an unacceptable risk of having it stolen.
Local encryption, done before uploading to the cloud, is available through a wide variety of apps, as mentioned in the article. VeraCrypt http://veracrypt.org works with Microsoft's OneDrive, while SyncDocs https://syncdocs.com encrypts Google Drive.
Keeping keys local enhances security, but makes it more difficult to use. Solving the KMS problem will lead to a pot of gold.
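The "encrypt before upload, keep the keys off the cloud" pattern the two comments above describe is usually built as envelope encryption: a random per-file data key encrypts the file, and that data key is wrapped with a key-encryption key (KEK) that never leaves the local machine. The following is an added example, not code from the article or from any of the products named in it; the blob layout, the function names (`Encrypt`, `Decrypt`, `Rewrap`) and the sample file contents are all constructed for illustration. It uses only the Go standard library (AES-256-GCM), and also shows the rotation step: replacing the KEK re-wraps the small data key and leaves the uploaded ciphertext untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudBlob is everything that leaves the machine. It never contains the KEK,
// so the provider (or whoever steals the bucket) holds only ciphertext.
type CloudBlob struct {
	Name       string // plaintext object name, bound to both ciphertexts as AAD
	WrappedDEK []byte // per-file data key, AES-256-GCM under the KEK (nonce || ct || tag)
	Ciphertext []byte // file contents, AES-256-GCM under the DEK (nonce || ct || tag)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; output is nonce || ciphertext+tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any bit flip in nonce, ciphertext, tag or AAD makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt builds the upload blob: random DEK for the data, DEK wrapped under the local KEK.
func Encrypt(kek []byte, name string, data []byte) (*CloudBlob, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, data, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return nil, err
	}
	return &CloudBlob{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the local KEK; without it the blob is opaque.
func Decrypt(kek []byte, b *CloudBlob) ([]byte, error) {
	dek, err := open(kek, b.WrappedDEK, []byte(b.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, b.Ciphertext, []byte(b.Name))
}

// Rewrap rotates the KEK: only the 32-byte DEK is re-encrypted, the file ciphertext is not.
func Rewrap(oldKEK, newKEK []byte, b *CloudBlob) error {
	dek, err := open(oldKEK, b.WrappedDEK, []byte(b.Name))
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, []byte(b.Name))
	if err != nil {
		return err
	}
	b.WrappedDEK = wrapped
	return nil
}

func main() {
	// Constructed example: in practice the KEK comes from a local secret store or hardware token.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	blob, err := Encrypt(kek, "q3-forecast.xlsx", []byte("constructed sample file contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %q: %d ciphertext bytes, %d wrapped-key bytes, KEK stays local\n",
		blob.Name, len(blob.Ciphertext), len(blob.WrappedDEK))
}
```

Binding the object name as AAD means a blob copied or renamed on the provider side fails to decrypt rather than silently returning another file's contents. The operational problem the thread keeps coming back to is untouched by this code: the KEK still has to live somewhere local, and that is the "keys to the keys" question.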
Re: If so where do we store the keys to the keys?
In the grey matter of the wetware!
Ultimately, after you've stored the operational keys on the FIPS-140-2 flash drive and written the key to that on a piece of paper and placed that in an envelope in the safe etc. etc., someone is going to have to remember that the key to the keys is in the top drawer of the CTO's desk...
Microsoft has an enterprise licensing management system they call KMS. Microsoft's KMS is a license management service for Microsoft products; it's not a key management product.
The product you want is called Active Directory Certificate Services. Active Directory Certificate Services (AD CS) is an Identity and Access Control security technology that provides customisable services for creating and managing public key certificates used in software security systems that employ public key technologies. Phew...
Are we not distributing public keys (for everything, crypto and authentication) over DNSSEC?
It's not as if this is a new problem - is it?
Key rotation and replacement becomes a simple job for the person receiving the data - distribution is handled automatically.
Have a reverse lookup of the key with a flag to indicate key revocation before the expiry date.