Increasingly, individuals and organizations are using cloud-based systems for data storage, even for sensitive data. For the most part, cloud data storage systems are operated by large corporations with good reputations that rely on best practices to ensure the security of their clients' data. Unfortunately, as demonstrated by some widely-reported leaks of sensitive data stored in cloud services, even the best practices may not adequately protect sensitive data.
Data stored in cloud services is often vulnerable at a number of points. Access to the user's cloud service account may be accessible to anyone who can obtain or guess the username and password for the account. Data may be transmitted unencrypted or with only weak encryption in either direction between the user and cloud service. System administrators or data backup services employed by the cloud service may be able to access and transmit user data to unauthorized recipients. And, while the cloud service may store user data in encrypted form, the cryptographic key needed to decrypt the data may be still accessible to system administrators of the cloud service.
Since most security practices used by cloud services typically remain confidential, users may have only the reputation of the cloud service to assure them that proper security measures have been implemented. Some large organizations try to ensure that their sensitive data is being adequately protected by operating their own cloud storage service. Even so, these organizations still rely on the competence and integrity of the system administrators they employ to ensure that data security policies are properly implemented.
Even when users protect their account with strong passwords kept inaccessible to others, their data is securely encrypted as it is transmitted to and from the cloud service, and the cloud service has implemented best data security practices, the cloud service may still be obligated to release sensitive data when legally required by government. Implementing these measures may also be inconvenient for users, requiring them to provide authentication credentials each time they accesses cloud-based applications. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for managing encryption keys for single-sign-on applications.