
Who Really Holds the Keys? Cloud Encryption, Risk Appetite and Why It Matters

Updated: 3 days ago

Hello again!



I’m writing to share a recent development that has quietly reignited an important conversation about cloud security, encryption, and something we don’t talk about enough: who actually controls your data in practice.


This isn’t a “cloud is bad” piece, and it’s certainly not panic-inducing. But it is a timely reminder that your risk appetite and the sensitivity of your information should directly influence how much control you retain over encryption keys.



What has happened

In January, reporting revealed that Microsoft provided law enforcement with the ability to access BitLocker-encrypted data as part of a lawful investigation.


The key detail here is not the investigation itself, as lawful access requests are not new; it is how access was enabled, and how that affects you.


In scenarios where Microsoft (or Amazon, Google or anyone else) manages the encryption keys, they are technically able to provide access to encrypted data when legally compelled.


That’s not a breach, a backdoor, or a secret conspiracy; it’s simply the reality of cloud-managed encryption, and it's written in the small print when you subscribe, so go and take a look.


If a provider holds the keys, they can be required to use them.


Why this matters more than people think

For many organisations, this is absolutely fine.


If you are processing low-sensitivity data, or your regulatory obligations explicitly allow for provider-managed encryption, the risk is often acceptable. Cloud platforms are still incredibly secure, well-engineered, and far safer than most on-prem alternatives.


However, for organisations handling:

  • Highly sensitive personal data

  • Regulated datasets

  • Intellectual property

  • Commercially confidential material

  • Data that could cause real harm if disclosed


…this becomes a risk decision.


Encryption only truly protects data from third parties if the organisation, and not the provider, controls the keys.


The difference between encryption and control

This is the subtle but critical point.


There is a world of difference between:

“our data is encrypted” and “we decide who can decrypt it”


Provider-managed keys are convenient, scalable, and perfectly adequate for many use cases, but there are times when convenience is outweighed by confidentiality concerns.


Customer-managed keys shift that balance.

When you manage your own keys:


  • The provider cannot independently decrypt your data

  • Access requests become your decision point

  • Legal demands are routed through you, not silently executed

  • The security boundary moves closer to your organisation
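The shift described above, as an added illustration that is not part of the original post: envelope encryption where the provider stores only ciphertext and wrapped data keys, so that only the model in which the provider also holds the key-encryption key (KEK) lets it hand over plaintext when compelled. It assumes a customer-managed KEK that genuinely lives outside the provider (for example an external HSM or key store); the stream cipher is an HMAC-SHA256 keystream standing in for AES-GCM so the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher built from an HMAC-SHA256 keystream.
    Stand-in for AES-GCM so the example needs only the stdlib; not for production."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class Provider:
    """Cloud side (constructed): stores ciphertext and wrapped DEKs for everyone, KEKs only for provider-managed tenants."""
    def __init__(self):
        self.objects = {}       # name -> (nonce, wrapped_dek, ciphertext)
        self.managed_keks = {}  # tenant -> KEK; absent when the customer manages keys
    def lawful_access(self, tenant, name):
        """What a compelled provider can disclose: plaintext only if it holds the KEK."""
        nonce, wrapped_dek, ct = self.objects[name]
        kek = self.managed_keks.get(tenant)
        if kek is None:
            return None  # only ciphertext + wrapped DEK exist here; the request lands on the customer
        dek = keystream_xor(kek, b"wrap" + nonce, wrapped_dek)
        return keystream_xor(dek, nonce, ct)

def encrypt_and_store(provider, name, plaintext, kek):
    """Envelope encryption: fresh per-object DEK, wrapped under the tenant's KEK."""
    dek, nonce = os.urandom(32), os.urandom(12)
    wrapped_dek = keystream_xor(kek, b"wrap" + nonce, dek)
    provider.objects[name] = (nonce, wrapped_dek, keystream_xor(dek, nonce, plaintext))

def customer_decrypt(provider, name, kek):
    """Customer-side read: unwrap the DEK with the customer-held KEK, then decrypt."""
    nonce, wrapped_dek, ct = provider.objects[name]
    return keystream_xor(keystream_xor(kek, b"wrap" + nonce, wrapped_dek), nonce, ct)

def demo():
    """Both key models side by side; constructed sample data."""
    provider = Provider()
    pm_kek, cm_kek = os.urandom(32), os.urandom(32)
    provider.managed_keks["tenant-pm"] = pm_kek  # provider-managed: KEK lives with the provider
    encrypt_and_store(provider, "pm/payroll.csv", b"payroll Q1 (constructed)", pm_kek)
    encrypt_and_store(provider, "cm/payroll.csv", b"payroll Q1 (constructed)", cm_kek)
    return {
        "provider_managed": provider.lawful_access("tenant-pm", "pm/payroll.csv"),
        "customer_managed": provider.lawful_access("tenant-cm", "cm/payroll.csv"),
        "customer_read": customer_decrypt(provider, "cm/payroll.csv", cm_kek),
    }
```

Running `demo()` returns plaintext for the provider-managed tenant, `None` for the customer-managed one, and the customer's own successful read of the same object.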


How this may affect you

You may want to consider customer-managed keys if:


  • Your data classification is high

  • Your regulatory environment is strict or ambiguous

  • You operate in healthcare, defence, legal, or financial services

  • You have contractual commitments around data access

  • You need demonstrable control over confidentiality


Equally, if your data is low-risk, short-lived, or already public-facing, the operational overhead of key management may outweigh the benefit. That’s a valid decision to come to.


Kafico’s position and recommended approach

We don’t believe in blanket rules or one-size-fits-all advice. This is about alignment between risk appetite, data sensitivity, and technical design.


Our recommended approach is simple:


Classify your information properly

If everything is marked “confidential”, nothing really is. Clear classification drives sensible decisions about encryption, access, and key ownership. Talk to us about what this means in practice and how to adopt it in a pragmatic way.


Match key management to risk

Low-risk data can live happily with provider-managed keys. High-risk data deserves higher assurance and tighter control.


Understand your legal exposure

Ask where lawful access requests land. With the provider? Or with you?


Design for governance, not fear

This isn’t about hiding from regulators or law enforcement; it’s about ensuring that access to sensitive data is deliberate, controlled and explainable to stakeholders.


What happens next

Kafico will continue to monitor developments in cloud encryption, lawful access, and key management models. As vendors evolve their offerings and guidance, we’ll translate what actually matters into plain English.


If you’d like us to review your current encryption model, data classification scheme, cloud risk posture, or check whether customer-managed keys are worth the effort for your organisation - give me a shout!


Jeff Pullen, CISSP, CCSP

Information Security Consultant

Kafico
