Taking a good enough approach with cloud security isn't enough
www.computerweekly.com
Thanks to cloud computing, organisations of all shapes and sizes have benefitted from the flexibility of IT capacity without the cost and challenges of maintaining their own infrastructure. Hyperscale public cloud providers and SaaS tools to help with a vast array of business processes have been a particular boon for small and fast-growing organisations, helping them spin up the kind of IT resource that just a few decades ago would have taken many months and significant financial cost to build and maintain themselves.

Using cloud computing effectively and safely, however, requires care. One of the big draws of cloud services is the ability to scale resources up and down as needed. Maybe there's a project starting for a few months that will require some data processing and analysis, or there are seasonal demands for services which need additional resource. The cloud allows businesses to meet these needs without having to pay to keep that spare capacity around. But the benefits of only paying for what's needed are only possible if the business keeps on top of where its data is stored, and in what tier, rather than falling into the trap of setting and forgetting.

The same applies to securing this data. Under most public cloud provider contracts there is a joint responsibility between the cloud provider and the customer for the security and availability of the stored data. This can vary widely depending on the type of service that has been procured, so it is important for all organisations to think carefully about which data is best stored where, and at what security level.

In practice this is easier said than done. Not every organisation has the technical knowledge in place to keep on top of configuring and managing its cloud services, no matter how critical they might be to keeping the organisation running. Others may think they have security through obscurity, being just one of many millions of public cloud customers, or because they've not experienced an attack yet, naïve as that may be.

Organisations may also be unclear on the details of the contracts they've signed: they are still legally responsible for the security of their own data, wherever it's stored. Public cloud providers may act to quarantine affected encryption keys if a breach is discovered, but if public cloud credentials are compromised and data is held for ransom, there's little providers are legally responsible for.

Recent attacks on cloud storage instances underscore the importance of getting this right. One cyber crime group, dubbed Codefinger, for example, has attacked at least two victims by stealing AWS customer account credentials and using the built-in encryption to lock down their data. This is made possible by the fact that many companies aren't regularly monitoring and auditing the encryption keys they have in place and revoking permissions for those that are no longer required.

There are also duplication and visibility challenges, with over half (53%) of organisations still having five or more key management systems in place, according to the 2024 Thales Data Threat Report. Encryption key management needs to be taken as seriously as all the other cybersecurity measures an organisation has in place.

Luckily, effective practices around the generation, storage and use of encryption keys have been clearly defined for some time. The strength of the keys chosen, for example, needs to align with the sensitivity of the data. Some applications may benefit from the use of RSA key pairs, so that third parties can authenticate with a public key, while the data remains encrypted with a private key.

Maintaining a separation of duties is also advisable, so that those creating and managing the keys do not also have access to the protected data. Dividing responsibilities in this way reduces the risk of a successful attack via social engineering or credential compromise, which could otherwise give threat actors full administrative access. Tracking and coordinating the use of encryption keys is also easier if they are stored in a secure vault with specific permissions, or if a hardware security module (HSM) is used to store the master keys. It's a good idea to limit the amount of data that can be encrypted with a single key, as well as to mandate a crypto period for every key, so that newly encrypted data can only be accessed with the new key version.

When you consider that an organisation may have millions of keys and operations taking place that need managing across multiple environments, and for structured and unstructured data alike, having a centralised system is the best way to apply these practices consistently and rigorously. There are also increasing numbers of regulations and standards around the world that mandate strict control over encryption keys, so these practices are no longer just a nice-to-have; they are in fact the table stakes for doing business.

The value of having IT resources available anytime, anywhere via the cloud has been immeasurable for modern business, but in the race to take advantage of these services, businesses must not forget that the legal liability for the security of their data remains with them.

Rob Elliss is EMEA vice president, data and application security at Thales.
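The two key-management controls described above, a crypto period for every key and a cap on how much data one key may encrypt, are easy to state and easy to get wrong in practice, so here is an added worked example of how a key ring can enforce both. This is illustrative code written for this page, not code from Thales or from any key management product: it keeps versioned AES-256-GCM keys in memory (a real deployment would hold them in a vault or HSM), prefixes every ciphertext with the key version that produced it, rotates automatically when the crypto period elapses or the byte cap would be exceeded, and lets an old version be retired so data still encrypted under it becomes unreadable. The clock is injectable so the crypto period can be exercised without waiting; the record and object names in `main` are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"time"
)

// KeyVersion is one generation of a data-encryption key held by the ring.
type KeyVersion struct {
	ID        uint32
	Key       []byte // 32-byte AES-256 key, generated in memory for this example
	Created   time.Time
	BytesUsed int64 // plaintext bytes encrypted under this version so far
}

// KeyRing keeps every version still needed to decrypt, but only the newest
// version encrypts. Retiring a version makes data under it unreadable.
type KeyRing struct {
	versions     map[uint32]*KeyVersion
	current      uint32
	cryptoPeriod time.Duration    // how long one version may encrypt new data
	maxBytes     int64            // cap on plaintext bytes per version
	now          func() time.Time // injectable clock so rotation is testable
}

const headerLen = 4 // big-endian version ID prefixed to every ciphertext

// NewKeyRing creates a ring with a single active version.
func NewKeyRing(cryptoPeriod time.Duration, maxBytes int64, now func() time.Time) (*KeyRing, error) {
	r := &KeyRing{versions: map[uint32]*KeyVersion{}, cryptoPeriod: cryptoPeriod, maxBytes: maxBytes, now: now}
	if err := r.Rotate(); err != nil {
		return nil, err
	}
	return r, nil
}

// Rotate generates a fresh key and makes it the only version that encrypts.
func (r *KeyRing) Rotate() error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	r.current++
	r.versions[r.current] = &KeyVersion{ID: r.current, Key: key, Created: r.now()}
	return nil
}

// CurrentVersion reports which version the next Encrypt would use.
func (r *KeyRing) CurrentVersion() uint32 { return r.current }

// Retire destroys an old version. Data still encrypted under it can no longer
// be opened, which is why rotation has to be paired with re-encryption.
func (r *KeyRing) Retire(id uint32) error {
	if id == r.current {
		return errors.New("cannot retire the active key version")
	}
	if _, ok := r.versions[id]; !ok {
		return fmt.Errorf("unknown key version %d", id)
	}
	delete(r.versions, id)
	return nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt rotates first if the active version's crypto period has elapsed or
// the byte cap would be exceeded, then returns version || nonce || ciphertext.
// The version header is fed into the AAD so it cannot be swapped to point at
// a different key without failing authentication.
func (r *KeyRing) Encrypt(plaintext, aad []byte) ([]byte, error) {
	cur := r.versions[r.current]
	if r.now().Sub(cur.Created) >= r.cryptoPeriod || cur.BytesUsed+int64(len(plaintext)) > r.maxBytes {
		if err := r.Rotate(); err != nil {
			return nil, err
		}
		cur = r.versions[r.current]
	}
	aead, err := newAEAD(cur.Key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, headerLen, headerLen+aead.NonceSize()+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint32(out, cur.ID)
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out = append(out, nonce...)
	out = aead.Seal(out, nonce, plaintext, append(out[:headerLen:headerLen], aad...))
	cur.BytesUsed += int64(len(plaintext))
	return out, nil
}

// VersionOf reads the key version a ciphertext was produced under.
func VersionOf(blob []byte) (uint32, error) {
	if len(blob) < headerLen {
		return 0, errors.New("ciphertext too short")
	}
	return binary.BigEndian.Uint32(blob[:headerLen]), nil
}

// Decrypt looks up the version named in the header; a retired version fails.
func (r *KeyRing) Decrypt(blob, aad []byte) ([]byte, error) {
	id, err := VersionOf(blob)
	if err != nil {
		return nil, err
	}
	kv, ok := r.versions[id]
	if !ok {
		return nil, fmt.Errorf("key version %d is unknown or retired", id)
	}
	aead, err := newAEAD(kv.Key)
	if err != nil {
		return nil, err
	}
	if len(blob) < headerLen+aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce := blob[headerLen : headerLen+aead.NonceSize()]
	return aead.Open(nil, nonce, blob[headerLen+aead.NonceSize():], append(blob[:headerLen:headerLen], aad...))
}

func main() {
	// Constructed sample: 90-day crypto period, 1 GiB of plaintext per key version.
	ring, err := NewKeyRing(90*24*time.Hour, 1<<30, time.Now)
	if err != nil {
		panic(err)
	}
	blob, _ := ring.Encrypt([]byte("constructed sample record"), []byte("customer/42"))
	v, _ := VersionOf(blob)
	pt, err := ring.Decrypt(blob, []byte("customer/42"))
	fmt.Printf("version=%d plaintext=%q err=%v\n", v, pt, err)
}
```

Binding the object name as AAD means a ciphertext copied from one object to another will not open, and retaining old versions only until their data has been re-encrypted is what makes the crypto period meaningful: rotation alone does nothing for data that is never re-wrapped.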