Encryption on multi-tenant platforms - regulation?
I have a query regarding standards and regulations.
I have a scenario where data for a service provider will be housed on a private cloud, and this needs to be encrypted. One solution considered will only issue one key per service provider, so the data for all clients under that service provider will be encrypted with the same key.
Is there a standard or regulation that specifies that sensitive data for all clients must be partitioned and encrypted using individual keys? If so, what is the standard?
From experience, I'd say no. I know HIPAA, PCI, and other country-specific, government-enforced data protection frameworks, but have never seen encryption at rest as a must for tenant segregation. This is usually contractually agreed (client -> service provider), which means that each service provider would need to ensure that the private cloud they use to store their clients' data has the capability to encrypt data at rest. When the service provider is given one key for their space, though, they would further need to implement another layer of encryption in order to provide their clients with encryption at rest with different keys for each.
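The second layer described in the answer above, per-client keys sitting under the single key the platform issues, is usually built as envelope encryption: the platform key becomes a key-encryption key (KEK), each tenant gets its own data-encryption key (DEK) that is stored only wrapped under the KEK, and records are encrypted under the tenant DEK. The Go program below is an added example written for this thread, not code from the original post or from any platform mentioned in it. It assumes AES-256-GCM for both layers, a 256-bit KEK standing in for the one key the platform issues, and hypothetical names (Provider, AddTenant, Store, Read, ReadWithTenantKey, RevokeTenant). It demonstrates the two properties a client would actually want from per-tenant keys: one tenant's key cannot open another tenant's records, and dropping one tenant's wrapped DEK renders only that tenant's data unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustrative envelope encryption for a multi-tenant store (example code for
// this thread). The tenant id is bound into every AEAD call as associated
// data, so a blob cannot be quietly re-homed under another tenant's key.
type tenant struct {
	wrappedDEK []byte   // AES-256-GCM(KEK, DEK), nonce prepended; nil once revoked
	records    [][]byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

type Provider struct {
	kek     []byte // the single key the platform issued to this provider
	tenants map[string]*tenant
}

func NewProvider(kek []byte) *Provider {
	return &Provider{kek: kek, tenants: map[string]*tenant{}}
}

func aad(id string) []byte { return []byte("tenant:" + id) }

// seal encrypts with AES-256-GCM under key and prepends a fresh random nonce.
func seal(key, plaintext, ad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, ad), nil
}

// open reverses seal; a wrong key or wrong associated data fails authentication.
func open(key, blob, ad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], ad)
}

// AddTenant generates a fresh 256-bit DEK and keeps it only wrapped under the KEK.
func (p *Provider) AddTenant(id string) error {
	if _, exists := p.tenants[id]; exists {
		return fmt.Errorf("tenant %q already exists", id)
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	wrapped, err := seal(p.kek, dek, aad(id))
	if err != nil {
		return err
	}
	p.tenants[id] = &tenant{wrappedDEK: wrapped}
	return nil
}

// unwrapDEK recovers a tenant's DEK with the KEK; unknown or revoked tenants fail.
func (p *Provider) unwrapDEK(id string) ([]byte, error) {
	t, ok := p.tenants[id]
	if !ok || t.wrappedDEK == nil {
		return nil, fmt.Errorf("tenant %q unknown or revoked", id)
	}
	return open(p.kek, t.wrappedDEK, aad(id))
}

// Store encrypts a record under the tenant's own DEK, never under the KEK directly.
func (p *Provider) Store(id string, plaintext []byte) error {
	dek, err := p.unwrapDEK(id)
	if err != nil {
		return err
	}
	ct, err := seal(dek, plaintext, aad(id))
	if err != nil {
		return err
	}
	p.tenants[id].records = append(p.tenants[id].records, ct)
	return nil
}

// Read decrypts record i of tenant id with that tenant's own DEK.
func (p *Provider) Read(id string, i int) ([]byte, error) { return p.ReadWithTenantKey(id, id, i) }

// ReadWithTenantKey decrypts record i of `owner` using keyOwner's DEK. With
// keyOwner != owner it models an access-control slip; GCM authentication rejects it.
func (p *Provider) ReadWithTenantKey(keyOwner, owner string, i int) ([]byte, error) {
	dek, err := p.unwrapDEK(keyOwner)
	if err != nil {
		return nil, err
	}
	t, ok := p.tenants[owner]
	if !ok || i < 0 || i >= len(t.records) {
		return nil, fmt.Errorf("no record %d for tenant %q", i, owner)
	}
	return open(dek, t.records[i], aad(owner))
}

// RevokeTenant crypto-shreds one tenant: zeroing and dropping its wrapped DEK
// leaves its ciphertext (and any backups of it) permanently undecryptable while
// every other tenant, still under the same KEK, is unaffected.
func (p *Provider) RevokeTenant(id string) {
	if t, ok := p.tenants[id]; ok {
		for i := range t.wrappedDEK {
			t.wrappedDEK[i] = 0
		}
		t.wrappedDEK = nil
	}
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for the one key the platform issues
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	p := NewProvider(kek)
	for _, id := range []string{"acme", "globex"} {
		if err := p.AddTenant(id); err != nil {
			panic(err)
		}
		if err := p.Store(id, []byte(id+" invoice 1")); err != nil {
			panic(err)
		}
	}
	pt, _ := p.Read("acme", 0)
	fmt.Printf("acme reads own record: %q\n", pt)
	_, err := p.ReadWithTenantKey("globex", "acme", 0)
	fmt.Println("globex key on acme record:", err)
	p.RevokeTenant("acme")
	_, err = p.Read("acme", 0)
	fmt.Println("acme after revocation:", err)
	pt, _ = p.Read("globex", 0)
	fmt.Printf("globex still reads own record: %q\n", pt)
}
```

In a real deployment the KEK would not sit in process memory as it does here: the wrap and unwrap calls go to the platform's KMS or HSM, which is also where the provider gets per-tenant access logs and an audit trail for the contractual obligation the answer mentions. The point the example makes stands either way: the single platform key only ever protects wrapped DEKs, so a tenant's key material and records can be segregated, rotated and destroyed independently even though the platform issued one key.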