Skip to main content

How to take charge of data encryption in the cloud era

(Image credit: Image Credit: Yuri Samoilov / Flickr)

Gradually but surely, cloud infrastructure and services are penetrating deeper into the corporate IT environment. Cloud computing is changing everything from how businesses operate, to how they connect, to how they develop and deliver software and services.

As organisations increase the amount of off-premise IT infrastructure they use, maintaining a high level of security and control over digital assets in the cloud becomes critical.

Security has been a key concern hindering the cloud migration trend in recent years. According to a 2017 cloud security survey conducted by Crowd Research Partners, security topped the list of cloud inhibitors, with 33 per cent of respondents marking security risks as one of the biggest barriers to cloud adoption in their organisations.

And while cloud security has many facets, one of the largest, most visible issues is the security and privacy of sensitive data. A range of highly publicised data leaks in recent years have resulted in financial loss, legal repercussions, resignation of top executives and damaged brand reputation. These events serve as an ongoing reminder of the importance of data security in the cloud.

Keeping secrets safe in the cloud

Without underestimating the significance of security, enforcing it on any data that reaches the cloud likely isn’t a practical or prudent goal for the typical cloud-minded organisation.

To implement cloud data security in an effective manner, the first step businesses should take is to assess what secrets are kept there that need protection. Secrets are essentially any data that if exposed would cause harm to the business.

Each organisation may own different types of secrets with various levels of sensitivity, including:

  • Sensitive Security Information (SSI) – Confidential business materials such as internal research and development documents or IT vulnerability assessment reports
  • Personally Identifiable Information (PII) – Any information that pertains to an individual, including names, addresses and social security numbers.
  • IT Systems Security Information – The information that makes up the technology infrastructure of a company, such as encryption keys, certificates, passwords, and cloud service access credentials.

Once the “what to protect” has been defined, the next step is “how to protect.” Among the tools and techniques available, encryption plays a vital role as a fundamental data security enabler.

Encryption has been used in IT for years to securely transmit sensitive information and store it in untrusted environments. Today, it is a mature technology with widely used, field-proven algorithms and methods. However, the implementation of encryption in the cloud does raise new challenges. It’s critical for organisations to be aware of potential security weaknesses that put their data at risk.

The main encryption pitfalls

Repeating the old adage – security is only as strong as its weakest link. When it comes to protecting their data in the cloud, it’s essential that organisations address weak links in their encryption schemes to prevent breaches with potentially devastating consequences.

Following are some classic encryption pitfalls that businesses should avoid:

Not encrypting data in transit: If data is left unencrypted while in transit at any point, anyone could intercept and steal it. In transit can be between the cloud and a company’s on-premises data center or user devices, or between two separate clouds. It can also be within the cloud environment, for example in communication between two applications running on different servers.

Not encrypting data at rest: If data is not encrypted at rest, hackers could compromise it by gaining access to the storage. Examples of data leaks resulting from unprotected storage abound. One recent case was with Booz-Allen Hamilton, who left over 60,000 U.S. defense files including highly sensitive data, exposed on a publicly accessible Amazon cloud server.

Not protecting the encryption keys: One of the fundamental mistakes organisations make with encryption is leaving out protection of the keys. Encrypting data without proper key protection is like locking money in a safe and leaving the key on the counter for anyone to take. Even worse is insufficient protection of master keys, which can grant access to all of a company’s encryption keys in the cloud. In the Accenture data breach discovered in late 2017, for example, an unsecured Amazon Web Services (AWS) storage bucket revealed the company’s master access key for their account with AWS’ Key Management Service, potentially exposing all the keys managed in that service.

Time for change

What should organisations do to solve these encryption challenges to ensure their security strategy can withstand modern-day threats? It starts with the basics: setting access controls to enforce authorised, authenticated access to cloud resources, and implementing encryption to protect sensitive data at all stages. Secure data communication technologies such as IPSec and TLS ensure that data cannot be stolen while in transit. To protect data at rest organisations should determine their encryption implementation, possibly including a mix of file, disk, database, and application-level encryption, based on where the data resides.

It’s also essential that IT focuses on protection and management of encryption keys. Traditional key protection methods, designed for use in enterprise networks, use physical hardware security modules (HSMs) to tightly control access to keys. With cloud adoption growing, several alternative key protection solutions are evolving to conform with the elastic software-defined environment of the cloud, with varied levels of control and usability:

  • Cloud service providers commonly offer native key management services that are integrated with their other native services, for instance database and storage, to enable data encryption in those 
  • Some also offer Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) options, which give businesses some additional control by allowing them to export private keys from an on-premises HSM to the native cloud service (in the former case) or perform all cryptographic operations in the on-premises HSM (in the latter).
  • Cloud HSM services allow companies to use private partitions of a cloud-managed HSM for data encryption and other cryptographic uses by their applications running on the cloud platform.
  • There are new software-based approaches that give businesses sole control of cryptographic keys used in cloud infrastructure and applications. For example, secure multi-party computation can be used to enable secure use of keys in the cloud without the key material ever being exposed.

Looking to the future

Traditional IT boundaries are a thing of the past and cloud computing is here to stay. The more organisations move sensitive and high-value data to the cloud, the more cloud services will become lucrative targets for attackers. This in turn will likely drive attackers to carry out more sophisticated hacks on cloud IaaS and SaaS, with increasingly damaging results. Organisations must be proactive about tracking their secrets everywhere and applying proper security, with encryption as a foundational element.

Hybrid cloud infrastructure is also part of the new business reality. Most organisations will use a combination of on-premise with multiple cloud workloads on different public or private clouds. To be both agile and secure, it will be critical for companies to have full control of their encryption keys with centralised key management, and consistent security policies that they can adapt and enforce across any hybrid cloud deployment.

As companies continue to enhance their encryption strategies, they must consider crypto-agility, which enables businesses to quickly upgrade data protection when needed. Any time vulnerabilities are exposed in deployed cryptographic keys and algorithms, or new cryptographic schemes and use cases arise, such as blockchain, changes will need to be made. It is also critical for organisations to be able to react to future threats to encryption such as quantum computing. With the rapid technological shifts taking place in digital IT, organisations should keep crypto-agility top of mind to respond effectively to new risks and maintain data safety as they evolve their businesses.

In the modern era, there is no such thing as future-proof IT, but with the right mindset, security professionals can continue to evolve their strategies to ensure that no matter where data goes next, they are one step ahead.

Oz Mishli, VP of Products at Unbound
Image Credit: Yuri Samoilov / Flickr

Oz Mishli, VP of Products at Unbound, is a cybersecurity expert, specialising in malware research and fraud prevention. He’s held both business and tech roles in the industry.