One of the very fundamental challenges that must be addressed when considering public cloud services is data confidentiality. Organizations need to be confident that only authorized users have access to data when in transit, at rest, and in use. This is where data encryption comes to the rescue.
While encryption of data in transit is commonly available from public cloud service providers through use of https or SSL internet protocol connectivity, encryption is often non-existent while data is held in storage (at rest). This is one place where data remains vulnerable to various threat sources. Unencrypted virtual disk volumes outside an organization's security control can easily be mounted to gain access to the data.
So, what encryption tools can organizations practically employ to protect data in the public cloud?
Well, for small scale use of IaaS (Infrastructure as a service) cloud service model, the whole virtual disk volume can be encrypted to protect data at rest by employing well known encryption tools such as Truecrypt or MS BitLocker - on Windows 7/2008 OS. Other operating systems such as Linux, UNIX are equipped with disk encryption capabilities as well to protect storage volumes. This capability is also available from cloud providers such as Amazon S3 storage .
As the virtual disk is encrypted prior to data transfer to the public cloud, the customer is in full control of the encryption key. This prevents unauthorized data access to the disk volume while being hosted in the cloud.
Key management however can get more challenging as you scale up with IaaS, especially if different encryption tools are being used. In addition, poor security implementation by vendors in SaaS (Software as a service)/PaaS (Platform as a service) cloud service models often leads to many customers sharing single unencrypted database storage.
Figure A: SaaS customers sharing single database instance (Image source: NIST Cloud computing synopsis - Draft-NIST-SP800-146)
And there is another issue: Even if the database is encrypted in a SaaS cloud, the encryption key resides with the service provider. A malicious insider with access to the encryption key can decrypt the data, making away with it without the customer's knowledge.
So how can you deploy encryption and avoid the key management pain at the same time?
Encryption cloud formation
There is indeed a silver lining appearing in the cloud horizon in the form of several new innovative products and services emerging to simplify data encryption. These solutions truly ease the pain of encryption key management and put customers in control of their data security, most critically when adopting public cloud services. Let's take a look at a number of available options as categorized below. This is not an exhaustive list of cloud data encryption solutions but just a few examples of what is available to use.
Cloud-based encryption services
Just like managed security service subscription for antivirus, anti-spam and DDoS protections, data encryption is now available as services from a number of cloud vendors - Security as a Service (aka SecaaS). Data is stored with a cloud service provider while encryption service is provisioned through another service provider, fulfilling separation of duty security requirement. There are solutions available for protecting data in SaaS, PaaS or IaaS public cloud service models.
On-premise cloud security gateways
This category of data encryption solutions works like a web proxy for public cloud applications such as SaaS. There are also solutions available for PaaS and IaaS. Unlike managed service cloud encryption solutions, cloud security gateways allow organizations to encrypt or tokenize their sensitive data before transmission to a public cloud. This has the benefit of meeting data residency security and regulatory requirement, keeping control of data encryption and key management in-house.
The upshot is that both existing and emerging innovative encryption tools lower the security barrier for businesses to adopt public cloud and ultimately give organizations the power tools to retain control of their data security.
Organizations in their role as data custodians with accountability for data privacy and security must demand the right level of protection from their cloud service providers. Security by obscurity is not an option.
Data encryption and it's ecosystem (choice of algorithm, key length and key security management) -- if correctly implemented and integrated with complimentary identity management systems such as BeyondTrust or Symplified plays the starring role in keeping data confidential, not only for in-house networks but also in the public cloud, mitigating risk of data loss from both external and insider threat sources like malicious attackers, potential rogue service provider administrators, or even the mischievous cloud co-tenants.
Tajudeen (Taj) Abubakr (CISSP, CISM, CISA, SABSA) is a certified information security manager with broad consulting experience in Security programmes delivery management, cloud computing, enterprise IS governance, risk & compliance (GRC). He is currently employed as Information security specialist for a global financial services organization in the UK.