
Protect data in the public cloud with encryption tools

Tajudeen Abubakr looks at both existing and emerging data encryption tools which can help protect data in the public cloud.

One of the fundamental challenges that must be addressed when considering public cloud services is data confidentiality. Organizations need to be confident that only authorized users have access to data in transit, at rest, and in use. This is where data encryption comes to the rescue.

Encryption tools

While encryption of data in transit is commonly available from public cloud service providers through HTTPS (SSL/TLS) connections, encryption is often non-existent while data is held in storage (at rest). This is one place where data remains vulnerable to various threat sources. Unencrypted virtual disk volumes outside an organization's security control can easily be mounted to gain access to the data.

So, what encryption tools can organizations practically employ to protect data in the public cloud?

Well, for small-scale use of the IaaS (Infrastructure as a Service) cloud service model, the whole virtual disk volume can be encrypted to protect data at rest by employing well-known encryption tools such as TrueCrypt or Microsoft BitLocker (on Windows 7/2008). Other operating systems such as Linux and UNIX are equipped with disk encryption capabilities as well to protect storage volumes. This capability is also available from cloud providers, for example for Amazon S3 storage.

As the virtual disk is encrypted prior to data transfer to the public cloud, the customer is in full control of the encryption key. This prevents unauthorized data access to the disk volume while being hosted in the cloud.
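As an added example, not code from the article or from any of the products it names, the following Go program shows client-side encryption of a volume image before upload: the customer generates and keeps the AES-256 key, the provider stores only the sealed blob, and a party holding a different key, or anyone who tampers with the stored object, is rejected by the GCM authentication tag. The CloudStore type is a constructed stand-in for the provider's object storage, and the sample image contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyLen is 32 bytes, i.e. AES-256.
const KeyLen = 32

// GenerateKey creates the customer-held data key. It is generated and kept
// on-premise; only ciphertext ever leaves the organization.
func GenerateKey() ([]byte, error) {
	key := make([]byte, KeyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a volume image (or any blob) with AES-256-GCM and returns
// nonce || ciphertext || tag. A fresh random nonce per call means two uploads
// of the same image are not linkable by the provider.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and authenticates a blob produced by Seal. A different key or
// any modification of the stored object makes the GCM tag check fail.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// CloudStore is a constructed stand-in for the provider's object storage, not
// a real API. It only ever receives what Seal produced.
type CloudStore map[string][]byte

// LeaksPlaintext reports whether any stored object contains the plaintext
// verbatim; with client-side encryption it must be false.
func (s CloudStore) LeaksPlaintext(plaintext []byte) bool {
	for _, obj := range s {
		if bytes.Contains(obj, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := GenerateKey()
	image := []byte("constructed sample: contents of a virtual disk volume")
	blob, _ := Seal(key, image)

	cloud := CloudStore{"vol-0001.img": blob} // the uploaded object
	fmt.Println("provider can see plaintext:", cloud.LeaksPlaintext(image))

	back, err := Open(key, cloud["vol-0001.img"])
	fmt.Println("customer restore:", string(back), err)

	otherKey, _ := GenerateKey() // a party without the customer's key
	_, err = Open(otherKey, cloud["vol-0001.img"])
	fmt.Println("decrypt without the key:", err)
}
```

This is the property the text calls keeping the key in the customer's control: an administrator who can read the whole object store still has nothing to decrypt it with. The flip side is that losing the key loses the volume, so key backup and rotation are also the customer's responsibility.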

Key management, however, can get more challenging as you scale up with IaaS, especially if different encryption tools are being used. In addition, poor security implementation by vendors in the SaaS (Software as a Service) and PaaS (Platform as a Service) cloud service models often leads to many customers sharing a single unencrypted database.

Figure A: SaaS customers sharing single database instance (Image source: NIST Cloud computing synopsis - Draft-NIST-SP800-146)

And there is another issue: Even if the database is encrypted in a SaaS cloud, the encryption key resides with the service provider. A malicious insider with access to the encryption key can decrypt the data, making away with it without the customer's knowledge.

So how can you deploy encryption and avoid the key management pain at the same time?

Encryption cloud formation

There is indeed a silver lining appearing on the cloud horizon in the form of several new innovative products and services emerging to simplify data encryption. These solutions truly ease the pain of encryption key management and put customers in control of their data security, most critically when adopting public cloud services. Let's take a look at a number of available options, categorized below. This is not an exhaustive list of cloud data encryption solutions, just a few examples of what is available to use.

Cloud-based encryption services

Just like managed security service subscriptions for antivirus, anti-spam and DDoS protection, data encryption is now available as a service from a number of cloud vendors (Security as a Service, or SecaaS). Data is stored with one cloud service provider while the encryption service is provisioned through another, fulfilling the separation-of-duties security requirement. There are solutions available for protecting data in the SaaS, PaaS and IaaS public cloud service models.

Examples of such products include EnStratus, Trend Micro, Porticor and Credant.

On-premise cloud security gateways

This category of data encryption solution works like a web proxy for public cloud applications such as SaaS; there are also solutions available for PaaS and IaaS. Unlike managed-service cloud encryption solutions, cloud security gateways allow organizations to encrypt or tokenize their sensitive data before transmission to a public cloud. This has the benefit of meeting data residency security and regulatory requirements while keeping control of data encryption and key management in-house.

Examples of such products include Navajo VPS, CipherCloud, SafeNet, Voltage Security and PerspecSys.
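The encrypt-or-tokenize-before-transmission step described above, as an added example in Go that is not any vendor's gateway code: a constructed Gateway type replaces configured JSON fields with random tokens on the way to the SaaS application and restores them on the way back, while the vault that maps tokens to values never leaves the premises. The field names and the sample record are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Gateway is a constructed model of an on-premise cloud security gateway, not
// any vendor's product. It proxies records bound for a SaaS application and
// swaps sensitive fields for opaque tokens; the vault mapping tokens back to
// values stays on-premise, so the provider only ever stores tokens.
type Gateway struct {
	sensitive map[string]bool   // JSON field names that must not leave the premises
	vault     map[string]string // token -> original value
	reverse   map[string]string // original value -> token (same value, same token)
}

// NewGateway configures which fields are tokenized.
func NewGateway(fields ...string) *Gateway {
	g := &Gateway{
		sensitive: map[string]bool{},
		vault:     map[string]string{},
		reverse:   map[string]string{},
	}
	for _, f := range fields {
		g.sensitive[f] = true
	}
	return g
}

// newToken draws 96 random bits; a token carries no information about its value.
func (g *Gateway) newToken() (string, error) {
	b := make([]byte, 12)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return "", err
	}
	return "tok_" + hex.EncodeToString(b), nil
}

// Outbound tokenizes a JSON record before it is forwarded to the cloud app.
// Non-sensitive fields pass through unchanged so the app can still use them.
func (g *Gateway) Outbound(record []byte) ([]byte, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(record, &m); err != nil {
		return nil, err
	}
	for field := range g.sensitive {
		value, ok := m[field].(string)
		if !ok {
			continue // field absent or not a string: nothing to replace
		}
		tok, seen := g.reverse[value]
		if !seen {
			var err error
			if tok, err = g.newToken(); err != nil {
				return nil, err
			}
			g.vault[tok] = value
			g.reverse[value] = tok
		}
		m[field] = tok
	}
	return json.Marshal(m)
}

// Inbound restores original values in a record coming back from the cloud
// app. A token the vault does not know is rejected rather than passed through.
func (g *Gateway) Inbound(record []byte) ([]byte, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(record, &m); err != nil {
		return nil, err
	}
	for field := range g.sensitive {
		tok, ok := m[field].(string)
		if !ok {
			continue
		}
		value, known := g.vault[tok]
		if !known {
			return nil, errors.New("unknown token in field " + field)
		}
		m[field] = value
	}
	return json.Marshal(m)
}

func main() {
	gw := NewGateway("ssn", "email")
	// Constructed sample record; not a real person.
	in := []byte(`{"name":"Ada","ssn":"123-45-6789","email":"ada@example.test"}`)
	toCloud, _ := gw.Outbound(in)
	fmt.Println("stored at the SaaS provider:", string(toCloud))
	back, _ := gw.Inbound(toCloud)
	fmt.Println("restored on-premise:        ", string(back))
}
```

One design choice worth noting: the gateway hands out the same token for a repeated value so the SaaS application can still match and search records by equality. That consistency also tells the provider when two records share a value, so for fields where that linkage matters, issue a fresh token per record instead and accept the loss of server-side search on that field.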

Conclusion

The upshot is that both existing and emerging encryption tools lower the security barrier for businesses to adopt the public cloud and ultimately give organizations the power tools to retain control of their data security.

Organizations in their role as data custodians with accountability for data privacy and security must demand the right level of protection from their cloud service providers. Security by obscurity is not an option.

Data encryption and its ecosystem (choice of algorithm, key length and key management), if correctly implemented and integrated with complementary identity management systems such as BeyondTrust or Symplified, plays the starring role in keeping data confidential, not only on in-house networks but also in the public cloud, mitigating the risk of data loss from both external and insider threat sources such as malicious attackers, rogue service provider administrators, or even mischievous cloud co-tenants.

About

Tajudeen (Taj) Abubakr (CISSP, CISM, CISA, SABSA) is a certified information security manager with broad consulting experience in Security programmes delivery management, cloud computing, enterprise IS governance, risk & compliance (GRC). He is curre...

11 comments
garimagupta2001

I have to do some implementation work with cloud computing, so could anyone guide or give direction for the same?

Paul Ballard

Thanks for this article. It's just what I was searching for. I am always interested in this subject. Will bookmark it. I have been using Folder Lock for cloud encryption for 3 years and have not seen any problem yet; now they are giving free online backup and customer support is 24/7. Can anyone suggest some other software like Folder Lock for encryption?

lenb

I like the cloud but I am very suspicious of it, to the point that I don't even keep an address book in webmail. But I do like the idea that data can be backed up in the cloud and that it can be made available from anywhere. But my main concern has been confidentiality. I would also not be crazy about setting up encryption over the network. But if I could create a TrueCrypt volume locally and have it automagically backed up to the cloud where I could get to it from any computer, that would be valuable. Anyone know if that is doable? I envision an automatic sync when I open it on my local machine. thanx Len

wizard57m-cnet

If using the "public cloud", why would you need encryption? What are you hiding? Terrorist plots? Narcotics trafficking? But seriously...throwing dollar signs around doesn't give your cloud argument any more credence than the last junk post you made in regards to it.

Michael Kassner

All sorts of expenses are getting pulled into the mix. Have you run any financials to see if the ROI is still positive?

AnsuGisalas

I'm pretty sure you can have automagic sync of any kind of file. Having the TrueCrypt volume automagically made, as from a schedule, and pushed to the sync-from folder might require a little work, but only a little.

lenb

Right. So, if you are not doing anything illegal at home, why can't I just walk through anytime I want?

seanferd

That one, among others, about our putative savior, The Cloud.

wizard57m-cnet

Guess you could try to walk through...might have to be carried out though.

wizard57m-cnet

You've completely misunderstood my post...I do not trust the "cloud" for storing my data...my original comment was sort of an attempt at sarcasm, guess it failed? Anyway...I've posted numerous negative comments about this cloud junk. I keep my data on my server, no storm clouds in its forecast!

lenb

True that your home is not a public cloud. You protect your privacy and your belongings in your home. But you are saying that your data really doesn't have the same kind of value and anyone could "walk through it" and you wouldn't mind. I do.