8/7/2019 Ensuring Data Security With Cloud Encryption
http://slidepdf.com/reader/full/ensuring-data-security-with-cloud-encryption 1/3
14.03.11 15:03 Ensuring data security with cloud encryption
Page 1 of 3 http://searchcloudsecurity.techtarget.com/tip/Ensuring-data-security-with-cloud-encryption?vgnextfmt=print
SearchCloudSecurity.com
Ensuring data security with cloud encryption
Cryptography has been with us since the dawn of human civilization. People have wanted to
keep sensitive information from prying eyes long before the invention of the complex,
computer-based encryption methods that we utilize today. The ancient Greeks protected their
secret messages by tattooing them on the shaved head of a messenger. The messenger’s hair
would grow back while traveling to their destination and render the message invisible. The
receiver of the message would just need to know a good barber in order to read the secret
message upon arrival.
So what does this have to do with companies putting sensitive data in the cloud? Just like
the ancient Greeks, we are trying to keep our secrets safe from prying eyes. The methods
have changed, but the goal remains the same. One of the best ways to ensure confidential
data is protected in the cloud is to utilize encryption for data in transit and data at rest.
There are still potential issues with encryption that need to be considered when investigating
cloud services. Almost all cloud service providers support encryption for data in transit, but
few offer support for data at rest. The cloud encryption capabilities of the service provider
need to match the level of sensitivity of the data being hosted.
Cloud encryption options
The basic business model of the typical cloud services provider is based on the idea of
scalability: The more customers that can utilize shared resources the better the profit margin
for the cloud services provider. This idea works in reverse as well: The more customers that
can utilize shared resources, the lower the cost paid by each of the customers. These facts
play a critical role in the decision of the cloud provider to offer encryption services.
Encryption consumes more processor overhead, so it lowers the number of customers per
resource and increases overall costs. Most cloud providers will only offer basic encryption
on a few database fields, such as passwords and account numbers, for this reason. There are
usually options available from the cloud provider to encrypt the entire database, but this will
dramatically increase cost to the point where cloud hosting is more expensive than internal
hosting.
Some cloud providers have been offering alternatives to encryption that don’t have the same
performance impact. These techniques include redacting or obfuscating confidential data.
This can sound appealing, but is just another form of “security through obscurity”: neither
technique is effective in securing confidential data because both are easily bypassed.
Another cloud encryption alternative that may be offered by service providers in order to
reduce the encryption performance penalty will be its own custom encryption solution. This
is a major red flag for potential customers for several reasons. The current encryption
standards have been thoroughly tested and verified over many years and by many brilliant
engineers and cryptographers. A cloud service provider is unlikely to fund this level of
development for a proprietary encryption standard, and such a standard won’t receive the same level of public
scrutiny and feedback as the currently accepted standards. This creates the strong possibility
of a cryptographic mistake, which could leave the customer data vulnerable to exposure.
Proprietary encryption standards should be avoided at all costs.
The cloud provider that offers a standard-based encryption solution may still have other risks
that need to be considered. Encrypted data is only as secure as the private key used to
encrypt it. Key management becomes a critical issue and the cloud provider must have
policies and procedures in place for storage, generation and archival of private keys. It’s
important to keep in mind that anyone that possesses that private key has access to your
confidential data.
Additional cloud encryption considerations
There are still other operational encryption issues that must be considered when utilizing a
cloud service provider. These operational processes include the policies and procedures for
the encryption of tape backups and other removable media, such as DVD-R and USB
devices. Your data may be safely encrypted in the provider’s database, but if it uses
unencrypted media in its operations you may still be at risk of exposure; it’s important to
understand these operational risks before putting your data in the provider’s care.
Finally, there are still other areas where technology does not permit encryption. The actual
processing of the data by the cloud provider will require that the data be decrypted at some
point. This may be changing with the advent of homomorphic encryption, which was
demonstrated by IBM in 2009 and allowed data to be processed while still being encrypted.
This is a future technology, but it would certainly increase the security capabilities of cloud
providers.
Cloud encryption and compliance
So the million-dollar question becomes: “Should regulated data be put into the cloud?” It’s
certainly possible to maintain compliance with regulations while utilizing cloud services.
Encryption plays a big role in compliance as many regulations require specific data elements
to be encrypted. This type of requirement is present in GLBA, PCI DSS and HIPAA, to
name a few. The most important guidance on encryption is publicly available from NIST
800-111 and FIPS-140-2. These standards can help you evaluate the encryption capabilities
of a cloud provider for compliance with regulations.
Encryption is a powerful tool that can be used effectively to protect a company’s
confidential data in the cloud. It’s important for a company to investigate and understand
how the cloud provider utilizes encryption in their operational procedures. Only then can a
company confidently utilize cloud providers knowing that their confidential data is protected
by encryption. Modern encryption algorithms far surpass the protections that were available
to the ancient Greeks for their sensitive data, and no one will need their head shaved.
About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with
experience in both healthcare and financial services. He has been involved in the Health
Information Security and Privacy Working Group for Illinois, the Certification Commission
for Health Information Technology (CCHIT) Security Working Group, and is an active
InfraGard member.
27 Jan 2011
All Rights Reserved, Copyright 2011 - 2011, TechTarget