

8/7/2019 Ensuring Data Security With Cloud Encryption
http://slidepdf.com/reader/full/ensuring-data-security-with-cloud-encryption 1/3

14.03.11 15:03 Ensuring data security with cloud encryption
Page 1 of 3 http://searchcloudsecurity.techtarget.com/tip/Ensuring-data-security-with-cloud-encryption?vgnextfmt=print

SearchCloudSecurity.com

Ensuring data security with cloud encryption

Cryptography has been with us since the dawn of human civilization. People have wanted to keep sensitive information from prying eyes since long before the invention of the complex, computer-based encryption methods that we utilize today. The ancient Greeks protected their secret messages by tattooing them on the shaved head of a messenger. The messenger’s hair would grow back while traveling to the destination and render the message invisible. The receiver of the message would just need to know a good barber in order to read the secret message upon arrival.

So what does this have to do with companies putting sensitive data in the cloud? Just like the ancient Greeks, we are trying to keep our secrets safe from prying eyes. The methods have changed, but the goal remains the same. One of the best ways to ensure confidential data is protected in the cloud is to utilize encryption for data in transit and data at rest. There are still potential issues with encryption that need to be considered when investigating cloud services. Almost all cloud service providers support encryption for data in transit, but few offer support for data at rest. The cloud encryption capabilities of the service provider need to match the level of sensitivity of the data being hosted.

Cloud encryption options

The basic business model of the typical cloud services provider is based on the idea of scalability: the more customers that can utilize shared resources, the better the profit margin for the cloud services provider. This idea works in reverse as well: the more customers that can utilize shared resources, the lower the cost paid by each of the customers. These facts play a critical role in the decision of the cloud provider to offer encryption services. Encryption consumes more processor overhead, so it lowers the number of customers per resource and increases overall costs. For this reason, most cloud providers will only offer basic encryption on a few database fields, such as passwords and account numbers. There are usually options available from the cloud provider to encrypt the entire database, but this will dramatically increase cost to the point where cloud hosting is more expensive than internal hosting.

Some cloud providers have been offering alternatives to encryption that don’t have the same performance impact. These techniques include redacting or obfuscating confidential data. This can sound appealing, but it is just another form of “security through obscurity”: neither technique is effective in securing confidential data because both are easily bypassed.

Another cloud encryption alternative that may be offered by service providers in order to reduce the encryption performance penalty will be its own custom encryption solution. This is a major red flag for potential customers for several reasons. The current encryption standards have been thoroughly tested and verified over many years and by many brilliant engineers and cryptographers. A cloud service provider is unlikely to fund this level of development for a proprietary encryption standard, and such a standard won’t receive the same level of public scrutiny and feedback as the currently accepted standards. This creates the strong possibility of a cryptographic mistake, which could leave the customer data vulnerable to exposure. Proprietary encryption standards should be avoided at all costs.

The cloud provider that offers a standards-based encryption solution may still have other risks that need to be considered. Encrypted data is only as secure as the private key used to encrypt it. Key management therefore becomes a critical issue, and the cloud provider must have policies and procedures in place for the storage, generation and archival of private keys. It’s important to keep in mind that anyone who possesses that private key has access to your confidential data.
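The key-management point above, illustrated with an added example in Go that is not from the article or from any provider's product: each sensitive field is encrypted under its own data key (DEK) with the standard AES-256-GCM from Go's crypto library, and that DEK is wrapped under a separate key-encryption key (KEK) that would be held in a KMS or HSM rather than beside the data. The `EncryptedField` type, the function names and the column name are assumptions made for the example, and the account number is a constructed sample. Decrypting with a KEK that never wrapped the record fails authentication instead of returning garbage, which is the concrete form of the statement that whoever holds the key holds the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedField replaces the plaintext in the database column: the AES-256-GCM
// ciphertext of the value plus the per-record data key (DEK) that produced it,
// itself wrapped under a separate key-encryption key (KEK).
type EncryptedField struct {
	Nonce, Ciphertext     []byte // GCM nonce and ciphertext (tag appended) of the value
	WrapNonce, WrappedDEK []byte // GCM nonce and ciphertext (tag appended) of the DEK
	KEKID                 string // which KEK wrapped this record's DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts under key with a fresh random nonce; aad is authenticated only.
func sealWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func openWith(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad) // errors on wrong key, nonce, aad or tampered ct
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// EncryptField encrypts one sensitive value under a fresh DEK and wraps the DEK
// under the KEK. Binding the column name as associated data means a ciphertext
// copied into another column does not decrypt there.
func EncryptField(kek []byte, kekID, column string, value []byte) (*EncryptedField, error) {
	dek := randomKey()
	nonce, ct, err := sealWith(dek, value, []byte(column))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealWith(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &EncryptedField{nonce, ct, wrapNonce, wrapped, kekID}, nil
}

// DecryptField recovers the value. Whoever holds the KEK can read every record
// it wraps; whoever does not gets an authentication error, never garbage.
func DecryptField(kek []byte, column string, f *EncryptedField) ([]byte, error) {
	dek, err := openWith(kek, f.WrapNonce, f.WrappedDEK, []byte(f.KEKID))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key (wrong or missing KEK): %w", err)
	}
	return openWith(dek, f.Nonce, f.Ciphertext, []byte(column))
}

func main() {
	kek, stranger := randomKey(), randomKey() // a real KEK lives in a KMS or HSM, never beside the data
	rec, err := EncryptField(kek, "kek-2011", "account_number", []byte("4111-0000-0000-1234")) // constructed sample
	if err != nil {
		panic(err)
	}
	_, err = DecryptField(stranger, "account_number", rec)
	fmt.Println("with a key that never wrapped this record:", err)
	pt, err := DecryptField(kek, "account_number", rec)
	fmt.Printf("with the KEK: %s (err=%v)\n", pt, err)
}
```

Because GCM verifies its tag before releasing any plaintext, the only path to the value runs through the KEK, so the questions to put to a provider are exactly the ones the article raises: where that key is generated, where it is stored, who can invoke it, and how it is archived.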

Additional cloud encryption considerations

There are still other operational encryption issues that must be considered when utilizing a cloud service provider. These operational processes include the policies and procedures for the encryption of tape backups and other removable media, such as DVD-R and USB devices. Your data may be safely encrypted in the provider’s database, but if it uses unencrypted media in its operations you may still be at risk of exposure; it’s important to understand these operational risks before putting your data in the provider’s care.

Finally, there are still other areas where technology does not permit encryption. The actual processing of the data by the cloud provider will require that the data be decrypted at some point. This may be changing with the advent of homomorphic encryption, which was demonstrated by IBM in 2009 and allowed data to be processed while still being encrypted. This is a future technology, but it would certainly increase the security capabilities of cloud providers.
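To make the homomorphic idea concrete, here is an added example written for this page; it is not IBM's 2009 system and not code from the article. It implements the Paillier cryptosystem, an older scheme that is only additively homomorphic, rather than the fully homomorphic encryption the article refers to. The provider holds only the public key, multiplies the encrypted amounts together and returns one ciphertext; the data owner decrypts it and obtains the sum without the provider ever seeing an amount. Key sizes and the sample amounts are constructed for the demonstration, and the type and function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// PublicKey is all the cloud side ever sees: it can encrypt and combine
// ciphertexts but cannot decrypt them.
type PublicKey struct{ N, NSquared, G *big.Int }

// PrivateKey stays with the data owner; Lambda and Mu are the decryption trapdoor.
type PrivateKey struct {
	PublicKey
	Lambda, Mu *big.Int
}

// l is Paillier's L function, L(x) = (x - 1) / n.
func l(x, n *big.Int) *big.Int {
	return new(big.Int).Div(new(big.Int).Sub(x, one), n)
}

// GenerateKey builds a Paillier key pair from two random primes of bits/2 each.
func GenerateKey(bits int) (*PrivateKey, error) {
	p, err := rand.Prime(rand.Reader, bits/2)
	if err != nil {
		return nil, err
	}
	q, err := rand.Prime(rand.Reader, bits/2)
	if err != nil {
		return nil, err
	}
	n := new(big.Int).Mul(p, q)
	n2 := new(big.Int).Mul(n, n)
	g := new(big.Int).Add(n, one) // the standard simple choice g = n + 1
	pm1, qm1 := new(big.Int).Sub(p, one), new(big.Int).Sub(q, one)
	lambda := new(big.Int).Div(new(big.Int).Mul(pm1, qm1), new(big.Int).GCD(nil, nil, pm1, qm1)) // lcm(p-1, q-1)
	mu := new(big.Int).ModInverse(l(new(big.Int).Exp(g, lambda, n2), n), n)
	if mu == nil {
		return nil, errors.New("key generation failed, retry")
	}
	return &PrivateKey{PublicKey{n, n2, g}, lambda, mu}, nil
}

// Encrypt computes c = g^m * r^n mod n^2 with a fresh random r, so encrypting
// the same value twice gives different ciphertexts.
func (pk *PublicKey) Encrypt(m *big.Int) (*big.Int, error) {
	r, err := rand.Int(rand.Reader, pk.N)
	if err != nil {
		return nil, err
	}
	if r.Sign() == 0 || new(big.Int).GCD(nil, nil, r, pk.N).Cmp(one) != 0 {
		return pk.Encrypt(m) // astronomically rare; draw again
	}
	c := new(big.Int).Mul(new(big.Int).Exp(pk.G, m, pk.NSquared), new(big.Int).Exp(r, pk.N, pk.NSquared))
	return c.Mod(c, pk.NSquared), nil
}

// Decrypt computes m = L(c^lambda mod n^2) * mu mod n.
func (sk *PrivateKey) Decrypt(c *big.Int) *big.Int {
	m := new(big.Int).Mul(l(new(big.Int).Exp(c, sk.Lambda, sk.NSquared), sk.N), sk.Mu)
	return m.Mod(m, sk.N)
}

// AddEncrypted is the operation a processor holding only the public key can
// perform: multiplying ciphertexts mod n^2 adds the hidden plaintexts mod n.
func (pk *PublicKey) AddEncrypted(c1, c2 *big.Int) *big.Int {
	s := new(big.Int).Mul(c1, c2)
	return s.Mod(s, pk.NSquared)
}

// SumEncrypted folds AddEncrypted over a batch, starting from 1 = g^0 * 1^n, the encryption of zero.
func (pk *PublicKey) SumEncrypted(cs []*big.Int) *big.Int {
	acc := big.NewInt(1)
	for _, c := range cs {
		acc = pk.AddEncrypted(acc, c)
	}
	return acc
}

func main() {
	sk, err := GenerateKey(1024) // toy size for speed; production keys are larger
	if err != nil {
		panic(err)
	}
	pk := &sk.PublicKey
	var cs []*big.Int
	for _, v := range []int64{120, 45, 300} { // constructed sample amounts
		c, _ := pk.Encrypt(big.NewInt(v))
		cs = append(cs, c)
	}
	total := pk.SumEncrypted(cs) // computed by the provider without the private key
	fmt.Println("sum recovered by the key holder:", sk.Decrypt(total)) // 465
}
```

Paillier supports addition of ciphertexts (and multiplication by a known constant) but not arbitrary computation; that limitation is exactly the gap fully homomorphic encryption closes, at a far higher cost than the few modular multiplications shown here.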

Cloud encryption and compliance

So the million-dollar question becomes: “Should regulated data be put into the cloud?” It’s certainly possible to maintain compliance with regulations while utilizing cloud services. Encryption plays a big role in compliance, as many regulations require specific data elements to be encrypted. This type of requirement is present in GLBA, PCI DSS and HIPAA, to name a few. The most important guidance on encryption is publicly available from NIST 800-111 and FIPS 140-2. These standards can help you evaluate the encryption capabilities of a cloud provider for compliance with regulations.

Encryption is a powerful tool that can be used effectively to protect a company’s confidential data in the cloud. It’s important for a company to investigate and understand how the cloud provider utilizes encryption in its operational procedures. Only then can a company confidently utilize cloud providers knowing that its confidential data is protected by encryption. Modern encryption algorithms far surpass the protections that were available to the ancient Greeks for their sensitive data, and no one will need their head shaved.

About the author:

Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois and the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.

27 Jan 2011

All Rights Reserved, Copyright 2011 - 2011, TechTarget | Read our Privacy Statement