The proliferation of cloud technology certainly hasn't hurt the security industry. As more people climb aboard the cloud bandwagon, data security ranks at the top of every adopter's list, regardless of the platform. However, many IT pros worry less about security than they should because of increased throughput and stronger encryption standards.
While advances in security and cloud technology are robust, security pros should be careful when moving data to the cloud and pay attention to when, where and how cloud-bound data is encrypted.
There are a few ways to encrypt cloud-bound data, depending on your cloud stage: before, during or after the move to cloud.
Data encryption before taking the cloud plunge
It seems obvious to encrypt data before moving it to the cloud. But the data that must be encrypted before a move to the cloud is data at rest. The encryption of data in transit -- while extremely important -- may not suffice in every circumstance.
For example, the HeartBleed vulnerability took many security pros by surprise because HTTPS/SSL was previously considered rock solid. Admittedly, HeartBleed was more of an Apache Web server vulnerability than HTTPS, but many cloud providers' management interfaces reside on similar servers. However, data encrypted before it reaches the Internet is in a better position to defend against HeartBleed.
The HeartBleed vulnerability focused on stealing login credentials rather than actual data, but access to unencrypted data is trivial once login information has been compromised. Accessing data that was encrypted prior to an HTTPS login is a different matter entirely.
Encrypting data during a move to the cloud
Encrypting data in transit to the cloud is vital for security and its importance cannot be overstated. Furthermore, encrypting in-transit communications is becoming so popular that a reversal of the current trend seems highly unlikely.
Many times -- though not always -- cloud data encryption in transit requires trust in the vendor destination or third-party technology. The cloud vendor or third party must be equally dedicated to security; relying solely on the encryption of data in transit is risky business.
Data encryption comes full circle after the cloud
Data encryption following a move to the cloud brings the issue of data at rest full circle. At this point, the cloud provider is responsible for data encryption. However, several issues arise when enterprises rely on the cloud provider for data security -- including the issue of key ownership.
Several cloud providers, such as Amazon Web Services and Google Cloud, have solid security mechanisms replete with encrypted files, SSL login for management and disaster recovery. But, if the data resides on AWS or Google Cloud servers, who owns the data and the encryption keys?
It only takes one lawsuit against a cloud provider to expose proprietary data -- encrypted or otherwise -- during legal proceedings. Admins need to have alternatives to relying on cloud providers for security in the event of data compromise. Whatever method is chosen, power brokers within each organization should make tolerable levels of risk clear.
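The two points above -- encrypting data at rest before it ever reaches the provider, and keeping the encryption keys out of the provider's hands -- come together in client-side envelope encryption. The following Go program is an added example, not code from the original article or from any cloud provider's SDK. It assumes a key-encryption key (KEK) that stays on the enterprise side (HSM, on-prem KMS), wraps a fresh per-object data key under that KEK with AES-256-GCM, and binds each blob to its object name as associated data; the function names, the Blob layout and the sample object are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is the only thing handed to the cloud provider. Without the
// enterprise-held KEK it is two opaque byte strings.
type Blob struct {
	WrappedDEK []byte // per-object data key, sealed under the KEK (nonce prepended)
	Ciphertext []byte // object contents, sealed under the data key (nonce prepended)
}

// NewKey returns a fresh 256-bit key from the OS CSPRNG. A KEK produced this
// way must never be uploaded alongside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealGCM encrypts plaintext with AES-256-GCM under key and returns
// nonce||ciphertext||tag. aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if the key, nonce, aad or ciphertext changed.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForUpload runs before the upload: a random data key encrypts the
// object and the KEK wraps only that data key. objectName is bound in as AAD
// so a stored blob cannot be silently renamed or swapped for another object.
func EncryptForUpload(kek, plaintext []byte, objectName string) (*Blob, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &Blob{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptAfterDownload runs on the enterprise side; the provider, holding
// only the Blob, cannot perform this step.
func DecryptAfterDownload(kek []byte, b *Blob, objectName string) ([]byte, error) {
	dek, err := openGCM(kek, b.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dek, b.Ciphertext, []byte(objectName))
}

func main() {
	kek, _ := NewKey() // constructed for the demo; in practice loaded from the HSM/KMS
	blob, _ := EncryptForUpload(kek, []byte("quarterly numbers (constructed sample)"), "finance/q3.csv")
	fmt.Printf("upload: %d ciphertext bytes, %d wrapped-key bytes\n", len(blob.Ciphertext), len(blob.WrappedDEK))
	got, err := DecryptAfterDownload(kek, blob, "finance/q3.csv")
	fmt.Printf("round trip: %q err=%v\n", got, err)
	otherKek, _ := NewKey() // stands in for anyone without the enterprise KEK
	_, err = DecryptAfterDownload(otherKek, blob, "finance/q3.csv")
	fmt.Println("without the KEK:", err)
}
```

Because the provider stores only the Blob, a subpoena or breach on the provider's side yields ciphertext and a wrapped key that is useless without the KEK; key rotation then means re-wrapping the small WrappedDEK values rather than re-encrypting every object.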
About the author:
Brad Casey is a former SearchSecurity.com expert. He holds an MS in Information Assurance from the University of Texas at San Antonio and has extensive experience in the areas of penetration testing, public key infrastructure, VoIP and network packet analysis. He is also knowledgeable in the areas of system administration, Active Directory and Windows Server 2008. He spent five years doing security assessment testing in the U.S. Air Force, and in his spare time, you can find him looking at Wireshark captures and playing with various Linux distros in VMs.