Fill security gaps with centralized cloud data encryption

Most cloud providers offer data encryption services, but for some users, those services aren't enough to fully protect enterprise data in the cloud.

Data encryption, for both data at rest and in motion, should be a standard practice in cloud computing. But despite the nearly ubiquitous availability of encryption within the enterprise and through cloud providers, common encryption technologies are not always enough for some organizations.

Some businesses, for example, are subject to strict compliance regulations, such as the Health Insurance Portability and Accountability Act, which require formal agreements between healthcare businesses and their partners, including cloud providers. And while cloud providers may meet some of a business's encryption needs, many enterprises are turning to cloud security providers to help fill in the gaps.

The benefits of centralized cloud data encryption

Centralized cloud data encryption providers such as Vaultive and CipherCloud offer enterprise-grade technology that enables businesses to encrypt their data while it is still on the trusted corporate network. This ensures that all data sent to and stored on the cloud is encrypted. Only the highest-level administrator of the cloud service can access encrypted data. And if the cloud provider is hacked or required to release data for legal reasons, only encrypted data is released.

CipherCloud for Amazon Web Services (AWS) is an encryption service specifically designed for the AWS cloud, with support for Relational Database Service and Redshift. The service uses AES 256-bit encryption paired with centralized key storage and management, and stores the encryption keys on CipherCloud servers. CipherCloud encryption is implemented at the application driver, where it encrypts data locally before the data moves between points.

CipherCloud allows admins to encrypt data on a per-field basis. For example, an online sales system might encrypt only payment information using the fine-grained CipherCloud tools, while leaving other data, such as a shipping address, in plain text.

An advanced feature of CipherCloud allows administrators to generate encrypted data that uses the same data type and size of the unencrypted data. This is especially important when businesses want the protection of encryption, but do not want to modify their database schemas.

Sometimes, a business will want to use a separation of duties when handling encryption. CipherCloud’s key management functions mitigate the risk of an insider having unacceptable access to keys and, therefore, encrypted data.

Similar to CipherCloud, Vaultive has a specialized service for a single cloud provider -- Microsoft. Vaultive offers encryption for a range of Microsoft services, including Office 365, Yammer, OneDrive and Dynamics CRM Online.

Vaultive operates as a stateless layer that serves as a door between a cloud service and user endpoints. For example, Vaultive, along with partner BitTitan, encrypts data for Office 365 as it enters the cloud. From that point on, the data remains encrypted until it returns to an end user with the authority to view it. Data traveling to and from the Office 365 cloud always passes through a network encryption layer managed by BitTitan.

Prepare for centralized encryption risks

Despite the benefits of centralized encryption services, they can also introduce a potential point of failure in an organization's infrastructure. If a gateway is down or an encryption software as a service (SaaS) is unavailable, you can't send new encrypted data to the cloud. In addition, your encrypted data in the cloud will be inaccessible until the problem is resolved.

One option when deploying an on-premises gateway is to configure it for high availability and scalability. To do this, run multiple gateways and either load balance between them or keep one on standby. Alternatively, if you can tolerate a longer time to recovery, you could bring up a new gateway manually when the primary gateway fails.
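As an added illustration, not CipherCloud's or Vaultive's code, the Go program below models the three mechanisms the article describes: a client-side encryption gateway that encrypts only the fields a policy names (the payment field, not the shipping address), a check that flags ciphertext which no longer fits the original column width (the problem the schema-preserving option solves), and failover from a primary gateway to a standby, including the all-gateways-down case. The Gateway, Policy and EncryptRecord names, AES-256-GCM as the cipher, binding the field name as associated data, and the all-zero demo key are assumptions of the example and go beyond what the article states about either product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Gateway is a hypothetical on-premises encryption gateway holding the tenant's
// AES-256 key; Up=false simulates an outage for the failover path below.
type Gateway struct {
	Name string
	Up   bool
	aead cipher.AEAD
}

// NewGateway wraps a 32-byte key in AES-256-GCM.
func NewGateway(name string, key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{Name: name, Up: true, aead: aead}, nil
}

// EncryptField returns base64(nonce || ciphertext || tag) for one value. The field
// name is bound as associated data, so a ciphertext moved to another column fails to open.
func (g *Gateway) EncryptField(field, value string) (string, error) {
	if !g.Up {
		return "", errors.New(g.Name + ": gateway unavailable")
	}
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField, verifying the tag and the field binding.
func (g *Gateway) DecryptField(field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	ns := g.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed ciphertext")
	}
	plain, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	return string(plain), err
}

// Policy names the fields to encrypt and the width of their database column;
// fields not listed, such as a shipping address, pass through in plaintext.
type Policy map[string]int

// pickGateway returns the first healthy gateway (primary first, then standby).
func pickGateway(gateways []*Gateway) (*Gateway, error) {
	for _, g := range gateways {
		if g.Up {
			return g, nil
		}
	}
	return nil, errors.New("all encryption gateways down; new data cannot be sent to the cloud")
}

// EncryptRecord encrypts only the policy fields and reports those whose ciphertext no
// longer fits its column: plain AES-GCM adds a nonce, a tag and base64 expansion.
func EncryptRecord(policy Policy, gateways []*Gateway, rec map[string]string) (map[string]string, []string, error) {
	g, err := pickGateway(gateways)
	if err != nil {
		return nil, nil, err
	}
	out, oversize := make(map[string]string, len(rec)), []string{}
	for field, value := range rec {
		width, sensitive := policy[field]
		if !sensitive {
			out[field] = value // not in the policy: stays plaintext
			continue
		}
		ct, err := g.EncryptField(field, value)
		if err != nil {
			return nil, nil, err
		}
		if len(ct) > width {
			oversize = append(oversize, field)
		}
		out[field] = ct
	}
	return out, oversize, nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero key, demo only
	primary, _ := NewGateway("primary", key)
	standby, _ := NewGateway("standby", key)
	gws := []*Gateway{primary, standby}
	order := map[string]string{"card_number": "4111111111111111", "shipping_address": "1 Main St"}
	fmt.Println(EncryptRecord(Policy{"card_number": 16}, gws, order))
	primary.Up, standby.Up = false, false // both gateways down: writes to the cloud stop
	_, _, err := EncryptRecord(Policy{"card_number": 16}, gws, order)
	fmt.Println(err)
}
```

Running it shows the 16-digit card number becoming a 60-character ciphertext while the address is untouched, which is exactly why a 16-character column would reject it without a schema-preserving mode; the second call shows that with every gateway down the record cannot be written at all, the failure mode the SLA and standby advice is meant to cover.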

When using encryption SaaS, be sure the SLAs meet your expectations for scalability and availability. The SLA should also specify compensation for failures to meet agreed service levels.

Centralized cloud data encryption services are an important part of the cloud ecosystem and will be especially helpful to companies with demanding compliance regulations. However, always anticipate the risk of temporary failures in the process and plan accordingly.

About the author:
Dan Sullivan holds a master of science degree and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Sullivan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.
