By: Mike Shields
There are two types of applications: those that have moved to the cloud and those that have yet to move to the cloud.
Bold claim? We don’t think so. The US Government created and began implementing the Cloud First policy in 2010, and software as a service, which has deep roots in cloud computing, is predicted to grow exponentially in the coming years.
But with the increased use of cloud resources comes the resurgence of an age-old problem: storing sensitive information securely. Secure storage is a challenge when working with traditional data centers, and the move to the cloud only adds to the problem’s complexity.
Even advanced enterprises are vulnerable to data breaches. For example, look at the size and scope of some of the largest data breaches in history—billions of records affected as a result of hacking or poor security. Many Fortune 500 companies have been targeted.
We can’t wait until we move sensitive information to the cloud to worry about how we’re going to store it securely. We must decide before the move what needs to be secured and how we’re going to protect it.
Like the US Government, we need to move from Cloud First to Cloud Smart, especially when it comes to the issue of security.
In this article, we will look at how to protect your cloud-based information, some of the approaches available for doing so, and three scenarios demonstrating the securing of sensitive data stored in the cloud. We conclude with a look at the future of cloud data encryption and what that might mean for you.
Securing Your Cloud Data
To secure the data you’re storing in the cloud, you need to encrypt it. Encrypting data protects it from being read if an unauthorized party gains access to it.
Encryption works by using a cipher (which is just a complex algorithm) to “scramble” your data into what appears to be a series of random characters. The result, which is called ciphertext, is unreadable to those who don’t have the key needed to decrypt it.
There are two commonly used methods for encrypting data:
- Private Key (Symmetric) Encryption: Such methods use the same key for encryption and decryption, and the key is shared between the sender and the receiver (otherwise the receiver won’t be able to decrypt the data).
- Public Key (Asymmetric) Encryption: Such methods do not use the same key for encryption and decryption. The key used to encrypt the data is published and publicly available, but only the receiver has the decryption key that allows them to “unscramble” the data.
Some of the decisions you’ll need to make when you’re encrypting your data include:
- Which type of encryption you want to use (i.e., private vs. public key)
- Which method of encryption you want to use (there are multiple public key encryption methods that we address later in this blog)
- How you want to handle keys: How are they generated? Who holds them? How often should they be rotated or changed?
There are many apps and tools that will help you encrypt your data, so you don’t have to do the heavy lifting when it comes to the actual encryption; however, you’ll still need to know how things work under the hood, so to speak.
Basic Cloud Encryption
Most if not all cloud providers include basic encryption out of the box. For example, Amazon’s Simple Storage Service (S3) lets you set up automatic encryption so that all newly added items are encrypted before being added to your S3 bucket.
Such out-of-the-box offerings are convenient and sufficient for some types of information (e.g., proprietary information), but they should not be used for sensitive information (e.g., personal health information).
Typically, only data at rest is encrypted and protected against physical attacks at the cloud provider level. As a result, there are many ways for the information to become compromised. If you have multiple pieces of your application (such as back-end services or front-end components), then your data in use and data in transit are vulnerable.
Improving Encryption for Cloud Stores
Because the basic encryption features offered by cloud providers aren’t sufficient, we need to look at additional encryption steps to make sure the information we’re storing stays secure.
One way to increase protection on data that’s going to be stored in the cloud is to encrypt the data at the client level (i.e., you encrypt your data before you send it to the cloud). While the premise is simple, there are lots of things you need to consider before choosing the process you use to encrypt your data.
First, encryption requires the use of keys. As such, those encrypting the data must answer some preliminary questions before they can even begin encryption:
- Where does the key come from? How is it generated?
- Who will own the key?
- How often should the key be rotated (the process of changing a key is called rotation)?
Unfortunately, there’s no one answer to these questions that works for every company. The best choices for you depend on the scope of your project, the level of security you need, how your business is set up, and more.
Second, you’ll need to determine where keys are stored. There are three basic options available:
- Hybrid: You retain full control of your keys, but they may be stored/hosted at an off-site location.
- Cloud stored and agency controlled: Your keys are stored in a cloud environment, but you retain control over the keys you generate.
- Cloud stored and cloud controlled: Your keys are stored in a cloud environment, and the cloud provider is responsible for ensuring the security of the keys you generate.
Key Rotation and Re-encryption
Key rotation, or the process of changing the key used for encryption, is an important step in ensuring the long-term security of your data and is mandated by some security standards, such as the Payment Card Industry Data Security Standard (PCI DSS). However, key rotation means that some amount of decryption and re-encryption needs to happen so that your new key works in place of your old key.
Simple Symmetric Encryption
The simplest option is to use a symmetric key to encrypt each piece of data. When it is time to rotate the key, decrypt your data with the existing key and re-encrypt it with a newly generated key.
As time goes on and the quantity of your data grows, however, the process of decrypting and re-encrypting becomes a greater challenge. This process can be quite labor intensive, and with a regular rotation schedule, the cost of computing power can become prohibitive.
Envelope encryption is a way to offset the potentially high costs of decryption and re-encryption whenever you change a key. Used with agency-controlled asymmetric keys, it can also provide a guarantee that the keys used have not been replaced.
The envelope encryption process is similar to Simple Symmetric Encryption in that your data is encrypted with a specific key (typically some type of symmetric algorithm). However, envelope encryption then calls for the encryption of the key itself (typically using asymmetric encryption). Then, when it comes time to rotate your key, you only have to decrypt and re-encrypt the key. The data itself remains untouched.
The downside to envelope encryption is that there’s no guarantee that the data itself hasn’t been tampered with, which is one of the primary reasons why encryption is so important. If someone were to obtain the symmetric key, decrypt the data, change it, and re-encrypt it, there would be no way for you to know.
Envelope Encryption with Hashing
If you want a guarantee that the data you’ve secured with envelope encryption remains authentic, you can add a hash of the unencrypted data to the envelope itself. A hash function maps a large set of data to fixed-size data, creating a “signature” that can be compared after successful decryption. This enables you to check the integrity of the stored data, increasing trust in the decrypted data.
Three Hypothetical Cloud Storage and Encryption Scenarios
The following three scenarios shed light on how to use different encryption techniques to protect the various types of cloud-based data and organizational workflows.
Organization A carries out crucial data collection and distribution activities with a distributed workforce in the field. Employees gather, analyze, and report on data originating across the world. The employees must perform these data transferring tasks with no guarantee that they will have unfettered access to the organization’s IT infrastructure.
In this scenario, we would use envelope encryption to store information securely and to transport information over networks that may not be trusted. The keys used to encrypt the envelope would be issued by a central authority who is part of the distributed workforce. This allows for secure offline work and centrally managed workflows.
Organization B needs a secure file exchange application hosted in the cloud. There are various types of sensitive data that would be exchanged.
It goes without saying that all files need to be protected from unauthorized access. To that end, we would build Organization B a scalable, cloud-hosted application that leverages envelope encryption, followed by two additional layers of encryption.
At this point, the data would be stored at rest, having been encrypted by a cloud service provider (CSP)-controlled key. Note, the CSP controlling this key is not the same as the CSP hosting the data itself.
The keys would be regularly rotated by re-encrypting the symmetric key. The symmetric key would then be stored in a separate, cloud-hosted metadata repository.
Organization C uses an enterprise-wide case management system that stores a large amount of PII in the cloud. The organization needs to secure the data.
In this scenario, we’d leverage a multistep envelope encryption mechanism. First, we’d encrypt the data using a symmetric key. We’d encrypt the key itself using an organization-controlled asymmetric key. The encrypted key would be stored with the files in a cloud-accessible location, which is itself encrypted using a CSP-controlled key.
This key storage mechanism allows the organization to control encryption and decryption using policies that govern access to the CSP-controlled keys instead of relying on locally installed and locally maintained keys on individual application servers. This also allows for simpler key management in a serverless environment, an increasingly common cloud-deployment strategy.
The Future of Encryption
Encryption as it stands today, as well as all of the mathematical theory underlying our algorithms, is on the precipice of becoming outdated. Many of the algorithms we use are based on the premise that the amount of computing power available today isn’t sufficient to crack the code in the short term.
However, with the rise of quantum computing, the powerful algorithms we rely on may become obsolete. One of the upsides of quantum computing is that it can crack the problems we expect to be difficult, if not impossible, to solve today. We can’t say when our existing algorithms will no longer be secure—it could be next year, it could be in five years, or it could be in 10 to 15 years—but what we can say is that we need to be ready for when it does happen.
After all, consider how long data will stay in the cloud—depending on what the application is, sensitive data could be stored for decades. We need to ensure the security of data 100% of the time it is located in the cloud.
Encryption is important, especially as the reliance on cloud computing grows exponentially. Pyramid strives to stay on the leading edge of the changes that will become increasingly important as time goes on and technology improves.
Copyright © 2019 Pyramid Systems, Inc.