encrypt

Encrypting Your Cloud Data For Extra Protection

Encrypting Your Cloud Data

Encrypting data is one of the best ways of protecting your data as it moves to the cloud. The only thing better than encrypting your data, is not storing your data at all.

Let’s first look at the case of using file sharing applications such as Dropbox. If you are the only user of the files you store there, you can encrypt these files, or entire folders, with tools such as 7-zip or TrueCrypt before you move them to the cloud service.

However, it is likely that you want to share the files with somebody else. That means that these people should have the same encryption software and have access to the keys. So you have to figure out how to share the keys safely and protect them as you store them.

The hard thing about using encryption therefore is not so much the technology (although ‘under the hood’ encryption is really complicated), the hard thing is to understand what it protects against, and what the new risks are that encryption brings. Then you can start designing at which location where you encrypt, where you store your encrypted data, and how you are going to store and manage the encryption keys.

Peeking Inside

In the file sharing example, you encrypt to protect your data as it is ‘at rest’ at the cloud provider. You may trust the cloud provider, but you may want to prevent a search warrant forcing the provider to surrender your data. The encrypted data is stored at your own laptop or computer and at the file sharing service provider. The keys could be memorized or written down. Losing those keys is a new risk, by the way.

For a different example, let’s have a look at an enterprise customer relationship management system such as Salesforce. The data at rest includes a lot of customer data, which might bring in privacy concerns.

Data Breach Comic

Encryption Solutions

So in order to protect that, you might want to prevent that data going to the cloud unencrypted. There are a number of solutions in the market for that. One solution involves a separate cloud provider who filters all your CRM traffic and replaces customer data with encrypted customer data. When you then access that data, it will be decrypted by the same encryption provider. You still need to put some trust in the encryption provider, but they will no longer store your unencrypted data, so the risk of any loss of data at rest there is pretty small.

Now if you are a software developer, you might be using Infrastructure as a Service. That means your software runs on a virtual machine at a cloud provider. What kind of risks do you have there that encryption might be able to reduce?

To start with, your virtual machine has a virtual disk on which your data is stored. Of course, there is the risk that the staff of your cloud provider could access that. More realistically, that disk could be cloned by an insider and taken away for further inspection.

Risk Assessment

That risk can be addressed by encrypting the hard disk in the operating system, very much in the same way as you can encrypt the hard disk of your laptop. In most operating systems this is fairly easy. The biggest remaining issue is how to get the encryption key to the virtual machine as it boots up. That can be done, but it’s a little outside the scope of this article.

So far we have looked at data at rest. We should also look at data in motion. That’s a bit easier. An example of protecting data in motion is through using HTTPS for web traffic. Other cases of data in motion are file transfers such as with FTP and terminal traffic using Telnet. These are really old protocols that don’t encrypt anything, not even passwords. It is best to get rid of these as soon as possible and start using SFTP and SSH. You guessed it, the letter “S” in these protocol names stands for “Secure”.

Finally, we need to put things into perspective a bit.

Did you know that most data breaches last year were the result of hackers breaking in to user computers and point-of-sales devices (as in the case of Target Supermarkets), and not by hackers breaking into cloud providers?

All encryption in the cloud leaves the users’ computers unprotected. Did you know that 1 in 20 laptops go missing in their lifetime? And still most people don’t encrypt their hard disks!

So please look at the lock on your backdoor before you start putting an extra lock on your front door.

By Peter HJ van Eijk

Peter HJ van Eijk

Peter HJ van Eijk develops and delivers cloud computing training programs. He has delivered these programs dozens of times in the US, Europe, Middle-East and Asia to a wide variety of participants.

He has worked for Deloitte Consulting, IT supplier EDS, internet providers, and at the University of Twente, where he received his PhD in 1988. He is a board member of the Dutch Cloud Security Alliance Chapter.

Peter is a certified trainer for CSA Certificate of Cloud Security Knowledge (CCSK), CompTIA Cloud Essentials, Virtualization Essentials and Cloud Technology Associate. He wrote these courses or contributed to them.

What Is Net Neutrality And Why Is It So Important?

What Is Net Neutrality And Why Is It So Important?

What Is Net Neutrality? Net neutrality is a concept that has been the centre of a lot of debates recently, ...
5 Simple Tips to Help Avoid Ransomware

5 Simple Tips to Help Avoid Ransomware

5 Tips to Avoid Ransomware Ransomware is a particularly pernicious form of malware: unsatiated by simply using your system as ...
Cyber Attackers Targeting the Keys to the Cloud Kingdom

Cyber Attackers Targeting the Keys to the Cloud Kingdom

Cyber Attacking Targets Privileged Credentials Used to Administer Cloud Services Make an Attractive Target and Entry Point for Attackers In ...
How to secure personally identifiable information (PII) of customers

How to secure personally identifiable information (PII) of customers

Secure Personally Identifiable Information Information security has been a constant challenge for enterprises. Especially in a software test environment, enterprises face ...
Biometric Authentication

Passwords: More Secure Than Biometric Authentication?

Biometric Authentication Biometrics has long granted or denied access to secure things like premises and vehicles. Now it is being ...
Numeraire Cryptocurrency

Digital Cashless Society: Dystopian Nightmares or Utopian Dreams

Digital Cashless Society A truly digital cashless society was long the realm of dystopian nightmares (or utopian dreams depending on ...
F-Secure Takes A Big Step Towards Cyber Security Leadership By Acquiring MWR InfoSecurity

F-Secure Takes A Big Step Towards Cyber Security Leadership By Acquiring MWR InfoSecurity

Acquisition adds industry leading threat hunting platform to F-Secure’s detection and response offering and expands cyber security services to the biggest markets globally F-Secure Corporation, Stock Exchange Release 18 June, 2018 at 09:00 EEST F-Secure ...
Tainted, crypto-mining containers pulled from Docker Hub

Tainted, crypto-mining containers pulled from Docker Hub

Security companies Fortinet and Kromtech found seventeen tainted Docker containers that were essentially downloadable images containing programs that had been designed to mine cryptocurrencies. Further investigation found that they had been downloaded 5 million times, suggesting that hackers were ...
Teradata sues Germany's SAP, alleging it stole trade secrets

Teradata sues Germany’s SAP, alleging it stole trade secrets

FRANKFURT (Reuters) - SAP SE, Europe’s most valuable technology company, was sued on Wednesday by U.S. company Teradata, which accused it of stealing trade secrets, copyright infringement and anti-trust violations. The case, filed at the ...