
Encrypting Your Cloud Data For Extra Protection

Encrypting Your Cloud Data

Encrypting data is one of the best ways of protecting it as it moves to the cloud. The only thing better than encrypting your data is not storing it at all.

Let’s first look at the case of using file sharing applications such as Dropbox. If you are the only user of the files you store there, you can encrypt these files, or entire folders, with tools such as 7-zip or TrueCrypt before you move them to the cloud service.

However, it is likely that you want to share the files with somebody else. That means these people need the same encryption software and access to the keys. So you have to figure out how to share the keys safely, and how to protect them wherever they are stored.

The hard part of using encryption, therefore, is not so much the technology (although ‘under the hood’ encryption is really complicated). The hard part is understanding what it protects against, and what new risks encryption itself brings. Only then can you start designing where you encrypt, where you store your encrypted data, and how you are going to store and manage the encryption keys.

Peeking Inside

In the file sharing example, you encrypt to protect your data while it is ‘at rest’ at the cloud provider. You may trust the cloud provider, but you may want to prevent a search warrant from forcing the provider to surrender your data. The encrypted data is stored on your own laptop or computer and at the file sharing service provider. The keys could be memorized or written down. Losing those keys is a new risk, by the way.
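The file sharing case above raises two points at once: the data must be encrypted before it leaves your machine, and every person you share with needs the key, while losing the key means losing the data. The following Go program is an added example (not code from the article, and not any particular product's implementation) of the envelope-encryption pattern that tools for this purpose commonly use: the file is encrypted once under a random data key with AES-256-GCM, and that data key is wrapped separately for each recipient with their RSA public key, so no passphrase ever has to be sent around. All keys and the file content are constructed inside the program; the recipient names are placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what would be uploaded to the file sharing service:
// the ciphertext plus one wrapped copy of the data key per recipient.
type EncryptedFile struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM output, authentication tag included
	WrappedKeys map[string][]byte // recipient name -> data key wrapped with RSA-OAEP
}

var keyLabel = []byte("file-data-key") // OAEP label, binds the wrapped blob to its purpose

// EncryptForRecipients encrypts plaintext under a fresh random data key and wraps
// that key for every recipient's public key. The data key never leaves this
// function in the clear.
func EncryptForRecipients(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, keyLabel)
		if err != nil {
			return nil, err
		}
		ef.WrappedKeys[name] = wrapped
	}
	return ef, nil
}

// Decrypt unwraps the data key with one recipient's private key and opens the file.
// A wrong private key, or a recipient the file was never shared with, fails here.
func Decrypt(ef *EncryptedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := ef.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no key wrapped for this recipient")
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, keyLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo runs the exchange with constructed keys: the owner shares a file with
// "alice" and "bob"; "mallory" has the uploaded blob but was never given a wrapped key.
func Demo() (alicePlain, bobPlain []byte, malloryErr error) {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048)
	secret := []byte("Q3 sales forecast - constructed sample content") // constructed file content
	ef, err := EncryptForRecipients(secret, map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	if bytes.Contains(ef.Ciphertext, []byte("sales")) { // the stored blob carries no plaintext
		panic("plaintext leaked into ciphertext")
	}
	alicePlain, _ = Decrypt(ef, "alice", alice)
	bobPlain, _ = Decrypt(ef, "bob", bob)
	_, malloryErr = Decrypt(ef, "alice", mallory) // holds alice's wrapped key, lacks her private key
	return
}

func main() {
	a, b, err := Demo()
	fmt.Printf("alice reads: %q\nbob reads:   %q\nmallory:     %v\n", a, b, err)
}
```

The design choice worth noticing is that adding or removing a recipient only touches the small wrapped-key table, not the file itself, and that the "losing the key" risk from the text is now concentrated in each recipient's private key: if every private key is gone, the data key is unrecoverable and so is the file.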

For a different example, let’s have a look at an enterprise customer relationship management system such as Salesforce. The data at rest includes a lot of customer data, which raises privacy concerns.

Encryption Solutions

So in order to protect that, you might want to prevent that data from going to the cloud unencrypted. There are a number of solutions in the market for that. One solution involves a separate cloud provider who filters all your CRM traffic and replaces customer data with encrypted customer data. When you then access that data, it is decrypted by the same encryption provider. You still need to put some trust in the encryption provider, but the CRM provider will no longer store your unencrypted data, so the risk of a loss of data at rest there is pretty small.
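The gateway described above works at the level of individual fields: only the sensitive ones are replaced with ciphertext, the rest stay usable by the CRM. This Go program is an added example (not the article's code and not any vendor's product) of that field-level pattern with AES-256-GCM. Each sensitive field gets its own nonce, and the record id plus field name are bound in as additional authenticated data, so a ciphertext cannot be copied into another customer's record or another field without the gateway rejecting it. The key, the field list and the customer record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Gateway stands in for the encryption provider between the users and the cloud CRM.
type Gateway struct {
	aead      cipher.AEAD
	sensitive map[string]bool // field names that must never reach the cloud in clear
}

func NewGateway(key []byte, sensitiveFields ...string) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	g := &Gateway{aead: aead, sensitive: map[string]bool{}}
	for _, f := range sensitiveFields {
		g.sensitive[f] = true
	}
	return g, nil
}

// aad ties a ciphertext to the record and field it was produced for.
func aad(recordID, field string) []byte { return []byte(recordID + "/" + field) }

// Outbound is applied to a record on its way to the cloud CRM.
func (g *Gateway) Outbound(recordID string, rec map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for field, value := range rec {
		if !g.sensitive[field] {
			out[field] = value // non-sensitive fields stay searchable in the CRM
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := g.aead.Seal(nil, nonce, []byte(value), aad(recordID, field))
		out[field] = "enc:" + base64.StdEncoding.EncodeToString(append(nonce, ct...))
	}
	return out, nil
}

// Inbound reverses Outbound on the way back; any tampered or misplaced field is an error.
func (g *Gateway) Inbound(recordID string, stored map[string]string) (map[string]string, error) {
	rec := make(map[string]string, len(stored))
	for field, value := range stored {
		if !strings.HasPrefix(value, "enc:") {
			rec[field] = value
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, "enc:"))
		if err != nil {
			return nil, err
		}
		ns := g.aead.NonceSize()
		if len(raw) < ns+g.aead.Overhead() {
			return nil, fmt.Errorf("field %q: ciphertext too short", field)
		}
		pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", field, err)
		}
		rec[field] = string(pt)
	}
	return rec, nil
}

// Demo returns what the cloud CRM stores, the record after the round trip, and the
// error produced when one record's email ciphertext is placed into another record.
func Demo() (cloudCopy, roundTrip map[string]string, swapErr error) {
	key := make([]byte, 32) // constructed gateway key; a real deployment keeps it outside the CRM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	g, err := NewGateway(key, "email", "phone")
	if err != nil {
		panic(err)
	}
	rec := map[string]string{"id": "C-1001", "email": "jane.doe@example.com", "phone": "+1-555-0100", "status": "lead"}
	cloudCopy, _ = g.Outbound("C-1001", rec)
	roundTrip, _ = g.Inbound("C-1001", cloudCopy)
	_, swapErr = g.Inbound("C-2002", map[string]string{"id": "C-2002", "email": cloudCopy["email"]})
	return
}

func main() {
	cloud, rt, swapErr := Demo()
	fmt.Printf("stored in CRM: %v\nread back:     %v\nmoved field:   %v\n", cloud, rt, swapErr)
}
```

Note what the CRM provider can and cannot do with this: it can still sort and filter on `status`, but `email` and `phone` are opaque to it, which is also why such gateways break server-side search on the protected fields unless the vendor adds special handling.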

Now if you are a software developer, you might be using Infrastructure as a Service. That means your software runs on a virtual machine at a cloud provider. What kind of risks do you have there that encryption might be able to reduce?

To start with, your virtual machine has a virtual disk on which your data is stored. Of course, there is the risk that the staff of your cloud provider could access it. More realistically, that disk could be cloned by an insider and taken away for further inspection.

Risk Assessment

That risk can be addressed by encrypting the hard disk in the operating system, very much in the same way as you can encrypt the hard disk of your laptop. In most operating systems this is fairly easy. The biggest remaining issue is how to get the encryption key to the virtual machine as it boots up. That can be done, but it’s a little outside the scope of this article.

So far we have looked at data at rest. We should also look at data in motion. That’s a bit easier. An example of protecting data in motion is using HTTPS for web traffic. Other cases of data in motion are file transfers such as with FTP and terminal traffic using Telnet. These are really old protocols that don’t encrypt anything, not even passwords. It is best to get rid of these as soon as possible and start using SFTP and SSH. You guessed it, the letter “S” in these protocol names stands for “Secure”.
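A practical first step for the data-in-motion point is an inventory check: find every endpoint that still speaks FTP, Telnet or plain HTTP and pair it with the encrypted replacement named above. The Go program below is an added example of such an audit (not part of the article); it accepts endpoints as `scheme://host` URLs or bare `host:port` pairs and infers the protocol from well-known ports in the latter case. The endpoint list is constructed and the hostnames are placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Finding describes one endpoint that moves data without encryption.
type Finding struct {
	Endpoint    string
	Protocol    string
	Replacement string
}

// cleartext maps legacy schemes to the encrypted protocol that should replace them.
var cleartext = map[string]string{
	"ftp":    "sftp",
	"telnet": "ssh",
	"http":   "https",
}

// defaultPorts lets the audit recognise cleartext services given as host:port only.
var defaultPorts = map[string]string{"21": "ftp", "23": "telnet", "80": "http"}

// AuditEndpoints returns the endpoints in the list that still use a cleartext protocol.
// Blank lines and '#' comments are skipped so a plain inventory file can be fed in.
func AuditEndpoints(endpoints []string) []Finding {
	var findings []Finding
	for _, ep := range endpoints {
		ep = strings.TrimSpace(ep)
		if ep == "" || strings.HasPrefix(ep, "#") {
			continue
		}
		proto := ""
		if u, err := url.Parse(ep); err == nil && u.Scheme != "" && u.Host != "" {
			proto = strings.ToLower(u.Scheme) // full URL: trust the scheme
		} else if i := strings.LastIndex(ep, ":"); i > 0 {
			proto = defaultPorts[ep[i+1:]] // host:port: infer from the port number
		}
		if repl, bad := cleartext[proto]; bad {
			findings = append(findings, Finding{Endpoint: ep, Protocol: proto, Replacement: repl})
		}
	}
	return findings
}

// sampleEndpoints is a constructed inventory, not taken from any real system.
var sampleEndpoints = []string{
	"# connections used by the nightly batch job",
	"https://crm.example.com",
	"ftp://backup.example.internal",
	"sftp://backup2.example.internal",
	"telnet://10.0.0.5",
	"ssh://10.0.0.6",
	"legacy-switch.example.internal:23",
	"http://intranet.example.internal",
}

// SampleAudit runs the audit over the constructed inventory.
func SampleAudit() []Finding { return AuditEndpoints(sampleEndpoints) }

func main() {
	for _, f := range SampleAudit() {
		fmt.Printf("%-40s %-7s -> move to %s\n", f.Endpoint, f.Protocol, f.Replacement)
	}
}
```

The port-based inference is deliberately limited to the three well-known ports, since a service on a non-standard port cannot be classified from the address alone; for those, a look at the actual traffic or the service configuration is needed.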

Finally, we need to put things into perspective a bit.

Did you know that most data breaches last year were the result of hackers breaking into user computers and point-of-sale devices (as in the case of Target Supermarkets), and not of hackers breaking into cloud providers?

Encryption in the cloud does nothing to protect the users’ own computers. Did you know that 1 in 20 laptops go missing in their lifetime? And still most people don’t encrypt their hard disks!

So please look at the lock on your backdoor before you start putting an extra lock on your front door.

By Peter HJ van Eijk

Peter HJ van Eijk, Contributor
Peter HJ van Eijk develops and delivers cloud computing training programs. He has delivered these programs dozens of times in the US, Europe, Middle-East and Asia to a wide variety of participants. He has worked for Deloitte Consulting, IT supplier EDS, internet providers, and at the University of Twente, where he received his PhD in 1988. He is a board member of the Dutch Cloud Security Alliance Chapter. Peter is a certified trainer for CSA Certificate of Cloud Security Knowledge (CCSK), CompTIA Cloud Essentials, Virtualization Essentials and Cloud Technology Associate. He wrote these courses or contributed to them.