Ninety-seven percent of all organizations use some form of cloud technology.1 Most organizations find that integration of security tools and technologies ensures the most effective cloud security strategy. Cloud service providers (CSPs) and third-party cloud security software vendors offer an array of tools for securing cloud data, applications, and network connectivity. However, cloud customers are always responsible for protecting their data and who can access it. One of the most important security safeguards for protecting cloud data is encryption.
While all data should be protected, not all data needs the extra safeguards that encryption provides. Sensitive cloud data is absolutely essential to protect, as it may contain intellectual property or financial information and may be subject to various regulations and mandated compliance. For this category of cloud data, the highest level of security is needed, especially in the face of potential theft, ransom, or data destruction.
When protecting critical data (as opposed to applications), two security measures stand out: protecting access to that data, and protection of the data itself. Access controls can be as simple as password authentication and should be used only in non-critical applications. Multi-factor authentication and user entity behavior analytics (UEBA) offer significantly improved protection but are only protecting against unwanted access. Therefore, encryption of sensitive data is a critical defense against data theft. Encrypted data—even if stolen—is useless to third parties without the encryption keys to decipher it.
Formulating a data encryption policy
Depending on the industry, organizations may need to formulate and publish their data encryption policy. The policy should detail specifically what data is subject to encryption and how it protects the organization and its adherence to regulations. Another important component of the policy is key management—who holds the keys for deciphering data, and how are the keys protected against theft or loss.
Organizations should follow four simple steps in determining how and when to use encryption in the cloud:
- What data needs encryption?
- When does data need encryption?
- Where should cloud encryption be deployed?
- Who should hold the encryption keys?
What data needs encryption?
Not all data needs encryption. Non-sensitive data that is already backed up, or data for non-critical operations may not be candidates for encryption. In addition, cost of encryption should be considered. Running encryption in the cloud uses cloud computing resources while data is encrypted and decrypted on virtual servers, and each instance of this compute power adds to customer costs. Therefore, organizations should carefully determine what data really needs encryption by considering the following questions:
- Does the data fall under regulatory compliance requirements, such as health records (HIPAA), financial data (PCI, SOX), privacy acts (GDPR), or other legal or contractual obligations?
- Is the data personally identifiable information?
- Does the data contain sensitive intellectual property?
- Is the data essential to the operation of the organization?
Other factors may vary by organization. Typically, about 20% of data in the cloud can be categorized as sensitive to most organizations.2
When does data need encryption?
Most data is not static. Records are updated, new data is added, and files and datasets are often transmitted to and from remote locations or between users and the cloud. Encrypting data at rest—data saved on disk or other media—is essential. However, data that moves between clouds or workloads and offsite—data in motion or in transit—is also vulnerable. Therefore, encryption of the most sensitive data when in motion (transmission security) should also be considered. If large amounts of sensitive data are transmitted, it is definitely a candidate for data-in-motion encryption.
Where should encryption be deployed?
Cloud encryption can be deployed:
- On the storage media and/or through the operating system (OS). Most major operating systems and large storage vendors offer data-at-rest encryption. Amazon Web Services, Microsoft Azure, and Google Cloud all provide data-at-rest encryption.
- In the cloud application. Many software-as-a-service (SaaS) application vendors provide de facto or optional encryption of data. However, organizations are then “locked in” to the vendor's encryption technology.
- In transit over the network. Although virtual private network (VPN) and Internet Protocol Security (IPSec) connectivity provide excellent data-in-motion protection at low or no cost, they may affect network performance. These technologies require certificate management, thereby adding another layer of complexity.
- Cloud security service software. As a part of their increasingly comprehensive protection services, third-party security software companies offer encryption technologies. For example, McAfee MVISION Cloud can apply encryption to cloud services and work with device-level encryption to apply the same policies.
Who should hold the encryption keys?
Some CSPs offer a choice—they manage the encryption keys for their cloud customers, or they allow the customer to manage them. Key management is critical—loss of keys or unsecure key management can put critical data at risk. Therefore, organizations should weigh the extra cost of CSP-managed keys versus the risk of not having direct management of these essential security controls. Full regulatory compliance may tip the scales in favor of the organization holding and managing its keys.
Regardless of who holds the keys, organizations should make certain that key access is through multi-factor identification and that key storage is itself secure and backed up in case of hardware failure. Moreover, it is recommended that organizations securely keep keys on storage separate from their data.
Cloud encryption resources
1 McAfee, 2018. “Navigating a Cloudy Sky.” https://www.mcafee.com/enterprise/en-us/solutions/lp/cloud-security-report-stats.html.
2 McAfee, 2018. “McAfee Cloud Adoption and Risk Report.” https://www.mcafee.com/enterprise/en-us/solutions/lp/cloud-adoption-risk.html.