Cloud encryption solutions encrypt data as it travels between authorized users and cloud-based applications and storage. In addition, cloud encryption services may encrypt data while it is stored on cloud-based storage devices. Each solution uses strong key-based encryption so that an outside party who intercepts a data stream on its way to or from the cloud, or who obtains a data file from cloud storage, cannot read it.
Cloud encryption software benefits
Cloud service providers (CSPs) offer basic cloud security. HTTPS is the standard for secure client-to-cloud communications. However, users may need extra protection to realize the following benefits that cloud encryption delivers:
- Secure, end-to-end protection of data to and from the cloud
- Prevention of data theft, exfiltration, or corruption
- Prevention of other cloud "tenants" from accessing your data
- Satisfaction of customer or regulatory requirements for data security
- Additional protection against outside threats
Most reputable CSPs offer basic cloud protection options. However, they caution users to implement additional measures to ensure data security. Strong encryption heads the list of precautionary measures that can help ensure secure operations.
How cloud encryption solutions work
There are two forms of encryption used in the cloud: encryption of data in transit and encryption of data at rest. Fortunately, most data-in-transit encryption is handled natively by web browsers and by file-transfer clients that connect over TLS-protected protocols such as HTTPS and FTPS, or over SSH (SFTP); plain FTP offers no protection.
Data-in-transit. The most prevalent form of cloud data-in-transit encryption is the widely used HTTPS protocol. HTTPS is the web's application-layer protocol, HTTP, carried inside a security "wrapper" around the communication channel. That wrapper is TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer); the older name SSL is still in common use, but the SSL protocol versions themselves are obsolete and should be disabled. The TLS wrapper encrypts all traffic within the channel so that only the two parties in that session can read the contents. In addition, TLS attaches a message authentication code to each record (a keyed integrity check, not a plain checksum) so that any alteration of data in transmission is detected and the connection is rejected. TLS also performs two important security functions beyond encryption. First, it verifies that the cloud user is talking only to the cloud destination it requested, by checking the server's certificate against a certificate authority the client trusts and against the host name the client asked for. Second, because the session keys are established only between the client and that authenticated server, it ensures that only the intended server can read the data the user sends and receives. Hence, TLS establishes an authenticated, confidential transmission channel.
If a third party intercepts the data stream between the user and the cloud, the unauthorized third party sees only ciphertext that reveals nothing useful. Encryption and decryption within the TLS channel occur at the user's end and at the destination, using keys agreed for that session. Those session keys are established with an asymmetric key exchange between the two parties, after the client has verified the server's certificate during the initial connection; the bulk of the traffic is then protected with fast symmetric algorithms under the session keys, which are discarded when the session ends.
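The certificate check described above, as an added example that is not part of the original article: a throw-away private CA issues a certificate for a made-up host, and the openssl CLI then performs the same verification a TLS client performs at connection time, against the right CA, against the wrong host name, and against a CA the client does not trust. The CA name, host names and file names are invented for the demo; it needs only a POSIX shell and the openssl command.

```shell
#!/bin/sh
# Certificate verification as a TLS client performs it, run offline with the
# openssl CLI. Example code added for this article, not part of the original
# page. "Demo Root CA", storage.example.test and the file names are made up.

# Build a throw-away CA in $1. The config is spelled out so the run does not
# depend on whatever openssl.cnf the system ships.
make_ca() {                # $1 = work dir
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a server certificate for DNS name $2 from the CA in $1 -> $1/$2.crt
issue_server_cert() {      # $1 = CA dir, $2 = DNS name the server will use
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # Clients match the requested host against subjectAltName, not the CN.
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# What the client does during the handshake: chain the presented certificate
# to a root it trusts and check that the name it asked for is in the cert.
# Prints OK or FAIL and never aborts the caller.
verify_as_client() {       # $1 = trusted CA file, $2 = requested host, $3 = cert
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

demo() {
  w=$(mktemp -d); make_ca "$w"; issue_server_cert "$w" storage.example.test
  c="$w/storage.example.test.crt"
  verify_as_client "$w/ca.crt"  storage.example.test "$c"   # OK
  verify_as_client "$w/ca.crt"  storage.example.com  "$c"   # FAIL: name mismatch
  w2=$(mktemp -d); make_ca "$w2"                            # a CA that did not issue $c
  verify_as_client "$w2/ca.crt" storage.example.test "$c"   # FAIL: untrusted issuer
  rm -rf "$w" "$w2"
}
demo
```

The two FAIL cases are the ones that matter in practice: a certificate for the wrong name is exactly what an interposed host would present, and a chain that ends at a CA the client has not been told to trust gives no assurance about who is on the other end. A client that disables either check (the "ignore certificate errors" option in most tools) keeps the encryption but loses both of the authentication guarantees described above.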
Data-at-rest. Encrypting data while it resides on a disk or other storage device ensures that even if an unauthorized user copies or opens the encrypted material, it appears as a useless jumble. Here the keys are not negotiated with the user in the way a TLS session negotiates them: the key that protects the stored data is held by the storage system or a key management service and is released only to users and workloads that present the proper authorization and credentials (such as certificates). Software handles all encryption and decryption in the background; the user needs to do nothing beyond accessing the data with proper authentication and authorization.
Why use encryption before uploading data to the cloud?
While using HTTPS provides a high level of protection to and from the cloud, it may not satisfy more stringent data security requirements. In such cases, users may wish to encrypt data even before connecting to the cloud. Several companies can provide strong disk encryption at the user, network, and cloud level. McAfee Endpoint Encryption software provides disk encryption across desktops and laptops with central management and transparent use, while McAfee Complete Data Protection delivers both data-in-transit and storage encryption protection.
Users can better determine their cloud encryption solution needs when they examine their operations and data applications.
- Does the data fall under regulatory compliance requirements, such as health records (HIPAA), financial data (PCI, SOX), privacy acts (GDPR), or other legal or contractual obligations?
- Does the data contain sensitive intellectual property?
- Is the data essential to the operation of the organization?
Any of these scenarios could require both data-in-transit and data-at-rest (disk) encryption.
Where should cloud encryption software be deployed?
Cloud encryption software can be deployed at several physical points in a cloud-based architecture, whether it is a private, hybrid, or public cloud.
On the storage media and/or through the operating system. Most major operating systems and large storage vendors offer data-at-rest encryption. Amazon Web Services, Microsoft Azure, Google Cloud, and others provide data-at-rest encryption for their cloud storage services.
In the cloud application. Many software-as-a-service application vendors provide built-in or optional data encryption. However, organizations are then "locked in" to the vendor's cloud encryption solution.
In transit over the network. Virtual private network (VPN) and IP Security (IPsec) connectivity provides excellent data-in-motion protection at low or no cost, although it may affect network performance. These technologies require management of certificates or pre-shared keys, thereby adding another layer of complexity. Microsegmentation, such as McAfee Virtual Network Security Platform, isolates network traffic against unauthorized access, although it is not strictly data encryption.
Cloud encryption services
As a part of their increasingly comprehensive protection services, third-party security software companies offer cloud encryption services. For example, McAfee Complete Data Protection provides media encryption, protects endpoints and the native operating system, and enables management of cloud encryption policies. Cloud encryption services and security can also be based solely in the cloud itself (like using McAfee MVISION Cloud).
Who should hold cloud encryption keys?
Some CSPs offer a choice: they manage the encryption keys for their cloud customers, or they allow the customer to manage them. Key management is critical, since loss of keys or insecure key handling can put critical data at risk. Therefore, organizations should weigh the lower cost and effort of CSP-managed keys against the risk of not having direct control of these essential security controls.
Full regulatory compliance may tip the scales in favor of internally holding and managing keys. Regardless of who holds the keys, make certain that key access requires multi-factor authentication, and that key storage is itself secure and backed up in case of hardware failure. It is also important to keep keys on storage that is separate from the data they protect, so that whoever obtains a copy of the data does not obtain the key with it.
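An added example, not from the article or any McAfee product, that ties together the mechanism described under "Data-at-rest" above and the key-holding advice in this section: envelope encryption with the openssl CLI. A random data key encrypts the file, a key-encryption key (KEK) wraps the data key, and only the wrapped key is stored beside the data, so whoever holds the KEK's private half controls access and the data key never sits on storage in the clear. An RSA key pair stands in for a KMS or HSM, the file names are illustrative, and CBC plus HMAC (encrypt-then-MAC) is used because `openssl enc` offers no authenticated mode.

```shell
#!/bin/sh
# Envelope encryption of a file at rest with the openssl CLI.
# Example code added for this article, not a McAfee product or CSP feature.
# Assumptions: an RSA key pair stands in for a KMS/HSM-held key-encryption
# key (KEK); the data key is wrapped with RSA-OAEP; the file is encrypted
# with AES-256-CBC and authenticated with HMAC-SHA256 (encrypt-then-MAC)
# because `openssl enc` has no AEAD mode. All file names are illustrative.

# Create the KEK pair in $1. In production only the public half lives with
# the application; the private half stays in the KMS/HSM (customer- or
# CSP-held, which is exactly the choice discussed above).
make_kek() {               # $1 = key dir
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/kek.priv" 2>/dev/null
  openssl pkey -in "$1/kek.priv" -pubout -out "$1/kek.pub"
}

# Encrypt file $2 into $3.enc / $3.iv / $3.tag / $3.key using the public KEK.
envelope_encrypt() {       # $1 = kek dir, $2 = plaintext file, $3 = output prefix
  enc_key=$(openssl rand -hex 32)         # fresh 256-bit data-encryption key
  mac_key=$(openssl rand -hex 32)         # separate key for the integrity tag
  iv=$(openssl rand -hex 16)
  printf '%s' "$iv" > "$3.iv"
  openssl enc -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$2" -out "$3.enc"
  # The tag covers IV and ciphertext so neither can be swapped undetected.
  { printf '%s' "$iv"; cat "$3.enc"; } |
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac_key" -r |
    cut -d' ' -f1 > "$3.tag"
  # Wrap both keys under the KEK; this blob is the only thing stored with the
  # data that can open it, and it is useless without the KEK's private half.
  printf '%s:%s' "$enc_key" "$mac_key" |
    openssl pkeyutl -encrypt -pubin -inkey "$1/kek.pub" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out "$3.key"
  unset enc_key mac_key                   # data key never touches disk in clear
}

# Decrypt $2.* into $3 with the private KEK in $1. Prints OK or FAIL.
envelope_decrypt() {       # $1 = kek dir, $2 = stored prefix, $3 = plaintext out
  # Step 1: unwrap the data key (in production: a KMS Decrypt call, gated by
  # the access controls and MFA discussed above).
  keys=$(openssl pkeyutl -decrypt -inkey "$1/kek.priv" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
      -in "$2.key" 2>/dev/null) || { echo FAIL; return 0; }
  enc_key=${keys%%:*}; mac_key=${keys#*:}
  iv=$(cat "$2.iv")
  # Step 2: verify the tag before the data key touches the ciphertext.
  expected=$({ printf '%s' "$iv"; cat "$2.enc"; } |
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac_key" -r | cut -d' ' -f1)
  if [ "$expected" != "$(cat "$2.tag")" ]; then echo FAIL; return 0; fi
  # Step 3: decrypt.
  if openssl enc -d -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$2.enc" -out "$3"; then
    echo OK
  else
    echo FAIL
  fi
}

demo() {
  d=$(mktemp -d); make_kek "$d"
  printf 'customer records (constructed sample)\n' > "$d/plain.txt"
  envelope_encrypt "$d" "$d/plain.txt" "$d/stored"
  envelope_decrypt "$d" "$d/stored" "$d/out.txt"      # OK
  cmp -s "$d/plain.txt" "$d/out.txt" && echo "round trip intact"
  d2=$(mktemp -d); make_kek "$d2"                     # a different KEK holder
  envelope_decrypt "$d2" "$d/stored" "$d/out2.txt"    # FAIL: cannot unwrap key
  rm -rf "$d" "$d2"
}
demo
```

The stored objects (`.enc`, `.iv`, `.tag`, `.key`) can be copied to any cloud bucket: a thief who takes all four still needs the KEK's private half, which is why that half belongs in separate, access-controlled key storage rather than next to the data. Checking the tag before decrypting is what lets the scheme refuse tampered ciphertext instead of returning garbage.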
Cloud encryption resources