Formulating a cloud encryption policy
Depending on the industry, an organization may need to formulate and publish its data encryption policy. The policy should state specifically which data is subject to encryption, how encrypting it protects the organization, and which regulatory obligations it satisfies. Another essential component of the policy is key management: who holds the keys that decrypt the data, and how those keys are protected against theft or loss.
Organizations can determine how and when to use encryption in the cloud by answering four questions:
- What data needs encryption?
- When does data need encryption?
- Where should cloud encryption be deployed?
- Who should hold the encryption keys?
What data needs encryption?
Not all data needs encryption. Non-sensitive data and data used only for non-critical operations may not be candidates (note that an existing backup addresses availability, not confidentiality, so a backup alone is not a reason to skip encryption). Cost should also be considered. Encrypting and decrypting data in the cloud consumes compute on the virtual servers that handle it, that compute is billed to the customer, and managed key services are typically metered per key and per request. Organizations should therefore determine carefully which data really needs encryption by considering the following questions:
- Does the data fall under regulatory or contractual requirements, such as health records (HIPAA), payment card data (PCI DSS), financial reporting data (SOX), personal data under privacy law (GDPR), or other legal or contractual obligations?
- Is the data personally identifiable information?
- Does the data contain sensitive intellectual property?
- Is the data essential to the operation of the organization?
Other factors vary by organization. Typically, about 20% of the data an organization holds in the cloud can be categorized as sensitive.[2]
When does data need encryption?
Most data is not static. Records are updated, new data is added, and files and datasets are transmitted between remote locations, between users and the cloud, and between cloud services. Encrypting data at rest (data saved on disk or other media) is essential. However, data that moves between clouds, between workloads, or off site (data in motion, or in transit) is also exposed, so the most sensitive data should be encrypted in transit as well. If large amounts of sensitive data are transmitted regularly, they are definitely candidates for data-in-motion encryption.
Where should encryption be deployed?
Cloud encryption can be deployed:
- On the storage media or through the operating system (OS). Most major operating systems and large storage vendors offer data-at-rest encryption, and Amazon Web Services, Microsoft Azure, and Google Cloud all encrypt stored data at rest, usually by default. Note what this layer protects against: disk- and platform-level encryption defends against loss or theft of the physical media, not against an attacker or insider who holds valid credentials, because the platform decrypts transparently for any authorized request.
- In the cloud application. Many software-as-a-service (SaaS) vendors encrypt customer data by default or as an option. However, the organization is then locked in to the vendor's encryption implementation and, unless the vendor supports customer-held keys, to the vendor's control of the keys.
- In transit over the network. Virtual private network (VPN) and Internet Protocol Security (IPsec) tunnels provide strong data-in-motion protection at low or no cost, though they can affect network performance, and where they authenticate with certificates they bring certificate lifecycle management with them. For traffic between clients, APIs, and cloud services, Transport Layer Security (TLS) is the usual mechanism and carries the same certificate-management obligation.
- Cloud security service software. Third-party security vendors increasingly bundle encryption into broader protection services. For example, McAfee MVISION Cloud can apply encryption to cloud services and work with device-level encryption so that the same policies apply in both places.
Who should hold the encryption keys?
Major CSPs offer a choice: the provider generates and manages the encryption keys, the customer manages its own keys in the provider's key management service, or the customer supplies or retains keys in its own key manager. Key management is critical. Lost keys make the data they protect permanently unreadable, and weak key handling exposes it. Organizations should therefore weigh the extra cost and operational burden of managing their own keys against the risk of ceding direct control of this essential security control to the provider. Regulatory requirements may tip the scales in favor of the organization holding and managing its own keys.
Regardless of who holds the keys, organizations should make certain that access to keys requires multi-factor authentication, that key storage is itself secure and backed up in case of hardware failure, and that keys are kept on storage separate from the data they protect, so that loss or compromise of one store does not hand over the other.
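The key-holding, backup, and key-separation recommendations above, as an added example that is not code from the original page or from any vendor named on it: a small envelope-encryption scheme in Python in which a hypothetical `KeyHolder` (standing in for either the CSP's key service or the customer's own key manager) holds a key-encryption key (KEK), every object gets its own data key, and wrapped data keys are kept in a key store separate from the ciphertext. Losing the KEK without a backup makes the data unreadable, a holder with a different KEK cannot unwrap anything, and a ciphertext moved to another object name fails authentication. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; in production use a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


class KeyUnavailable(RuntimeError):
    """The key holder no longer has (or never had) its KEK."""


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode PRF: block i = HMAC(key, nonce || i), joined and truncated to length.
    blocks = (_prf(key, nonce + struct.pack(">Q", i)) for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first: a wrong key, wrong aad, or modified data raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyHolder:
    """Hypothetical party holding the KEK (the CSP's key service or the customer's
    own key manager). Only KEK-wrapped data keys leave it, so whoever holds the
    KEK decides who can read the data."""

    def __init__(self, name: str):
        self.name = name
        self._kek = secrets.token_bytes(32)
        self._backup = None  # escrow copy, assumed to live on separate media

    def _kek_or_fail(self) -> bytes:
        if self._kek is None:
            raise KeyUnavailable(f"{self.name}: KEK is not available")
        return self._kek

    def wrap(self, dek: bytes) -> bytes:
        return encrypt(self._kek_or_fail(), dek, aad=b"dek-wrap")

    def unwrap(self, wrapped: bytes) -> bytes:
        return decrypt(self._kek_or_fail(), wrapped, aad=b"dek-wrap")

    def back_up(self) -> None:
        self._backup = self._kek

    def lose_kek(self) -> None:  # simulate hardware failure or deletion of the key store
        self._kek = None

    def restore(self) -> None:
        if self._backup is None:
            raise KeyUnavailable(f"{self.name}: no backup to restore from")
        self._kek = self._backup


# Two stores kept apart, as the policy recommends: ciphertext in the data store
# (bucket or disk), wrapped data keys in a key store the data store cannot read.
data_store: dict = {}
key_store: dict = {}


def put_object(holder: KeyHolder, name: str, plaintext: bytes) -> None:
    dek = secrets.token_bytes(32)  # fresh data key per object
    data_store[name] = encrypt(dek, plaintext, aad=name.encode())  # name bound as aad
    key_store[name] = holder.wrap(dek)  # the KEK itself never touches the data path


def get_object(holder: KeyHolder, name: str) -> bytes:
    dek = holder.unwrap(key_store[name])
    return decrypt(dek, data_store[name], aad=name.encode())


def can_read(holder: KeyHolder, name: str) -> bool:
    """True if this holder can recover the object; False on a wrong or lost KEK or tampering."""
    try:
        return get_object(holder, name) is not None
    except (KeyUnavailable, ValueError):
        return False


if __name__ == "__main__":
    customer = KeyHolder("customer-kms")
    customer.back_up()
    put_object(customer, "hr/payroll.csv", b"employee,salary\nalice,100000\n")
    customer.lose_kek()
    print("readable after KEK loss:", can_read(customer, "hr/payroll.csv"))  # False
    customer.restore()
    print("readable after restore:", can_read(customer, "hr/payroll.csv"))  # True
```

Running the file shows the object becoming unreadable after `lose_kek()` and readable again only because a backup was taken first. The structure is the envelope pattern cloud key management services use: the provider's KMS or the customer's own HSM wraps per-object data keys, and whoever controls the KEK controls access, which is exactly what the choice between provider-managed and customer-managed keys comes down to.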