A day doesn’t go by when we don’t hear about sensitive information being exposed or stolen. The culprits could be the government, professional hackers, careless employees with data on mobile devices, or internal employees with unauthorized access to data or unintentional release of data. It seems the wave of data breaches has gained momentum as data has moved from internal servers to the cloud; and access has gone mobile. Though the fact remains that there will be gaps in security, the goal of companies and IT departments should be to make those gaps as small and as difficult to take advantage of as possible.
Encryption has always been viewed as one of the strongest security measures, and its price-performance has become very attractive with the advent of cloud computing. This is because encryption is by far the best way to replace physical walls in the cloud.
Here are our top 5 cloud encryption tips (and we know a thing or two about encryption) to help protect your data:
1. Consider Encryption at rest, in use and in transit.
Data can be exposed when it is at rest in the cloud, on a virtual disk, in a cloud database, or in object storage. Eavesdropping may occur when data is being transmitted, perhaps from a user’s browser to your servers in the cloud, or between your cloud servers. Really nasty hackers may even try to gain access to your “root account” in a cloud server and look at the memory of your server while the data is being used and computation is going on. You should be aware of all these possibilities and choose solutions that address all of these risks.
2. Review your cloud encryption options and pick the strongest
Implementing encryption properly is tricky, and your best bet is to use a solution from the experts. Take a look at the encryption solutions available for your choice of cloud. Encryption is available for both private and public clouds – check the Amazon Marketplace, the VMware VSX, or whatever is appropriate for the cloud you are using. Whichever path you take, make sure the strongest encryption standards are used and regularly reviewed.
3. Define security responsibility
Many compliance regulations (like PCI and HIPAA) require data encryption at multiple touch points. That means it’s no longer the other guy’s (customer, provider, vendor, or all) problem, but yours. A full 39% of responses from the Ponemon Institute study hoped that if their cloud data was compromised the cloud provider would alert them – but actually it may be their own responsibility. More chillingly – yet realistically: 42% said they wouldn’t know if their cloud server was hacked.
Taking responsibility for your data involves many precautions. Encryption in the cloud is one of the most important precautions, especially if you make sure to keep ownership of the encryption keys to yourself. As long as you own your encryption keys, you retain control of your data, even if bad things may happen.
4. Encrypt Encrypt 000000000 45 6E 63 72 79 70 74
Let’s just say that you’ve hardened the server from external hackers and they can’t access your data. That’s great! But, wait, what about internal employees?
What’s that you say? They are all trustworthy? Really? I bet that’s what Snowden’s boss thought too.
Trusting your employees is fine but it is best to be prepared for the worst, just in case. Choose STRONG encryption for your data to protect it from internal and external attacks, breaches, and theft. Only grant access to those who need it. Train them on how to deal with encrypted data, how to access it, where they can access it from, and have them follow the security procedures. Don’t forget to encrypt backups and snapshots. Encryption is especially great for maintaining control of multiple copies and backups – deleting the key for that particular data has the same effect as deleting all the copies, no matter where they have strayed.
5. Protect your keys
To give one key to the security vendor or cloud provider is to provide attackers one target to compromise. Strengthen your key security by using the strongest encryption key technology available, homomorphic key management. The technology provides two keys with an encrypted master given to the application/data owner, which stays encrypted while in-use. Even if the encrypted master is stolen the data still won’t be accessible.
Protecting your and your customer’s data is a part of doing business. Doing it wrong can hurt business and the bottom line. Put real procedures in place to protect the data and in-turn, the business. Preparing for the worst never seems necessary until it is necessary. After all, you don’t want to find out about a data breach to your data on the nightly news. Prepare and protect.
To find out more about cloud encryption tips and a white paper on key management click here.
Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance. Gilad can be found on his blog, Twitter, LinkedIn, and Google+ discussing cloud security.