As business regulations and information security expand at an asymmetrical pace, corporate executives often end up facing privacy and security challenges they do not have the knowledge or experience to address.
While encryption is the baseline technology that privacy experts agree is the cornerstone of security, encryption in the cloud can be daunting. With so many different types of encryption available, small to mid-size businesses are finding this approach inviting yet very confusing.
Encryption is hardly a new technology, but historically encrypted data was stored on servers which resided on premises over which the company had direct control. With many of today's popular business applications hosted in the cloud, business executives need to either depend on contract language to protect their assets, select a cloud provider that will allow the customer to encrypt the data before it is sent to the cloud for storage or processing, or partner with a software as a service (SaaS) provider that will manage the encryption and decryption of the corporate data.
Sometimes the companies have no choice; some customer relationship management (CRM) applications, such as Salesforce.com, and enterprise file sync and share (EFSS) applications, such as Citrix ShareFile, use secure web connections, such as transport layer security (TLS) encryption, to transfer data from the user's keyboard or servers to the web application. Some cloud storage applications, such as Barracuda's Copy.com, also allow the user to create a secure link between their corporate network or mobile systems and the cloud storage application. Once the data reaches the cloud provider's servers, the application provider generally encrypts it to secure the data at rest.
Effective Data Protection in the Cloud
However, we run into one of the challenges of asymmetrical growth in the cloud environment. In the past, one of the most important tasks the IT manager had was managing encryption keys. Separating the encryption key from the encrypted data is essential in keeping data secure, says Cortney Thompson, chief technology officer of Green House Data, a cloud hosting and data center service provider.
"One area we caution our healthcare clients to watch out for is the storage and use of encryption keys," he says. "They often store the keys in the same location as the data itself."
Applications might store keys in memory while they're in use, too. Encryption keys should be kept on a separate server or storage block. A backup of all your keys should also be kept in an offsite location in case of disaster. This backup should be audited every couple of months. "Encryption keys also need to be refreshed regularly," Thompson adds. "This is often forced on companies as the key itself is set to expire automatically, but other keys need a refresh schedule. Consider encrypting the keys themselves (though this leads to a vicious circle of encryption on top of encryption). Finally, give master and recovery keys multi-factor authentication."
Not all corporate data rises to the level of requiring encryption and not all users have the same need to access data, notes Vic Winkler, cybersecurity and information security consultant. It is important for companies, even SMBs, to create rules to identify what information rises to the need of encryption and what data can be stored safely in plain text.
Winkler notes that segregating data using software-as-a-service applications that automatically encrypt the data within the applications can go a long way to ensuring that important data is protected. It is also important that the data is protected in such a way that it does not impact the company's business processes negatively.
In order to protect data effectively, Winkler says, the corporate officer in charge of security, be that a CISO in a large enterprise or a designated manager in an SMB, needs to protect the data in all three of its states: data in transit, data in use and data at rest. Today companies do a fairly effective job with data in transit using TLS, he says, but data at rest and in use still can be improved.
In fact, Winkler says, protecting data at rest is essential. The best choice is to encrypt sensitive data when it is created so that when it is stored in a data center, be it locally or in the cloud, it will be protected. Application security, he says, is similar to a layer cake. As data is added to the file in an application, security should be an integral part of the whole so that security moves with the data.
Cloud Encryption: Challenges and Recommendations
With the expansion of mobile applications, customers should consider having their service provider or a third-party proxy provider manage the encryption keys rather than the company's own IT department, suggests Manny Landrón, senior manager of security and compliance at Citrix. The problem companies run into, he says, is that if data is encrypted before being uploaded to a cloud storage provider and that data is then needed on a mobile or remote device that does not already have the decryption key, the resulting download will be useless, encrypted data. This becomes exacerbated when a company tries to share data with a business partner, but does not want the partner to have direct access to decryption keys.
Key rotation and destruction also becomes more complex when a company is managing its own keys for what can entail millions of files, he notes. A third-party proxy provider can add a layer of protection by keeping the keys separate from the encrypted data at a cloud provider, but this also adds another layer of complexity, as well as the additional cost of a second third-party provider for the company.
Landrón cautions companies to ask their providers and potential SaaS partners what protocols they use for transmitting data. The Secure Sockets Layer (SSL) approach, the standard for years, fell out of favor after the 2014 discovery of the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, a man-in-the-middle attack that exploits a weakness in the design of the SSL protocol itself rather than a bug in any one implementation.
Moving to TLS rather than SSL eliminates the vulnerability, but some legacy systems running older operating systems, such as Windows XP, cannot use TLS. As a result, some retailers still keep servers running SSL to support those older systems, even though this leaves confidential data open to compromise. The only way to eliminate the risk entirely is to disable SSL, on either the client or the server; that removes the problem but also makes the servers inaccessible to systems that support nothing but SSL.
Beyond key management, the largest issue SMBs must grapple with is believing that a cloud provider is better at protecting sensitive data than they are and is as vested in protecting the company's data as is the data's owner, says Jeff Cherrington, VP of product management at Prime Factors, a cloud security vendor.
Cloud providers are not subject to the same data breach disclosure laws as are banks, federal agencies, and other entities, he points out, and breaches that do occur might not be widely publicized or associated with cloud providers. However, the organization that owns the data is responsible, even when the cause of the data breach lies with the cloud hosting organization. If such a data breach is publicized, the negative attention will be focused more on the data owner than on the cloud computing provider. It is, ultimately, the obligation of the enterprise to protect its data, wherever and however it is processed. This is why the Cloud Security Alliance, in its Security Guidance for Critical Areas of Focus in Cloud Computing, recommends that sensitive data should be:
- Encrypted for data privacy with approved algorithms and long, random keys;
- Encrypted before it passes from the enterprise to the cloud provider;
- Kept encrypted in transit, at rest, and in use;
- Protected so that the cloud provider and its staff never have access to the decryption keys.
"This last stipulation can be the most challenging for SMBs, depending on their use of cloud," Cherrington adds. "For simple file sharing, there are some good add-ons for Dropbox and similar offerings, such as Viivo or SafeMonk. When an SMB moves processing to the cloud, things become a bit more complex." Like Landrón, Cherrington recommends that companies processing sensitive data in the cloud still take advantage of the cloud's economy of scale and elasticity. The data should remain encrypted up to the moment of use, he says, and both the decryption keys and the decrypted data should exist in the clear only within a protected, transient memory space.
"Both the keys and the clear text versions of the sensitive data must be auditably wiped so that no copies are ever written to disk," he says. Also, he suggests that the processing must never write copies of the clear text sensitive data to any logs or other persistent records.
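Thompson's advice to keep keys apart from the data and refresh them regularly, and the Cloud Security Alliance rule that the provider never holds the decryption keys, are what envelope encryption delivers in practice. The Go program below is an added illustration, not code from any vendor or expert quoted in this article; it assumes a 32-byte master key that the enterprise keeps on its own key server and never uploads, and uses a fresh per-object data key wrapped under that master key.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// must turns the two "cannot happen" failures here (bad AES key length, dead CSPRNG) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// seal is AES-GCM with a fresh random nonce prepended; open reverses it and rejects any tampering.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// Encrypt runs on the client before upload: only ciphertext and the wrapped data key go to the provider.
func Encrypt(masterKey, plaintext []byte) (ciphertext, wrappedKey []byte) {
	dataKey := make([]byte, 32) // fresh AES-256 key used for this one object only
	must(rand.Read(dataKey))
	return seal(dataKey, plaintext), seal(masterKey, dataKey)
}
// Decrypt needs the master key, so it can only happen where the enterprise holds that key.
func Decrypt(masterKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := open(masterKey, wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ciphertext)
}
// Rotate refreshes the master key by rewrapping only the small data key; the stored ciphertext is untouched.
func Rotate(oldMaster, newMaster, wrappedKey []byte) ([]byte, error) {
	dataKey, err := open(oldMaster, wrappedKey)
	if err != nil {
		return nil, err
	}
	return seal(newMaster, dataKey), nil
}
```

The provider stores only ciphertext and wrappedKey, neither usable without the master key, and the unwrapped data key and plaintext exist only in the client's process memory.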
Matt Nelson, president and CEO of AvaLAN Wireless, warns that the United States' next Pearl Harbor will be a cyber attack. Imagine, he says, if websites such as Google or Microsoft are brought down entirely due to an attack. Both of those companies hold massive amounts of consumer data on their cloud servers so encryption should be considered a standard business practice, he adds.
Due to the plethora of recent cyber attacks on large data centers and commercial sites, be they retail, healthcare, government or commercial and industrial, data security has been in the news far more than in recent years. "I hope people don't get desensitized to the big attacks," he says.