The “Cloud” is a term that gets thrown around a lot. It is a loose label for a shared environment of collaboration tools, file storage, and software delivered as a service. Because it serves so many purposes, cloud storage continues to expand and gain users, as people and companies value its convenience. However, with anywhere-anytime access come security concerns. Wondering how cloud encryption can protect your sensitive data from security breaches? Find out now with our comprehensive guide.
Understanding the Cloud
In the past, programs and data were accessed on each individual’s own computer. With cloud computing, data and programs are stored on a provider’s servers and accessed over the Internet; without the Internet, the “cloud” would not exist. The term comes from the cloud symbol that network diagrams use to stand for the Internet, or for any network whose internals are abstracted away. In short, with cloud computing your data does not live on a dedicated local device such as a hard drive or an on-premises server; it lives on infrastructure the provider operates and is synced over the Internet.
Consumer vs Business Cloud
For consumers, cloud computing means remote document access and an improved collaboration environment. For businesses, cloud computing takes on a broader meaning. While the business cloud still benefits from the consumer cloud aspects, it also includes Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Businesses either sell these services or subscribe to them. The cloud allows businesses to adapt more quickly to change by identifying a need and then finding or building an online platform or program to fulfill it. From storage to online applications, the cloud benefits not only households but also business operations.
Cloud Deployment Categories
When classifying cloud computing by who may use the infrastructure, NIST describes four deployment models: public, private, hybrid, and community clouds. A private cloud is infrastructure provisioned for the exclusive use of a single organization; it may be run in-house or by a third party. Although it requires more work and expertise, a private cloud allows for greater control over security. A community cloud is shared by several organizations with common concerns, such as a shared mission or the same compliance requirements. For example, a platform shared by pet adoption nonprofits can let them exchange information and expedite the adoption process while keeping the data within a group that shares their goal. A hybrid cloud combines two or more distinct clouds (private, community, or public) that remain separate entities but are bound together so that data and applications can move between them; a common pattern is to keep critical applications in a private cloud and run workloads with less stringent security needs in a public or community cloud. Lastly, a public cloud is infrastructure that a provider operates and offers to the general public.
How Vulnerable is the Cloud?
In an attempt to embrace innovation and improve operations, companies are increasingly migrating their data and services to the cloud. Unfortunately, if that migration occurs too quickly, companies will face technical, financial, and legal troubles. In many ways, the threats cloud computing faces mirror those of traditional data repositories and systems. Software vulnerabilities are still a problem. The difference lies in who is responsible for securing the environment. Before the cloud, whoever housed the data or ran the system bore the responsibility of securing it. With the cloud, responsibility is shared between the cloud service provider (CSP) and the cloud consumer, and the dividing line depends on the service model: the more the provider manages (SaaS more than PaaS, PaaS more than IaaS), the less the customer secures directly, but the customer always remains responsible for its own data, identities, and access configuration.
While many of the security threats are the same, there are several threats unique to the cloud environment.
- Less Visibility – Shifting to a cloud platform reduces a company’s control over the underlying infrastructure and the policies that govern it; the CSP holds that control. Companies must therefore approach security monitoring differently: they cannot tap the provider’s network, so assessment and monitoring rely on the logs, APIs, and configuration views the CSP exposes rather than on network-based tools.
- Unauthorized Usage – Cloud computing breaks down the traditional IT gatekeeping role. If a department needs an additional service, it can subscribe directly with a CSP without involving IT (so-called shadow IT). Software not overseen by the in-house IT department reduces visibility and control and makes malicious activity harder to monitor, which increases the likelihood of unauthorized access going unnoticed.
- Compromised APIs – Cloud application programming interfaces (APIs) are exposed over the Internet, so any weakness in their authentication, authorization, or input handling is directly reachable by attackers. APIs are how customers and employees interact with the platform; if one is compromised, both the assets behind it and the consumers using it can be affected.
- Data Deletion – With data replicated across a provider’s storage and backups, it is difficult to confirm that data is actually gone. You may have deleted the data on your end, but copies may still exist in the CSP’s infrastructure.
- Supply Chain Vulnerability – Not all CSPs operate entirely in-house; many rely on third parties for hardware, software, or hosting. This becomes a problem when pursuing compliance or conducting an audit. Companies should make sure that their cloud contracts spell out compliance expectations and enforcement measures for any third parties the CSP uses.
- Insider Abuse – Since companies do not have full control over security monitoring in the cloud, administrators who abuse their privileges pose a serious threat, whether they work for the customer or for the CSP. This is particularly true for IaaS, where detecting a rogue provider administrator depends on the CSP’s own internal forensics, which the customer cannot perform.
These threats are by no means the only issues with migrating to a cloud platform. Keeping these threats in mind and taking a more cautious approach when implementing cloud technology will help mitigate potential threats.
Encryption for the Cloud
With all the threats noted above, it is important to actively secure data in the cloud with cryptography. Encryption protects confidentiality by converting readable data (plaintext) into ciphertext that can only be turned back into plaintext with the right key. It does not by itself authenticate who is accessing the data, and only authenticated encryption modes additionally detect tampering. This contrasts with storing or transmitting data as plaintext. Providers do not always encrypt stored data by default, because it adds processing overhead and, more importantly, the burden of managing keys. Some providers offer only limited encryption, and some allow customers to encrypt data themselves before uploading it, so that the provider never holds the key.
Data can be encrypted at rest (in storage) or in transit (on the network). While the majority of cloud providers encrypt data in transit, only 9.4 percent encrypt data at rest. Transport encryption such as TLS makes a man-in-the-middle attack unlikely, but it ends at the provider’s edge: malware, a worm, or any other intrusion into the storage layer can read unencrypted data at rest directly. Much of the data uploaded to the cloud comes from file-sharing applications, and 34 percent of file-sharing users have uploaded sensitive information such as PII and PHI.
Types of Encryption
The general term “encryption” covers several distinct things, including data encryption (protecting stored content), connection encryption (protecting traffic), and end-to-end encryption. With provider-side encryption, the CSP encrypts data when it receives it and holds the keys needed to decrypt and process it (or, with customer-managed keys, is granted use of them); with client-side encryption, the customer encrypts before upload and the CSP never has the key. A “secure connection” is a catch-all term for protecting cloud traffic with security protocols. A secure connection should keep third parties from reading the traffic (unless deliberately given access), authenticate the parties on each end, and ensure unauthorized parties cannot alter the data in transit. The definitions below will help you understand both cryptographic scrambling and secure connections, particularly as they apply to the cloud.
End-to-end (E2EE) – E2EE encrypts data on the sender’s device and allows only the designated recipient to decrypt it. The cryptographic keys reside only at the sender’s and receiver’s ends, so a provider relaying or storing the data cannot read it. E2EE is a property of a system’s design rather than a particular algorithm: in practice it is built by using asymmetric encryption to exchange or wrap a key and symmetric encryption (typically AES) to encrypt the data itself.
Asymmetric – Also called public-key cryptography. Asymmetric encryption uses a pair of mathematically related keys: one is shared (the public key) and the other is kept secret (the private key), and data encrypted with one can only be decrypted with the other. SSH, TLS/SSL, and S/MIME use asymmetric cryptography to authenticate parties and exchange keys, then protect the bulk of the data with a symmetric cipher. RSA is one of the most widely used asymmetric algorithms; its security rests on the difficulty of factoring very large numbers.
AES – The Advanced Encryption Standard (AES) is the symmetric block cipher standardized by NIST in 2001 (FIPS 197) and approved for U.S. government use, including classified information, which is the origin of the “military-grade” label. Symmetric means the same key is used for encryption and decryption. AES always operates on 128-bit blocks but supports three key sizes, 128, 192, and 256 bits, which use 10, 12, and 14 transformation rounds respectively. None of these key sizes can be brute-forced in practice, so AES fails in the field only through poor key management or misuse, such as reusing a nonce with the same key.
Since CSPs don’t always encrypt files, consumers and businesses must sometimes take a proactive approach by researching the encryption tools available. A 2019 WindowsReport article reviewed six different tools for cloud encryption. Below is a quick summary of two suggested tools and why they are useful. Every company should take the time to research the cloud security tools available, as they ease the burden on in-house IT departments and lessen reliance on CSPs for security assistance.
Boxcryptor – This free service offers end-to-end encryption and combines asymmetric RSA (to protect keys) with symmetric AES (to encrypt file contents). Upgrading from the free subscription grants users greater control and compatibility with multiple accounts. Among the roughly 30 cloud platforms Boxcryptor works with are Google Drive, Dropbox, and OneDrive.
Cryptomator – Cryptomator is open source and requires no subscription. It uses AES encryption and encrypts each file individually, including files inside folders. The service is user-friendly and updated regularly to strengthen its security.
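The RSA-plus-AES pattern that the definitions above describe, and that the Boxcryptor summary attributes to that tool, is usually called envelope encryption: a fresh random AES key encrypts the file, and the file key is wrapped with the recipient’s RSA public key so that only the private-key holder can unwrap it. The following is an added worked example in Go, written for this page; it is not code from the original article or from Boxcryptor or Cryptomator. It uses only the Go standard library, AES-256-GCM for the content (so tampering is detected, not silently decrypted), RSA-OAEP for the key wrap, and a constructed sample “file” and object path; the function names and the idea of binding the object path into the authentication tag are this example’s own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is what the client uploads to the provider: the data key
// wrapped with the recipient's RSA public key, plus the AES-GCM ciphertext.
// The provider sees neither the plaintext nor the unwrapped data key.
type EncryptedObject struct {
	WrappedKey []byte // RSA-OAEP(recipientPublicKey, dataKey)
	Nonce      []byte // 12-byte GCM nonce; safe because the data key is never reused
	Ciphertext []byte // AES-256-GCM ciphertext followed by the 16-byte auth tag
}

// Seal performs client-side envelope encryption. A fresh random 256-bit data
// key encrypts the plaintext with AES-GCM, and the data key is wrapped with the
// recipient's RSA public key. aad (e.g. the object path) is authenticated but
// not encrypted, so a ciphertext cannot be silently moved to another path.
func Seal(recipientPub *rsa.PublicKey, plaintext, aad []byte) (*EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal on the recipient's side. Any change to the ciphertext,
// nonce, or aad makes gcm.Open fail, so a tampered object is rejected rather
// than decrypted to garbage; a wrong private key fails at the unwrap step.
func Open(recipientPriv *rsa.PrivateKey, obj *EncryptedObject, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, obj.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, obj.Nonce, obj.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed: object modified or wrong context")
	}
	return pt, nil
}

func main() {
	// Constructed sample input: the recipient's key pair, a "file", and its path.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	file := []byte("patient-id=4711; diagnosis=...")
	aad := []byte("bucket/records/4711.txt")

	obj, _ := Seal(&priv.PublicKey, file, aad)
	fmt.Printf("uploaded %d bytes of ciphertext and a %d-byte wrapped key\n",
		len(obj.Ciphertext), len(obj.WrappedKey))

	pt, err := Open(priv, obj, aad)
	fmt.Println("recipient reads:", string(pt), err)

	obj.Ciphertext[0] ^= 1 // simulate a storage-side modification
	_, err = Open(priv, obj, aad)
	fmt.Println("after tampering:", err)
}
```

Two design points are worth noting. Because every object gets its own data key, the GCM nonce can never be reused under the same key, which is the one catastrophic failure mode of AES-GCM. And because the provider stores only the wrapped key, the provider-side threats listed earlier (insider abuse, compromised storage, incomplete deletion) expose ciphertext but not content; what remains for the customer to protect is the RSA private key itself.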
Encryption Best Practices
As detailed above, data can be either at rest or in transit. For each state, there are several encryption best practices formulated to protect the confidentiality and integrity of that data and to control access to it. The following best practices will help you start drafting, or strengthen, your cloud encryption policies.
- The first step, if it hasn’t already been done, is to develop a cloud encryption policy. Consider what type of encryption you want to use and what information requires such protection. A comprehensive policy must detail the types of data stored or transmitted, the type of encryption (if any) each data type receives, and the purpose of encryption (i.e., does it fulfill a regulation or protect the company itself?). Also include how keys will be generated, protected, rotated, and managed, since an encrypted dataset is only as safe as its keys.
- Ranking data gives encryption a greater impact. Since not all data needs to be encrypted, taking the time to determine what data actually needs encryption saves money in the long run. Which data to encrypt largely depends on the regulations a company must satisfy. Does HIPAA, SOX, GDPR, etc. apply? If yes, then encryption standards must, at a minimum, meet those requirements.
- It’s also important to decide when to use encryption. If sensitive information is transmitted often, implementing data-in-transit encryption is a good idea. Extremely sensitive data should be encrypted both in transit and at rest. Information that requires encryption is typically intellectual property, Personally Identifiable Information (PII), or protected health information (PHI).
- In order to use encryption effectively, companies must understand the different deployment options. The first is to encrypt stored data at the storage or operating-system layer (data-at-rest encryption); Amazon Web Services and Google Cloud are among the major CSPs that offer server-side encryption of storage in this way, with the provider managing the keys unless the customer supplies its own. The second option is SaaS encryption in the cloud, where subscribing companies use the vendor’s encryption by default and must trust the vendor’s key handling. The third option secures data in transit using TLS, VPNs, or Internet Protocol Security (IPsec), at some cost to network throughput and latency. Lastly, companies can employ a cloud security service provider offering software focused solely on encryption and security protocols. Datamation published a list of eight top cloud security solutions available as of April 2019.
NIST Cloud Model
The National Institute of Standards and Technology (NIST SP 800-145) defines cloud computing as:
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
In addition to the three service models (SaaS, PaaS, and IaaS) and four deployment models explained above, NIST’s cloud model highlights five essential characteristics of the cloud. These five characteristics, in large part, explain why companies are so eager to embrace the cloud movement.
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
Security concerns can sometimes hold companies back from maximizing efficiency through using the latest technology. The cloud can be underutilized out of security fears or embraced too quickly without enough caution. The key is to approach the cloud with caution but to nonetheless capitalize on its benefits for customers, employees, and departments. Taking the time to learn about cloud security, like encryption, enables better-informed decisions and a safer cloud environment. If you need help assessing your cloud encryption policies or are interested in learning about the different cloud security services available, contact RSI Security today.