Subscribe

Encrypting data in the cloud

Cloud encryption endeavours to make a company's data unreadable to anyone but the company itself.

Stuart Hardy
By Stuart Hardy, business development director of EOH Global Networks Division UK.
Johannesburg, 24 Nov 2016

The widespread adoption of cloud applications in the enterprise has come hand-in-hand with security issues as well as concerns around regulations and compliance. Cloud computing shares resources that were previously never shared, bringing with it new problems that need new security practices to solve.

Encryption in the cloud can seem daunting.

Many cloud apps function with very little visibility or control over the handling of a company's most sensitive data. While this benefits the business in many ways, as the pain is taken out of operationalising business applications, it's a real thorn in the side of security teams.

Although data security is a top concern, effective data protection and strong encryption in the cloud is possible and available through a number of providers. While encryption is the standard tool that privacy experts say is the lynchpin of security, encryption in the cloud can seem daunting. With myriad types of encryption available, companies are battling to decide which approach to take. Cloud encryption essentially promises to make a company's data unreadable to anyone but the company itself. However, it's not without its issues and it might not be suitable for all businesses.

For most enterprises, the major drivers behind cloud encryption are the need to protect their proprietary information such as intellectual property and trade secrets, as well as to protect highly regulated customer data such as personal information or financial logins. Data residency is another reason many companies go the encryption route, as data stored in the cloud might be subject to different regulations, depending on where it resides.

Encryption is far from a new technology, but in the past, encrypted data was stored on servers that lived on-premises and totally within the company's control. With many essential business applications hosted in the cloud, executives need to depend on having solid contracts in place with their cloud providers to protect their information, or go with a provider that allows them to encrypt the data before it is sent to storage.

In certain cases, the companies have no choice at all, as certain CRM applications, for example, already make use of secure Web connections such as transport layer security encryption to transfer data from the individual's keyboard or servers to the Web application. Other cloud storage applications enable the user to create a secure link between their company network and the application. Once the data arrives at the provider's servers, the application provider will usually encrypt it so it is secure at rest.

Keys are key

However, encryption is not without challenges of its own. There are encryption keys that need to be separated from the data to keep it secure. There are too many occasions where the encryption keys are stored with the data. I don't need to explain why this is such a danger. Encryption keys must be kept on an entirely separate server or storage unit. A backup of all the keys also needs to be kept somewhere offsite in the event of a disaster.

Moreover, encryption keys must be refreshed on a regular basis. Often this happens automatically as keys are set to expire on a certain date and time, but others need to be done on a schedule. Although it's an onerous process, companies should consider encrypting the keys themselves, but this can get complicated. However, as a matter of course, master or recovery keys should make use of multifactor authentication. Also, the cloud provider and its employees should never have access to decryption keys, under any circumstances.

Finally, bear in mind, not all data needs the same protection, and not all users need access to all information. Decide what the company's most valuable data is, use the strongest security measures around that data, and always enforce principles of least privilege.

Share