Cloud Encryption Explained

April 21, 2015 By Anthony Scotney

Significant cost drivers have squarely placed the cloud in the sights of CIOs. Unfortunately, these drivers have often been stalled by a fear that the cloud is an exposed environment that is not only difficult to secure but also a regulatory nightmare. Fortunately, there are concrete mechanisms that can protect cloud applications against crippling data loss, leaks and breaches. Cloud data protection (also known as Cloud Encryption) is one such mechanism that forms the focus of this post.

Cloud data protection

Encrypting sensitive information before it leaves the corporate network for the cloud has obvious benefits. There are ways to perform this encryption without encumbering end users or breaking integration points. In fact, this approach to encryption is designed to integrate seamlessly with cloud applications.

Applications are the weak point most often exploited in attacks that lead to data breaches, data leaks and data loss. The majority of data breaches loosely fall into two categories: user credential (username/password) based attacks and application vulnerability attacks. The Verizon 2015 Data Breach Investigations Report notes that 70% of data breaches over the last year "still rely on decades-old techniques such as phishing and hacking". Preventing these two categories of attack is a challenge, but not an insurmountable one.

User credential theft has been reported over the last decade as a leading cause of data breaches. I will not cover how to protect user accounts against credential theft here, as that is covered in a previous post - 4 Key pieces of the Cloud Security Puzzle. This post is strictly focused on the encryption mechanisms that can be employed to protect content within the cloud application in the event that user credentials are breached or the application or back-end system is exploited.

Why Encrypt Cloud Application data?

Encrypting information before it reaches the cloud is a critical foundation for protecting confidential data against data breaches. If sensitive application data is encrypted before it leaves the corporate network, it remains protected even if the end application or user accounts are breached. In the event of a breach, attackers obtain only ciphertext, which is useless to them as long as the encryption keys stay outside the breached application and under the organisation's control.

It is important to note at this point that when we talk about Cloud Encryption, we are specifically discussing encrypting the actual application data. This is distinct from SSL/TLS, which protects data only while it is in transit, and from database encryption, which protects data at rest but is transparently decrypted by the application itself, so a compromised application or account still sees plaintext. Cloud data protection secures data before it is transmitted to the cloud. The end cloud application only ever receives, and therefore stores, encrypted information. Data is decrypted only when it comes back through the corporate cloud encryption gateway (e.g. StratoKey).

This process of encryption and decryption between the user and the cloud is completely seamless. There is no user interaction or manual intervention. In fact, it is not uncommon for cloud data protection gateways to live in the background (network), encrypting and decrypting data without end users ever knowing. This seamless approach is critical as security should never encumber or weigh down users.

Data protection via encryption clearly has benefits for compliance with various data privacy and security requirements. Assuming the appropriate grade of encryption is applied, it can assist in mitigating data residency and data sovereignty issues.

The Cloud Encryption Challenge

One of the great challenges when encrypting application data before it reaches the cloud is ensuring that both humans and systems can interact and work without the loss of functionality, or user encumbrance. Encrypting everything will break application functionality. Not enough encryption and confidential information is at risk from data loss, leaks and breaches. There is a careful balancing act with in-application encryption.

Information entered into the cloud-deployed application needs to be categorized to determine which fields must be protected so that confidentiality is preserved in the event of a breach. The categorization is a straightforward process. Once information is categorized, the appropriate type of encryption for each field can be evaluated.

Different levels of encryption can be applied to fields based upon this data categorization. Some fields may need to remain searchable or keep a fixed length and format, making them candidates for searchable encryption or Format Preserving Encryption. These are a lower confidentiality grade: searchable encryption necessarily reveals which records share the same value, and format-preserving ciphertext over a small domain (a 16-digit card number, a two-letter country code) can only hide so much. Other fields, such as banking information or taxation identifiers, require a higher confidentiality grade and thus qualify for standard, randomised AES encryption, whose ciphertext cannot be searched or sorted by the cloud application. This categorization is an important facet of data protection.

The ability to mix and match encryption types on a single page is a necessary feature of any cloud data protection solution. This allows one to implement a solution that fits the data protection needs specific to each field.
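As an added example of the per-field grading described above (this is illustrative code written for this post, not StratoKey's implementation, and it omits Format Preserving Encryption entirely), the following Go program applies a categorization policy to the fields of one record. Confidential fields use AES-GCM with a random nonce, so the cloud application cannot tell whether two records hold the same value. Searchable fields use a deterministic construction, AES-GCM with a synthetic nonce derived by HMAC from a separate key, the field name and the value, so equal values produce equal ciphertext and the application's own exact-match search keeps working. Fields the application needs in the clear, such as a record ID, are passed through. The field name is bound as GCM additional data so that a ciphertext copied into a different field fails to decrypt. The keys, field names and record values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Mode is the protection grade a field is given during data categorisation.
// Confidential is the zero value, so a field missing from the policy fails closed.
type Mode int

const (
	Confidential Mode = iota // randomised AES-GCM: no equality leakage, cannot be searched
	Searchable               // deterministic: equal values give equal ciphertexts, exact-match search works
	Plain                    // left in the clear because the cloud app needs it (e.g. a record ID)
)

// Gateway holds the keys, which never leave the corporate network.
type Gateway struct {
	aead     cipher.AEAD
	nonceKey []byte          // separate key used only to derive deterministic nonces (this example's choice)
	policy   map[string]Mode // field name -> grade, the output of categorisation
}

func NewGateway(encKey, nonceKey []byte, policy map[string]Mode) (*Gateway, error) {
	block, err := aes.NewCipher(encKey) // 32-byte key -> AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, nonceKey: nonceKey, policy: policy}, nil
}

// nonceFor chooses the GCM nonce by grade. Searchable fields get a synthetic IV:
// HMAC over field name and value, truncated to the nonce size, so the same value in
// the same field always encrypts to the same bytes. Confidential fields get a random nonce.
func (g *Gateway) nonceFor(field string, value []byte, mode Mode) ([]byte, error) {
	n := make([]byte, g.aead.NonceSize())
	if mode == Searchable {
		mac := hmac.New(sha256.New, g.nonceKey)
		mac.Write([]byte(field))
		mac.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" differ
		mac.Write(value)
		copy(n, mac.Sum(nil))
		return n, nil
	}
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// EncryptField returns what the cloud application is allowed to store for this field.
// The field name is bound as additional data, so a ciphertext copied into another
// field fails to decrypt instead of quietly yielding the wrong value.
func (g *Gateway) EncryptField(field, value string) (string, error) {
	mode := g.policy[field]
	if mode == Plain {
		return value, nil
	}
	nonce, err := g.nonceFor(field, []byte(value), mode)
	if err != nil {
		return "", err
	}
	ct := g.aead.Seal(nil, nonce, []byte(value), []byte(field))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// DecryptField reverses EncryptField as the response comes back through the gateway.
func (g *Gateway) DecryptField(field, stored string) (string, error) {
	if g.policy[field] == Plain {
		return stored, nil
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := g.aead.NonceSize()
	if len(raw) < ns+g.aead.Overhead() {
		return "", fmt.Errorf("field %q: ciphertext too short", field)
	}
	pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", fmt.Errorf("field %q: %w", field, err)
	}
	return string(pt), nil
}

func main() {
	// Constructed keys and record for the demo; real keys would come from an HSM or KMS.
	g, err := NewGateway([]byte("0123456789abcdef0123456789abcdef"), []byte("nonce-derivation-key-example"),
		map[string]Mode{"id": Plain, "email": Searchable, "tax_id": Confidential})
	if err != nil {
		panic(err)
	}
	record := map[string]string{"id": "0017000000abcde", "email": "alice@example.com", "tax_id": "123-45-6789"}
	for f, v := range record {
		stored, _ := g.EncryptField(f, v)
		fmt.Printf("%-7s -> %s\n", f, stored) // this is all the cloud application ever sees
	}
}
```

The deterministic grade is exactly the trade the text describes: the cloud application can filter and search on the field, and in return anyone who can read the stored ciphertext learns which records share a value. For low-entropy fields (country, status, salutation) that is enough to recover values by frequency, so deterministic encryption belongs on high-entropy identifiers such as e-mail addresses, not on enumerations. Note also that the policy defaults to Confidential for any field it has never heard of, so a new field added to the application is protected until someone deliberately downgrades it.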

Seamless User Access

User access to encrypted information within the application must be seamless and not require additional logins or special access requirements. This is where a cloud encryption gateway is necessary. This gateway sits between users and the end application, providing seamless encryption and decryption of data. This should be virtually invisible to end users. The gateway itself should be deployable either behind the corporate firewall or even out in the cloud itself.

The general architecture is that the encryption happens at the network level and is completely hidden from the end user. Hiding the encryption layer is a design feature, much like the way SSL/TLS secures your network traffic. Encryption should be completely seamless with users remaining unencumbered.

This encryption gateway should not only provide seamless encryption of data in and out of the application, it should also strengthen user access, increase visibility and monitor for anomalies. Any product that does not have these features is wasting the opportunity to significantly improve overall security for the end application.

Back-end Integrations - Encryption SDK

One important piece of any encryption gateway is ensuring that there are ways to integrate back-end systems. Any encryption gateway that is provided must also have library support enabling it to be plugged into existing systems with minimal effort and minimal impact on performance.

This library support can be used to automate back-end processing such as bulk encryption/decryption of files, fields, or assist reporting engines to decrypt content as extracted from the cloud application. Support for this automated processing is crucial, as at some point, enterprise systems are likely to need the ability to integrate with other systems.

I will leave out the discussion around integrations with enterprise systems such as Active Directory etc. These are a given and do not specifically relate to the discussion.

In future articles we will be covering specifics of cloud data protection such as encrypting Salesforce data, and integrations with cloud services such as Amazon's S3 storage.

# # #

About StratoKey

StratoKey is an intelligent cloud data protection gateway that automatically blocks unauthorized access to your sensitive data, so you can do secure and compliant business in the cloud. StratoKey employs encryption, behavioural analytics and automated countermeasures to prevent data breaches, leaks and loss. If you are interested in learning more about how StratoKey can assist in securing your cloud deployment, please contact us.