March 24, 2014 By Rick Robinson 3 min read

As industry and government assess the use of the cloud for the storage of data and the hosting of everything from infrastructure to applications, we are all working diligently to provide cloud encryption and make the cloud secure. But I want to take a step back and ask a possibly redundant question: What makes us believe we can make the cloud secure?

To find the answer, we should consider whether we have ever faced a challenge that is similar to securing the cloud; if so, we must examine the outcome. What was the approach to security? What was the presumptive theory that was the basis of the security strategy? Are we reinventing the wheel, or is there something from history that can tell us we should consider a different direction?

One way to tell whether cloud solutions are likely to be secure is to view them from the perspective of a historical linguist and cryptographer of the 19th century.

Look to Kerckhoffs for Cloud Encryption

Auguste Kerckhoffs was a Dutch linguist and cryptographer who lived in the 19th century and wrote an essay entitled “La Cryptographie Militaire” (Military Cryptography). Within this essay and other articles, he advocated that a practical cipher design should consist of six principles. One such principle, now known as Kerckhoffs’ principle, states that “the design of a system should not require secrecy, and compromise of the system should not inconvenience the correspondence.”

In other words, a secure system does not have to be secret to be secure. The only thing that should give a user access to the information within the system should be the key.

Think about that. If Kerckhoffs was correct — he presumably was and still is — it means that, in order for the cloud to be secure and provide cloud encryption, nothing about how the cloud is deployed or configured should give an attacker an advantage. The only thing that should allow a user access to the data in the cloud should be having access to the keys; that, by Kerckhoffs’ principle, is a secure cloud.

To simplify the matter further, this means that when we look at cloud encryption and security strategies, we must talk about good, fundamental key management strategies. The reason for this is that, to make your cloud security strategy pass the litmus test of Kerckhoffs’ principle, you must have key management that is a fundamental technical control for restricting access to the data. This is the same strategy that we use when you park your car, leave your house, close your office, close your desk, log out of your computer or a myriad of other activities that we do on a daily basis. We keep our keys with us, even though our “stuff” is somewhere else.

 

Keepers of the Keys

We all know Clouds come in many forms, including these among others:

  • Intranet
  • Internet
  • Hybrid
  • Infrastructure-as-a-service (IaaS)
  • Platform-as-a-service (PaaS)
  • Software-as-a-service (SaaS)

Presumably, some or all of your cloud is not under your control, but your keys should be. A perpetrator may be a cloud administrator, hacker or mischievous user. These different threats, and these different forms of the cloud, require different approaches to data protection; but the underlying principle is that the data in the cloud must, at a minimum, be encrypted. Moreover, these keys that are used for encrypting the data must be properly managed.

Kerckhoffs’ principle is a nonnegotiable requirement if we are going to deploy any solution that serves cryptography for business as part of a secure cloud solution. Some secure data solutions can require millions of encryption keys; others generate and deploy over 250,000 encryption keys per year just to maintain alignment with enterprise policy and procedure. In order for a secure cloud solution that can serve organizations with these kinds of requirements to be considered, the key management strategy of the solution must be able to manage keys at this scale.

Whether we are talking about little clouds or big clouds, private clouds or public clouds, when we wonder whether the cloud can be secure, we can look to history and see that, according to Kerckhoffs, the answer is yes, the cloud can be secure. We just need good key management.

 

More from Cloud Security

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Cloud threat report: Possible trend in cloud credential “oversaturation”

3 min read - For years now, the dark web has built and maintained its own evolving economy, supported by the acquisition and sales of stolen data, user login credentials and business IP. But much like any market today, the dark web economy is subject to supply and demand.A recent X-Force Cloud Threat Landscape Report has shed light on this fact, revealing a new trend in the average prices for stolen cloud access credentials. Since 2022, there has been a steady decrease in market…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today