Cloud security and web application security demand technology and practices that protect applications and data hosted remotely. Good old-fashioned data encryption is chief among these. The reasons for encrypting cloud data, of course, are privacy, security and regulatory compliance — all standard for any successful enterprise. At the bottom of all this is the idea of being intentional about encryption, knowing the standards you need to meet and the specifics of your group’s needs. Make sure you’re seeing the whole picture with our guide.
Encryption basics are, well, basic. The process scrambles data, transforming it into ciphertext until someone applies the keys, turning it back into readable or usable data. But that’s the simplest step.
Encrypting sensitive cloud data is like safeguarding cash at a bank. You want to control who has access to the vault, and also control who has access to the code that opens the vault. Properly encrypted data in the cloud can be even more secure than keeping it locally.
Regulations Demand Strong Encryption
Specific regulations protect different kinds of data, depending on whether it’s medical, financial or consumer data. The first step on your compliance journey is to know which regulations cover what data. From there, you can learn how to encrypt and manage that data.
Compliance rules can guide encryption in several ways. For example, data may need to be fully or only partially invisible to, say, customers or specific groups of employees. Part of a credit card number or social security number may need to be visible depending on who is looking the number up.
What Type of Cloud Security Encryption Do You Need?
How do you know what type of encryption to use for the cloud security you need? While there are many encryption types, products and services out there, there are two broad ways to encrypt data. The first, a symmetric algorithm or secret key algorithm, uses the same keys for both encryption and decryption. This method is faster, and may be better for the bulk processing of data that isn’t very sensitive. But it’s also less secure, since anyone with the keys can decrypt.
The second method, an asymmetric algorithm, involves one public and one private key. The public key is for sharing; the private key should be kept secret. Using this together with secret key (symmetric) encryption at the same time is, of course, the most secure.
When it comes to how to apply this to your business, you should encrypt cloud data while transferring it (from cloud to user and from cloud to cloud), and while storing it. Major cloud providers offer data-at-rest encryption, usually using the vendor’s own tools. And third-party companies also offer encryption services for this data.
HTTPS encryption protects most data in transit. But for truly sensitive data, you may want additional encryption.
Cloud Security Challenges…
Not all data moving in the cloud should be encrypted. But it’s a good cloud security best practice to encrypt personal information, company secrets and work under copyright. Basically, encrypt any data essential to the functioning of the business.
Some challenges stem from this. For example, creating the right encryption service architecture involves making sure only the right people at the right time can access the data. In addition, complex hybrid cloud environments can be a challenge simply because they’re so involved. Architectural differences for cloud encryption — including storage-level, application level, file system based and agent based — make this more complex as well.
… and Benefits
Encryption by itself cannot secure data. It must be combined with good practices. Here are some tips on how to leverage good cloud security through encryption.
The most important of these is sound key management. Use a key management system that works with the tools you have. Your encryption key management needs to be compatible and flexible. If you lose the keys to encrypted data that has not been backed up, you’ve destroyed that data.
Make sure key backups are kept offsite and are subject to audits on a regular schedule. Like passwords, you should change or refresh your encryption keys from time to time. Use multi-factor authentication for both the master and recovery keys.
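The symmetric and asymmetric methods described earlier are commonly combined as envelope encryption: a symmetric data key encrypts the bulk data and a public key wraps that data key, so refreshing the key pair only re-wraps the small data key. The following is an added example, not code from the original article, using Node.js's built-in crypto module; the function names and the sample record are constructed for illustration, and in production the private key would normally sit in a key management service rather than in process memory.

```javascript
// Added example: envelope (hybrid) encryption and key rotation with Node's crypto module.
const crypto = require('crypto');

// RSA-OAEP settings used whenever a data key is wrapped or unwrapped.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Asymmetric key pair: the public half wraps data keys, the private half stays secret.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Encrypt bulk data with a fresh symmetric key, then wrap that key with the public key.
function seal(plaintext, publicKey) {
  const dataKey = crypto.randomBytes(32);   // AES-256 key, used for this record only
  const iv = crypto.randomBytes(12);        // 96-bit GCM nonce, unique per message
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Unwrap the data key with the private key, then decrypt and authenticate the data.
function unseal(envelope, privateKey) {
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);        // final() throws if data or tag was altered
  const plain = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  return plain.toString('utf8');
}

// Key rotation: re-wrap only the data key; the bulk ciphertext is left untouched.
function rewrap(envelope, oldPrivateKey, newPublicKey) {
  const dataKey = crypto.privateDecrypt({ key: oldPrivateKey, ...OAEP }, envelope.wrappedKey);
  const wrappedKey = crypto.publicEncrypt({ key: newPublicKey, ...OAEP }, dataKey);
  return { ...envelope, wrappedKey };
}

// Constructed sample record, not real data.
const oldKeys = newKeyPair();
const newKeys = newKeyPair();
const sealed = seal('account=constructed-sample-0001', oldKeys.publicKey);
const rotated = rewrap(sealed, oldKeys.privateKey, newKeys.publicKey);
console.log(unseal(rotated, newKeys.privateKey));
```

If the private key is lost before the data key is re-wrapped, the ciphertext cannot be recovered, which is why the key backups matter.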
Create a cloud encryption policy that specifies what data will be encrypted, where it will reside and who will hold the encryption keys. Also, specify how this policy helps you abide by regulations.
Mistakes happen, but there are ways to avoid them. For example, it’s fairly common to rely on low-level encryption, such as file encryption, for sensitive data. That may not be enough. Make sure you size the encryption strength right for the importance of the data. Another common error is to assume that meeting regulatory compliance guarantees your data will be secure. That’s not always the case.
Being intentional in cloud encryption means covering all the bases with sound policies. That includes good key management, and choosing solutions and practices that assure your data is private, secure, and stored according to regulations. Doing this in a sustainable and manageable way means you’re getting the best out of encryption when it comes to cloud security.