Encryption is Tagged for Data Security

While the security of the cloud overall is a concern for users, the hybrid cloud poses particular problems because data will be used in both a private cloud, where tight security and oversight can be applied, and with the public cloud component where security is less certain. Securing data in both kinds of cloud, and when moving data between them, is a major priority.

A recent survey of the 250,000-plus members of LinkedIn’s Information Security Community found a range of preferences for technologies to protect data in the cloud, including access control, intrusion detection and prevention, firewalls, and log management and analysis. But encryption, for both data at rest and data in motion, was the clear winner.

That said, it’s not a case of simply encrypting all data since encryption, which also means decryption at some point, adds complexity and overhead management costs. Sensitive data obviously needs to be encrypted, and that may even be required for compliance reasons, but other data that’s considered not so sensitive could be left unencrypted.

The Cloud Security Alliance says a range of factors has to be understood when considering encryption:

  • Encryption should be implemented for data at rest, in motion, and in use. Use data-centric encryption for unstructured files that must be protected or stored in the cloud, or use encryption embedded into the file format whenever practical to apply protection directly to the files.
  • Don’t forget to protect files that are often overlooked but that also can hold sensitive information, such as log files and metadata.
  • Use “sufficiently durable encryption strengths” that comply with the same standards used for encrypting files that are maintained internally within the enterprise. The National Institute of Standards and Technology (NIST) recommends using encryption that is FIPS 140-2 compliant.
  • Understand how all encryption/decryption keys will be managed for the entire lifecycle of the data, and whenever possible the data owner should control the encryption keys and not the cloud provider. That ensures the owner has access to critical information both now and in the future.

Agencies should not assume that simply choosing cloud providers that are certified through the Federal Risk and Authorization Management Program (FedRAMP) process will fully protect them when it comes to encryption and key management. FedRAMP refers only to a baseline of necessary security controls, so organizations should expect to have to specify key management through the service level agreements they negotiate with cloud providers.

Where data is encrypted and decrypted is also important. Having the user encrypt data before it is sent to the cloud provides the highest level of security, since the data stays protected in transit and after it arrives. It also means that data stored in the cloud can be decrypted only by the user, provided the keys are always controlled by the user.

However, encryption at this level is a complicated issue. Large IT departments may be capable of doing it, but smaller ones won’t have the resources, which is where managed security services will prove valuable.
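The user-side model described above, with keys that the data owner never hands to the cloud provider, as an added example that is not code from the article: a Go program (standard library only) that envelope-encrypts an object with AES-256-GCM before upload, wraps the per-object data key under an owner-held key-encryption key, and binds the object name as associated data so the stored metadata is covered too. The Envelope type, the function names and the KEK/DEK split are this example's own assumptions, not anything the article or the Cloud Security Alliance prescribes.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"

// Envelope is all that is uploaded: ciphertext plus the data key wrapped under
// the owner's key-encryption key (KEK). The KEK never leaves the owner, so the
// provider holds only opaque bytes, and KEK rotation re-wraps keys, not data.
type Envelope struct {
	WrappedDEK, Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal prefixes a random nonce; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newAEAD(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newAEAD(key)
	if err != nil { return nil, err }
	if n := gcm.NonceSize(); len(sealed) >= n { return gcm.Open(nil, sealed[:n], sealed[n:], aad) }
	return nil, errors.New("ciphertext too short")
}
// Encrypt runs on the owner's side before upload: a fresh 256-bit data key per
// object, with the object name bound as associated data so a stored ciphertext
// served back under a different name fails authentication instead of opening.
func Encrypt(kek []byte, name string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return Envelope{}, err }
	ct, err := seal(dek, plaintext, []byte(name))
	if err != nil { return Envelope{}, err }
	wrapped, err := seal(kek, dek, []byte(name))
	if err != nil { return Envelope{}, err }
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}
// Decrypt unwraps the data key with the owner's KEK, then opens the object.
func Decrypt(kek []byte, name string, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(name))
	if err != nil { return nil, err }
	return open(dek, env.Ciphertext, []byte(name))
}
```

Because the name is associated data and the DEK is wrapped under the KEK, a provider-side key is never needed, and any change to the ciphertext, the wrapped key or the object name is rejected on decryption rather than silently accepted.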

There are alternatives to encryption such as data anonymization, where, for example, personally identifiable or sensitive information is stripped out of the data before it is processed. Data stored in a private cloud can also be altered before it is sent to the public cloud so that what leaves includes only a reference to the private cloud data.

For most purposes, however, encryption now seems to be the preferred method for hybrid cloud data protection.