The Cloud is more popular than ever. Unfortunately, popularity brings risk: the more widely a technology is used, the harder criminals work to find a way to break it and turn it against its users, and the Cloud is no exception.

Why Do You Need Cloud Encryption?

Most unsecured cloud deployments are the result of misconfiguration: businesses leave storage, databases or access controls open because they never properly assessed their cloud environment for risks they could not see. Waiting until you experience a cyber attack is not a plan. Encrypting your cloud data now is one of the few controls that still protects it after a misconfiguration or a breach at the provider, because what the attacker gets is ciphertext, not information.

How Does Cloud Encryption Work?

Encryption transforms readable data (plaintext) into ciphertext that is meaningless to anyone who intercepts it. It is one of the most effective ways to protect a database, because the ciphertext can only be turned back into plaintext with the matching key. A key is a long string of random bits rather than a password; a password can be used to derive a key, but it is the key that the algorithm actually uses, and whoever holds it can read the data.

When you encrypt data yourself, before it leaves your systems, and keep the keys, it stays unreadable to everyone else, including the cloud service provider and its administrators. Encryption that the provider performs with keys it holds protects against a stolen or discarded disk, but not against the provider's own staff or an attacker who compromises the provider. Taking this small preventive measure keeps your most sensitive information secure even then. Always make sure that your cloud storage service supports local (client-side) encryption. This gives you two layers, the provider's storage encryption and your own, and an attacker who obtains the stored files still has to obtain your key to read them.

What About Data In Transit To & From The Cloud?

Encryption is especially important while your data is being transmitted, whether it is sent by email or between your office and your offsite data storage location. You have to ensure that if the wrong party intercepts the traffic, they cannot read it or use it against you.

Data needs to be protected in transit, at rest and in use. Most companies do a reasonable job of encrypting data in transit, where TLS is now the default, and a much poorer job with data at rest, where a copied database file or storage volume is often readable as-is. Data should stay encrypted until the moment it actually has to be used.

The best approach is to encrypt data when it is created, so that it is already ciphertext by the time it is stored in a data center in the Cloud. Decryption keys and decrypted copies of the data should then exist only inside a protected, short-lived memory space on the system doing the work, never on disk and never in the storage service.

Who’s Responsible For Encrypting Data In The Cloud?

While privacy experts agree that encryption is the most effective technology for securing data in the Cloud, doing it well is a daunting task for many businesses. With so many different types of encryption available, small to mid-sized businesses find it difficult to choose and operate a scheme on their own.

In large enterprises, the Chief Information Security Officer is often tasked with this responsibility. In a small or mid-sized business, a designated manager must ensure data is encrypted in the Cloud. This is often outside their realm of expertise.

Your cloud service provider must ensure that its encryption services are reliable, available and secure. The basic security measures used to secure data in the Cloud include:

  • Data encryption and masking.
  • Data discovery and classification.
  • Monitoring of data and file activities.
  • Data access control.
  • Secure data erasure.

The three security measures at the control level are:

  1. Access Management
  2. Identity Management
  3. Privileged Identity Management

Your Technology Service Provider is responsible for access and identity management, while privileged identity management is a shared responsibility between the cloud provider and the technology service company. Whatever the split, write it down: every control needs exactly one accountable owner, and gaps appear wherever each party assumes the other has it covered.

Who Is Responsible For Encrypting Data In Cloud Applications?

Customer relationship management (CRM) applications such as Salesforce.com and enterprise file sync and share (EFSS) applications typically use secure web connections, that is Transport Layer Security (TLS), to protect data on its way from your keyboard or servers to the web application.

Some cloud storage applications also let you create a secure link between your network or mobile devices and the storage service. Be clear about what that protects and what it does not: TLS ends at the provider's edge, and once the data reaches the provider's servers it is the application provider that encrypts it, with keys the provider holds. The data is protected in transit and at rest, but the provider can still read it.

As data is added to a file in an application, encryption should be applied to the data object itself rather than only to the connection or the storage, so that the protection travels with the data when it is synced, shared or copied elsewhere.

Who Is Responsible For Security & Encryption With Different Cloud Models?

Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) are the cloud models you might use. With IaaS, the cloud provider secures the physical data center, the network and the hypervisor; everything above that (operating systems, applications, data and its encryption) is the responsibility of you or your Technology Service Provider. As you move from IaaS through PaaS to SaaS, more of that stack, and more of the responsibility for securing it, shifts to the cloud provider.

With PaaS and SaaS, the responsibility for encrypting cloud data is shared. With PaaS, the cloud provider secures the platform and the managed database engine and offers encryption at rest along with the tools to monitor and control access; configuring those controls, classifying the data and deciding who holds the keys remain your job.

Choosing SaaS solutions that encrypt data within the application itself helps ensure that important data is protected. It is also essential that the protection is applied in a way that does not disrupt your company's business processes, because controls that get in the way tend to get switched off.

With the expansion of mobile application use, you should consider having your Technology Service Provider manage your encryption keys rather than relying on someone inside your organization. This is where many businesses run into problems when they try to encrypt data on their own. Keep in mind that whoever manages the keys can read the data, so this is a trust decision that belongs in a contract, not one made by default.

Where Should Encryption Keys Be Stored?

Where you store your encryption keys is crucial. The most important task an IT manager has ever had when it comes to encryption is managing the keys, and the first rule is to keep the key separate from the data it encrypts. Some companies store the two together: a key file next to the encrypted database, or a key in the same bucket as the encrypted objects. Anyone who steals the data then has the key as well. Never do this.

Encryption keys belong on a separate system: a key management service or a hardware security module that can use a key without ever releasing it, or at minimum a separate server with its own access controls. Keep a backup of all keys in an offsite location in case of disaster, just as you do with your data, and test that backup every few months by actually restoring a key and decrypting something with it; a key backup that has never been restored is an assumption, not assurance.

How Often Should Cloud Encryption Keys Be Changed?

Encryption keys need to be changed regularly. Keys do not expire on their own; they expire only if your key management system enforces an expiry or rotation policy, so set one and keep a refresh schedule for anything it does not cover. Rotation is far cheaper when data is encrypted with per-object data keys that are themselves wrapped by a master key: rotating the master key then means re-wrapping the small data keys, not re-encrypting every file. Another thing to remember is to require multi-factor authentication for any use of your master and recovery keys.

What Are Some Of The Challenges When It Comes To Encrypting Data In The Cloud?

Most problems occur when data is needed on a mobile device that does not have the decryption key. In that case the user can download the data but cannot read it.

Problems also occur when someone wants to share data with a business associate but does not want to give them the decryption key.

Key management can create issues of its own. Changing or destroying encryption keys is complicated for businesses managing their own keys, because it can involve millions of files. Your Technology Service Provider can add a layer of protection by keeping the encryption keys separate from the encrypted data stored in the Cloud.
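The following Go program is an added example, not code from the original article or from any provider it mentions, of the pattern the last few sections describe: encrypt each object on the client with its own data key before upload, keep that data key wrapped under a master key that lives only in a separate key store, and rotate the master key by re-wrapping the small data keys rather than re-encrypting the files. The Blob layout, the KeyStore type, the kek-N identifiers and the object names are assumptions made for the example; a real deployment would put KeyStore behind an HSM or KMS API so the master key never leaves it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is all the cloud store ever holds: ciphertext plus the per-object DEK wrapped
// under a KEK that stays in the key store. The layout is hypothetical, for this example.
type Blob struct {
	KEKID      string // which KEK wrapped the DEK, so rotation is traceable
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), AAD = KEKID
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext), AAD = object name
}

// KeyStore stands in for an HSM or KMS: it holds KEKs by id and never sees a data object.
type KeyStore struct {
	current string
	keks    map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { // OS CSPRNG; a failure here is fatal
		panic(err)
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize()) // fresh per message: never reuse with one key
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Rotate creates a fresh KEK and makes it current; older KEKs stay until Retire destroys them.
func (ks *KeyStore) Rotate() string {
	ks.current = fmt.Sprintf("kek-%d", len(ks.keks)+1)
	ks.keks[ks.current] = mustRandom(32)
	return ks.current
}

func (ks *KeyStore) Retire(id string) { delete(ks.keks, id) } // blobs still under id are lost

func (ks *KeyStore) wrap(dek []byte) (string, []byte) {
	return ks.current, seal(ks.keks[ks.current], dek, []byte(ks.current))
}

func (ks *KeyStore) unwrap(b *Blob) ([]byte, error) {
	kek, ok := ks.keks[b.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %s was retired before this blob was rewrapped", b.KEKID)
	}
	return open(kek, b.WrappedDEK, []byte(b.KEKID))
}

// Encrypt runs on the client before upload; plaintext and DEK exist only here, in memory.
func Encrypt(ks *KeyStore, objectName string, plaintext []byte) *Blob {
	dek := mustRandom(32)
	id, wrapped := ks.wrap(dek)
	return &Blob{KEKID: id, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, []byte(objectName))}
}

// Decrypt fails on a retired KEK, a renamed or swapped blob (AAD mismatch) or any altered byte.
func Decrypt(ks *KeyStore, objectName string, b *Blob) ([]byte, error) {
	dek, err := ks.unwrap(b)
	if err != nil {
		return nil, err
	}
	return open(dek, b.Ciphertext, []byte(objectName))
}

// Rewrap moves a blob to the current KEK without touching the ciphertext (cheap at scale).
func Rewrap(ks *KeyStore, b *Blob) error {
	dek, err := ks.unwrap(b)
	if err != nil {
		return err
	}
	b.KEKID, b.WrappedDEK = ks.wrap(dek)
	return nil
}
```

Call `Rotate` once to create the first KEK, `Encrypt` before upload and `Decrypt` after download. Because the object name is authenticated data, a blob that is renamed or swapped with another object fails to decrypt, as does one with a single altered byte. The scheduled refresh is `Rotate` followed by `Rewrap` of every blob and then `Retire` of the old KEK; a blob that was not rewrapped before `Retire` is the "millions of files" failure the schedule exists to prevent, and the error message says so.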

For data in transit the answer is Transport Layer Security (TLS), the successor protocol to Secure Sockets Layer (SSL). However, some legacy systems running older operating systems, such as Windows XP, cannot negotiate a current TLS version (XP tops out at TLS 1.0). Some organizations keep servers accepting SSL 3.0 or TLS 1.0 to support those systems, even though every SSL version and TLS 1.0 and 1.1 are formally deprecated and leave confidential data open to compromise. A server is only as strong as the weakest version it is willing to negotiate, because that is the one an attacker will ask for. The only way to remove the risk is to disable SSL entirely and set a minimum of TLS 1.2 on every server; a client that cannot meet that floor should be isolated or replaced, not accommodated.

Another common issue is that small and mid-sized businesses must trust that the cloud provider is better at protecting their data than they are. Be aware that breach-notification obligations generally fall on the business that owns the data; the provider's duty is usually limited to telling you, on the terms set out in your contract, so read those terms before you need them.

Plus, when breaches do occur, they are usually not attributed to the cloud provider. The business that owns the data is held responsible, even if the breach originated at the cloud hosting company, and when such a breach is publicized it is the data owner that suffers the negative publicity.

What Should You Remember About Cloud Encryption?

In the end, it’s up to the owner of the data to protect it. This is why it’s so important to encrypt data in the Cloud.

Here are 4 takeaways to remember:

  1. Encrypt cloud data with approved algorithms (for example, AES-256 in an authenticated mode such as GCM) and long, random keys from a cryptographic random number generator;
  2. Encrypt cloud data before it passes from your business to the cloud provider;
  3. Data must remain encrypted in transit, at rest, and in use;
  4. The cloud provider should never have access to the decryption keys.

Due to the multitude of recent cyberattacks on large data centers and commercial sites, all businesses in Utah including those in retail, healthcare, government, banking, financial services or law should adopt cloud encryption as a standard practice.

For more information visit our Media Center.