Imagine if you had a way to make all of the valuable possessions in your home become worthless (or of little value) if they left the perimeter of your home? There would be no incentive for a thief to steal from you. Why bother with the risk, time and effort to burglarize your home if there is no meaningful payoff? Now imagine if you could do the same with your data in your data center, or in a cloud environment such as cloud storage or cloud servers. If any data or piece of information left the cloud perimeter it would be rendered useless.
While the first scenario is still a fantasy, the good news is the second scenario is a reality. At least it should be a reality for every IT organization and it MUST be a reality for every cloud-based IT organization. The mechanism to enable this is data encryption, which we call “protecting data at rest.” In the last blog we reviewed protecting data in flight. Here we will discuss protecting data once it arrives at its cloud destination.
Protecting data at rest simply means that any data stored on cloud-based storage is encrypted. Without the right encryption and right algorithm, no one can read and use the data. Stolen encrypted credit card data or personally identifiable information is rendered useless and of no value. Data thieves would not be able sell such stolen information. So whether the data be in a datafile or in a datafield in a database, cloud data must be encrypted, never stored in the clear.
There are three strategies a data owner can follow to implement cloud data encryption.
Strategy 1: On-premises data encryption
In this approach the data owner ensures that any data stored in the cloud is encrypted before it is transmitted to the cloud destination. This requires the data owner to manage and control the encryption keys and encryption algorithm. There are commercial products (such as SafeNet) that provide these encryption capabilities as well as open source solutions.
Strategy 2: Cloud service provider-based encryption
Many cloud providers and cloud storage providers have built-in back-end encryption capabilities. Once the data arrives at the cloud destination it is automatically encrypted. The data owner does not need to do anything extra or manage the encryption keys and algorithm. Whenever the data is retrieved from the cloud provider, it is decrypted before it is transmitted back to the data owner. For example, users of Dropbox storage service have their data automatically encrypted whenever they save a file to Dropbox. Amazon Web Services provides users the option to encrypt data on their S3 storage service through a configuration setting. In this strategy the encryption keys and algorithm are fully owned and managed by the cloud service providers
This approach offloads the operational management of an encryption infrastructure. However, for some business environments, the tradeoff is not acceptable for regulatory and compliance reasons since control and management of the encryption keys are not under the control of the data owner. For these scenarios the next strategy is necessary.
Strategy 3: Self-managed cloud-based encryption
In this model the data owner uses a cloud-based encryption engine but owns the encryption keys. A cloud-based appliance handles all of the encryption and decryption of the data, by the encryption keys stored and managed securely onsite at the data owner’s data center. The data owner generates encryption keys and securely transmits them to the cloud-based appliance. The cloud-based appliance then handles all of the encryption and decryption work for all cloud stored data. This approach reduces appliance latency since the cloud data is close to the cloud application.
Each of these strategies for protecting data at rest has its advantages and disadvantages. The particular details, security requirements and application performance will determine which approach is best to take. What is nonnegotiable is the fact that any data stored in the cloud MUST be encrypted.