Not All Encryption Is Created Equal

Last updated: 16 May 2016

This is the second in a series of blog posts about how to address data security in the AWS cloud environment with the SafeNet product line from Gemalto.  Topics that will be addressed include: how to store data in the AWS cloud with customer-owned encryption, roots of trust, the importance of secure key management, encryption and pre-boot authentication for EC2 and EBS, and customer-owned object encryption for Amazon S3.

The Challenges of Cloud Security

Most people know that if you want to keep your company data safe from not only hackers but also unauthorized prying eyes—such as customers and coworkers—you need to encrypt it.  After all, an encrypted environment is far more secure than an unencrypted environment because encryption equals safety . . . or does it?

Encrypting Your Data Is Not Enough

At the most basic level, encryption jumbles the contents of data (whether in files, databases, or sitting in servers) and runs them through an algorithm that renders the file unreadable —only to be decrypted with a key.  Sounds safe, right? After all, encryption algorithms are near impossible to crack without access to the encryption key. But the encryption itself is only one part of the story.  The safety of your data in the cloud is ultimately dependent on the encryption scenario you’ve put into place. For business leaders and IT administrators, this means that understanding the encryption process as it relates to the ownership of and access to company data is crucial to securing it in the cloud.

To illustrate why ownership of and access to data plays such a critical role in data security, let’s examine encryption in a “what if” scenario that replaces your company’s encrypted data with your wallet.

Scene:  The Gym

Let’s say you go to the gym and lock your wallet in a locker for safekeeping while you work out. How is the safety of your wallet affected if you drop the key on the floor or store it on the ledge above the locker? What if you give the key to a friend while you run on the treadmill or leave it with your towel at the edge of the pool while you swim laps?  What if someone finds the key and gives it to the front desk? What if you use a gym-issued lock and the facility holds a master key or copy of your key?  What if you see—or don’t see—evidence that someone has tampered with your lock?  What if the lock manufacturer created duplicates of the very same lock and key that you are using?

In each of these scenarios, your wallet is locked in the locker, but how well is it really protected if you do not have full ownership and control over the lock mechanism and the key used to secure it?

Encryption Requires Levels of Protection

Protecting data, especially sensitive data, requires various levels of data encryption protection. And, it is the responsibility of each and every data owner to execute due diligence by researching every “what if” so that the appropriate level of protection can be applied to secure their data stored in the cloud. Making sure that data is safe from unauthorized access requires enterprises to consider not only the physical and logical security of the cloud service provider but also who is encrypting the data; when and where the data is being encrypted; and who is creating, managing, and accessing the encryption keys. Much like the “wallet-in-the-gym-locker” example, encryption is more than a code and a key.

Storing Data in the Cloud with Customer – Owned Encryption

Recognized universally by analysts and experts as a necessary way to control data stored in the cloud, customer-owned encryption is fundamental to demonstrating regulatory compliance. Experts often recommend encrypting sensitive data and deploying customer-owned key management to:

  • isolate regulated and sensitive information and
  • separate encryption control and ownership from the cloud provider.

By doing so, organizations can demonstrate compliance and pass audits and, most importantly, protect sensitive data from specific attacks.

Three Rules for Encrypting Data Stored in the Cloud

  1. Own your encryption so that you—not your cloud provider—can address any and all access requests for the surrender of your company’s cloud data.
  2. Own and manage the encryption key lifecycle to ensure that your cloud data is always secure.
  3. Define and control data access permissions for company personnel, partners, vendors, customers, etc. to prevent unauthorized access to your cloud data.

Encryption Ownership:  

It’s the difference between thinking and knowing that your cloud data is secure.

I used a gym locker analogy not only because I liked how it compared to the various levels of cloud data security but also because it got me thinking about the difference between thinking and knowing that my cloud data is secure. Let’s face it; there are enough “what ifs” in business and in life. So whether you are moving data to the cloud for the first time or refining an existing cloud security scenario, knowing that your cloud data is secure with customer-owned encryption will not only give your data — and the data of your prospects, customers, clients, vendors, partners, and everyone you do business with —the protection required by business mandates, but will also give you peace of mind to attend to the business at hand (and that workout you’ve been putting off).

For more information on taking ownership of your encryption and encryption keys in the cloud, watch our on-demand webinar, Trusted Crypto in the Cloud: Best Practices for Key Ownership and Control.

Leave a Reply

Your email address will not be published. Required fields are marked *