

Where cloud cryptography fits in a security strategy

IT teams face a never-ending challenge as they try to secure data. When that data lives in the cloud, encryption is a key concern. Implement these data encryption tips and tools.

Mathematically secure, unbreakable encryption is the cornerstone of modern infrastructure, including cloud-based infrastructure.

Without cloud cryptography, there would be no cloud computing. The risks of data loss as a result of misplaced disks, weak passwords, network snooping or theft would be too high.

Let's review different types of cloud encryption strategies, services and best practices to help bolster your security strategy and maintain working applications.

Data encryption methods

Cloud cryptography is applied to data via encryption, which comes in two forms: symmetric and asymmetric. The differences between the two are significant.

Symmetric encryption. In symmetric encryption, the same key is used to perform both encryption and decryption. Anyone in possession of a copy of the key can both encrypt and decrypt information, so any exposure of the key renders the encryption, and therefore the privacy and protection it provides, useless. Symmetric encryption also presents the problem of how to securely get the key into the hands of the other party.

Asymmetric encryption. The asymmetric encryption process involves two keys: a public key and a private key. Anyone with the public key can encrypt information for the key's owner; only those with the private key can decrypt it. With only the public key, encryption is a one-way operation. Because it doesn't present the same key-distribution problem as symmetric encryption, a team can comfortably distribute a public key.

[Figure: Compare symmetric vs asymmetric encryption, the two types of data encryption methods.]

Encryption in transit refers to encrypting data as it moves across the network between servers, users and infrastructure. For example, when someone browses a secure HTTPS-enabled website, they use encryption in transit. HTTPS also demonstrates how asymmetric and symmetric encryption can work together.

The downside of asymmetric encryption is that it consumes a lot of CPU, meaning a web server can handle fewer sessions. To work around this, use asymmetric encryption for the initial connection and then securely negotiate a symmetric key to use for the rest of that session. This method lowers CPU overhead while still keeping attackers and snoopers out of the session.

Apply encryption broadly


A modern environment contains plenty of sensitive information, so IT teams should apply encryption widely. Instead of asking, "Why should we encrypt this?" ask yourself, "Why not?" The costs of encryption pale in comparison to the cost of data loss or theft.

For data that needs the most protection, users can apply encryption to data in use. For example, VMs are encrypted while running, which helps prevent a rogue process that escaped one VM from reading the memory of another VM.

An organization can use encryption to protect data in different scenarios. One of the most commonly used types is encryption at rest. Almost all cloud providers have encryption at rest on the disks and any important media.

In highly regulated environments, the loss of an unencrypted disk can have significant reputational and financial repercussions. A device that's lost but encrypted, however, is far less significant, and the public fallout should be minimal.

Manage keys carefully

While keys themselves are relatively straightforward, key management is crucial to a properly managed environment. Most cloud providers offer key vaults to store sensitive information, such as API keys and certificates. Cloud vendor offerings for encryption include Google Secret Manager, Azure Key Vault and AWS Key Management Service.

[Figure: Key management is an important part of cloud security. When a cryptographic key and a plaintext message are fed into a cryptographic algorithm, the result is an encrypted message.]

As for encrypted VMs, cloud providers obviously have a huge interest in providing quality encryption. The snag is that customers understandably don't want to pass their encryption keys to a service provider.

Depending on the systems, a vendor can manage the cloud encryption process.

Most major vendors provide the functionality to encrypt not only cloud storage and data but also the VMs in the cloud environment. The essential aspect of all this is to responsibly own and manage the keys. While a cloud service provider is an ally in the security fight, an organization's staff must remain vigilant to ensure that the encryption strategy and cloud cryptography best practices are put into action.
