Cloud encryption is a service offered by cloud storage providers whereby a customer's data is transformed using encryption algorithms into ciphertext and stored in the cloud. Cloud encryption is almost identical to on-premises encryption with one important difference: The cloud customer must take time to learn about the provider's policies and procedures for encryption and encryption key management. The cloud encryption capabilities of the service provider need to match the level of sensitivity of the data being hosted.
IT admins regard encryption as the ultimate safeguard for the security of data. It is the confidentiality piece of the security (CIA) triad and is mandated by many compliance and regulatory standards, such as the Federal Information Processing Standards (FIPS), the Federal Information Security Modernization Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Encrypted data remains unreadable and essentially meaningless without its key, even when it is lost, stolen or breached through unauthorized access.
How does cloud encryption work?
Cloud encryption platforms encrypt data when it is transmitted to and from cloud-based applications and storage, as well as to authorized users in different locations. In addition, these tools encrypt data when it is stored on cloud-based storage devices. These measures prevent unauthorized users from being able to read data as it travels to and from the cloud or read files when they are saved to cloud storage. Storage vendors like Amazon Web Services (AWS), Dropbox, Microsoft Azure and Google Cloud provide data-at-rest cloud encryption. The software handles encryption key exchanges and the encryption and decryption processes in the background, so users don't need to take any additional steps beyond having proper authorization and authentication to access data.
Benefits of cloud encryption
Cloud encryption is a proactive defense against data breaches and cyberattacks and allows enterprises and their users to utilize the benefits of cloud collaboration services without putting data at unnecessary risk. It can ensure end-to-end protection of data when it's transferred to and from the cloud and prevent unauthorized access while stored. It also satisfies many customer and regulatory requirements for data security.
Cloud encryption challenges
While the security benefits of cloud encryption outweigh any disadvantages, it is important for admins to be aware of common challenges. In the past, performance and integration concerns deterred many from implementing encryption as a standard practice, because it was often seen as too complicated or annoying for users who need easy access to files from a host of different devices and locations. While today's systems are faster and easier to use, it is still important to trial-run any platform to ensure integration and usability meet requirements. Because the encryption process is resource-intensive and adds time and money to everyday activities, it is also important to monitor access times and resource usage levels.
The loss of encryption keys is a major concern, as it can render any encrypted data useless while poor key management can put critical data at risk. The biggest challenge, though, is ensuring any cloud encryption services are correctly configured and in use. A dangerous gap in any data security strategy can occur when admins think data is encrypted when it's actually not.
Cloud encryption best practices
Security teams should map out the security requirements for any data that moves to and from the cloud to ensure continued compliance with the enterprise's security policy. This will help identify cloud providers that offer sufficient encryption options and services. Security teams need to decide:
- What data requires encryption -- based on its data classification and regulatory compliance requirements
- When it needs encryption -- in transit, at rest and in use
- Who should hold the encryption keys -- the cloud service provider or the enterprise
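The three decisions above only protect data if they are checked against what the provider actually reports, including the gap where a location is "encrypted" by setting but its objects are not. As an added example that is not from the article, the Go program below audits a constructed storage inventory; the record fields, the sample data and the policy rules (for example, that regulated data needs customer-held keys) are all assumptions, and a real inventory would come from the provider's API.

```go
package main

import "fmt"

// StorageConfig is a constructed inventory record for one cloud storage location.
type StorageConfig struct {
	Name            string
	Classification  string // "public", "internal", "confidential" or "regulated"
	EncryptedAtRest bool   // provider reports server-side encryption switched on
	UnencryptedObjs int    // objects that the provider reports as stored unencrypted
	TLSOnly         bool   // plaintext transport to this location is refused
	KeyOwner        string // "provider" or "customer"
}

// Audit applies the three decisions (what, when, who) to each location and returns
// one finding per gap; an empty result means the inventory matches policy.
func Audit(cfgs []StorageConfig) []string {
	var findings []string
	for _, c := range cfgs {
		if !c.EncryptedAtRest && c.Classification != "public" {
			findings = append(findings, c.Name+": encryption at rest not enabled")
		}
		// The gap the article warns about: "encrypted" by setting, yet objects are not.
		if c.EncryptedAtRest && c.UnencryptedObjs > 0 {
			findings = append(findings, fmt.Sprintf("%s: %d objects stored unencrypted despite the bucket setting", c.Name, c.UnencryptedObjs))
		}
		if !c.TLSOnly {
			findings = append(findings, c.Name+": plaintext transport allowed")
		}
		if c.Classification == "regulated" && c.KeyOwner != "customer" {
			findings = append(findings, c.Name+": regulated data but keys held by the provider")
		}
	}
	return findings
}

// SampleInventory is constructed test data, not output from any real provider.
func SampleInventory() []StorageConfig {
	return []StorageConfig{
		{"public-assets", "public", false, 0, true, "provider"},
		{"customer-records", "regulated", true, 3, true, "provider"},
		{"team-share", "internal", true, 0, false, "provider"},
	}
}

func main() {
	for _, f := range Audit(SampleInventory()) {
		fmt.Println(f)
	}
}
```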
All data in transit has to be encrypted whenever it leaves the internal network, as it will invariably pass through an unspecified number of third parties, and sensitive data should be encrypted even during internal transmission. While most data in transit can be handled securely by the native capabilities of web browsers and File Transfer Protocol (FTP) software, it is imperative that all connections use a secure protocol. Virtual private network (VPN) and IP security (IPsec) tunnels are other ways of protecting data in transit, but they add another layer of complexity. Cloud access security broker (CASB) tools provide security managers with a unified way to control and manage cloud resources and to ensure users access them in accordance with the organization's security policies.
Sensitive data uploaded to the cloud should be encrypted on premises and backed up prior to upload. This ensures data will always be available and secure in the cloud even if the account or the cloud storage provider is compromised. Several companies offer strong disk encryption at the user and network levels. Protecting sensitive data in use requires full disk and memory encryption, but this may preclude some applications from being able to process the data, so strong access controls and limited access to specific data sets are essential alternatives.
Extensive encryption key management is critical, from logging keys in a register through full lifecycle supervision. The keys themselves should be stored securely and separately from the encrypted data, with backups kept off site and audited regularly. Admins should also implement multifactor authentication (MFA) for both the master and recovery keys. Some cloud encryption providers offer to manage encryption keys, which is attractive to organizations that lack in-house skills and resources, but regulatory compliance requirements may oblige some organizations to hold and manage keys internally.
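Encrypting on premises before upload while keeping the keys apart from the data, as the two paragraphs above describe, is what envelope encryption provides. As an added example that is not from the article or any provider's SDK, the Go code below encrypts an object under a one-time data key with AES-256-GCM and wraps that key under a key-encryption key (KEK) that never leaves the premises, so only the KEK needs lifecycle management; the Envelope type, the function names and the use of the object name as associated data are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Envelope is what gets uploaded: ciphertext plus the data key wrapped under the on-premises KEK.
type Envelope struct{ Nonce, Ciphertext, KeyNonce, WrappedKey []byte }

// gcm builds AES-GCM for a 16-, 24- or 32-byte key; any other length is a caller bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts under a fresh random nonce; aad ties the object name to the data.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	g := gcm(key)
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad)
}

// Encrypt: a one-time 256-bit data key encrypts the object, then the KEK wraps that key.
func Encrypt(kek, plaintext []byte, objectName string) *Envelope {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		panic(err)
	}
	n, ct := seal(dataKey, plaintext, []byte(objectName))
	kn, wk := seal(kek, dataKey, []byte(objectName))
	return &Envelope{n, ct, kn, wk}
}

// Decrypt unwraps the data key with the KEK, then opens the object; any tampering is an error.
func Decrypt(kek []byte, e *Envelope, objectName string) ([]byte, error) {
	dataKey, err := gcm(kek).Open(nil, e.KeyNonce, e.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return gcm(dataKey).Open(nil, e.Nonce, e.Ciphertext, []byte(objectName))
}
```

Because the object name is bound as associated data, an envelope copied onto a different object fails to decrypt, and the wrapped key is useless to anyone holding only the provider's copy of the data.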
While there are challenges associated with cloud encryption, standards, regulations and privacy requirements position it as an essential security control for most organizations, and cloud providers now offer a variety of platforms to fit a range of data security needs and budgets.