The use of cryptography, and encryption in particular, is universal in the provisioning and protection of confidentiality services in the enterprise.
In support of that goal, the cloud security professional should understand how to deploy and use cryptographic services in a cloud environment.
In addition, strong key management services and a secure key management lifecycle must be integrated into the cryptography solution.
What does “Cloud Encryption” mean?
The need for confidentiality, along with the requirement to apply additional security controls and mechanisms to protect information and communications, is great.
Whether it is encryption to a military standard or simply the use of self-signed certificates, everyone has different requirements and definitions of what secure communication and cryptography-based infrastructure look like.
As with many areas of security, encryption can be subjective when you drill down into the algorithms, strengths, ciphers, implementation methods, and so on.
As a general rule of thumb, encryption mechanisms should be selected based on the information and data they protect, while taking into account requirements for access and general functions.
The critical success factor for encryption is to enable secure and legitimate access to resources while protecting and enforcing controls against unauthorized access.
The cloud architect and administrator should explore the appropriate encryption and access measures to ensure that proper separation of tenants’ information and access is deployed within public cloud environments.
Additionally, encryption and relevant controls need to be applied to private and hybrid cloud deployments to adequately and sufficiently protect communications between hosts and services across various network components and systems.
What does “Data in Transit (Data in Motion)” mean in cloud computing?
Also termed data in motion, data in transit refers to information while it is being transmitted across systems and components, typically across internal and external (untrusted) networks.
Where information crosses or traverses trusted and untrusted networks, the opportunity for interception, sniffing, or unauthorized access is heightened.
Data in transit can include the following scenarios:
- Data transiting from an end-user endpoint (laptop, desktop, smart device, and so on) on the Internet to a web-facing service in the cloud
- Data moving between machines within the cloud (including between different cloud services), such as between a web virtual machine (VM) and a database
- Data traversing trusted and untrusted networks (cloud- and non-cloud-based environments)
Typically, the cloud architect is responsible for reviewing the way data in transit will be protected or secured at the design phase.
Special consideration should be focused on how the cloud will integrate, communicate, and allow for interoperability across boundaries and hybrid technologies.
Once implemented, the ongoing management of data in transit rests on the correct application of security controls, including the cryptographic processes and the key management that supports them.
Perhaps the best-known use of cryptography for data in transit is Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL). TLS provides an encrypted and authenticated channel at the transport layer: the server (and optionally the client) presents an X.509 certificate whose public key lets the peer verify its identity, and the symmetric session keys that actually encrypt the traffic are negotiated during the handshake. The certificate itself does not encrypt the data; it authenticates the endpoint. The same protocol protects mail in transit between email servers or message transfer agents (MTAs).
These protocols have been in use for many years in the form of hypertext transfer protocol secure (HTTPS), which is simply HTTP carried over TLS, to provide communication security over the Internet.
TLS is now the de facto encryption approach for browser-to-web-host and host-to-host communications in both cloud and non-cloud environments. All versions of SSL, as well as TLS 1.0 and 1.1, are deprecated; new deployments should require TLS 1.2 or later and prefer TLS 1.3.
Several cloud-based providers now layer multiple encryption controls and also give users the ability to encrypt their own data at rest within the cloud environment.
The standard pattern, and the one TLS itself follows, is asymmetric (public-key) cryptography for the key exchange followed by symmetric encryption for content confidentiality: the comparatively expensive public-key operation establishes a shared session key, and a fast symmetric cipher protects the bulk data under that key.
This approach combines the strengths of both families of algorithm. Additionally, IP Security (IPsec), which has been used extensively, is a transit encryption protocol widely adopted for virtual private network (VPN) tunnels; unlike TLS it operates at the network layer, so it protects all IP traffic between the tunnel endpoints rather than a single application connection.
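As an added example (not code from the original article), the following Go program models the pattern just described: an ephemeral X25519 key agreement as the asymmetric step, derivation of an AES-256 key from the shared secret, and AES-GCM for the bulk data as the symmetric step. It uses only the Go standard library; the party names, the sample message, and the HKDF-style derivation with a zero salt are choices made for this illustration. Deliberately absent is the authentication that TLS adds through X.509 certificates: without it, an active attacker who swaps in their own public value would negotiate a key with each side separately, which is exactly why TLS signs the handshake with the certificate's key. The passive-observer check below is therefore the limit of what unauthenticated key agreement gives you.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// party is one endpoint with an ephemeral X25519 key pair used for this session only.
type party struct{ priv *ecdh.PrivateKey }

// newParty panics on a crypto/rand failure, which nothing upstream can recover from.
func newParty() *party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &party{priv: priv}
}

// public is the only value this side transmits; it reveals nothing about the session key.
func (p *party) public() *ecdh.PublicKey { return p.priv.PublicKey() }

// session is the asymmetric step: X25519 with the peer's public value, then an HKDF-style
// extract/expand with HMAC-SHA256 (zero salt, both public values as "info") yielding a
// 32-byte AES-256 key, which is then wrapped in AES-GCM for the symmetric step.
func (p *party) session(peer *ecdh.PublicKey, transcript []byte) (cipher.AEAD, error) {
	shared, err := p.priv.ECDH(peer) // raw ECDH output, never used as a key directly
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(transcript)
	expand.Write([]byte{0x01})
	block, err := aes.NewCipher(expand.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a fresh random 96-bit nonce; reusing a nonce under one GCM key is fatal.
func seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on a wrong key or any modified byte.
func open(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// RunExchange runs one client/server session for msg. It returns the plaintext the server
// recovered and whether a passive observer, who saw both public values but holds only its
// own key pair, failed to decrypt the traffic.
func RunExchange(msg string) (string, bool, error) {
	client, server, eve := newParty(), newParty(), newParty()
	// Both public values cross the network in the clear, in a fixed order.
	transcript := append(append([]byte{}, client.public().Bytes()...), server.public().Bytes()...)
	cs, err := client.session(server.public(), transcript)
	if err != nil {
		return "", false, err
	}
	ss, err := server.session(client.public(), transcript)
	if err != nil {
		return "", false, err
	}
	es, err := eve.session(server.public(), transcript) // eve's own private key, not the client's
	if err != nil {
		return "", false, err
	}
	ct, err := seal(cs, []byte(msg))
	if err != nil {
		return "", false, err
	}
	pt, err := open(ss, ct)
	if err != nil {
		return "", false, err
	}
	_, eveErr := open(es, ct) // different key: the GCM tag check fails
	return string(pt), eveErr != nil, nil
}

func main() {
	got, blocked, err := RunExchange("customer record 42")
	fmt.Printf("server recovered %q, eavesdropper blocked=%v, err=%v\n", got, blocked, err)
}
```

The derivation step matters as much as the curve: feeding both public values into the key derivation binds the session key to this particular exchange, and running the shared secret through an extract/expand rather than using it raw is what every modern handshake, TLS 1.3 included, does.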
What does “Data at Rest” mean in cloud computing?
Data at rest refers to information while it is stored and not in active use within systems, networks, or storage volumes.
When data is at rest, appropriate and suitable security controls need to be applied to ensure the ongoing confidentiality and integrity of information.
Encryption of stored data, or data at rest, continues to gain traction for both cloud-based and non-cloud-based environments.
The cloud architect is typically responsible for the design and assessment of the encryption algorithms used within cloud environments.
Of key importance, for both security and performance, is how encryption is deployed and implemented on the target hosts and platforms.
Selection and testing of the encryption are therefore essential before deployment, because in some cases encryption noticeably affects performance.
User interface (UI) response times can suffer, and encryption can consume up to a quarter, or even half, of the processor capacity that would be available in an unencrypted environment; the impact varies with the type, strength, and algorithm, and is far smaller on processors with hardware acceleration for AES.
In high-performing environments with significant processor utilization requirements, encryption of data at rest may therefore not be enabled as standard.
Encryption of data at rest gives organizations assurance that the opportunities for unauthorized access to or viewing of data through information spills or residual data are further reduced.
Note that when information is encrypted on the CSP side, it may prove challenging to obtain or extract your data in the event of discrepancies or disputes with the provider.
What does “Encryption/crypto Key Management” mean in cloud computing?
In traditional banking environments, two people with separate keys were required to open the safe; this dual control reduced thefts, crimes, and bank robberies.
Encryption keys, like the bank's safe, should never be controlled by a single person.
Encryption and segregation of duties should always go hand in hand.
Key management should be separated from the provider hosting the data. Data owners should be positioned to make decisions (in line with organizational policies) and ultimately should be in a position to apply encryption and its controls,
manage the key management processes, select the storage location for the encryption keys (on-premises in an isolated location is typically the best security option), and retain ownership of and responsibility for key management.
Why is Key Management important in cloud encryption?
From a security perspective, holding your own keys removes the dependency on, or the assumption that, the CSP is handling the encryption processes and controls correctly.
You are also not exposed by shared keys or data spillage within the cloud environment, because you have a unique and separate encryption mechanism that applies an additional level of security and confidentiality at both the data and transport levels.
What are the “Common Approaches to Key Management” in cloud encryption?
For cloud computing key management services, the following two approaches are most commonly utilized:
Remote Key Management Service (KMS): The customer maintains the KMS on-premises. Ideally, the customer owns, operates, and maintains the KMS; the customer controls the confidentiality of the information, while the CSP focuses on the hosting,
processing, and availability of services. Note that hybrid connectivity is required between the CSP and the cloud customer for encryption and decryption to function, so the availability of that link becomes an availability dependency for the service.
Client-Side Key Management: Similarly to the remote KMS approach, the client-side approach puts the customer or cloud user in complete control of the encryption and decryption keys.
The main difference is that most of the processing and control is done on the customer side.
The CSP provides the KMS capability; however, the KMS resides on the customer's premises, where the customer generates, holds, and retains the keys. Note that this approach is typically utilized for SaaS environments and cloud deployments.
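To make the remote and client-side KMS models concrete, here is an added Go example (not code from the original article or from any provider's SDK) of envelope encryption with a customer-held key encryption key (KEK). The CustomerKMS type is an in-memory stand-in for the customer's on-premises KMS or HSM, the key and object identifiers are constructed for the example, and the CSP is represented only by the StoredObject it would hold. Decrypting with a second KMS instance that carries the same key ID but a different KEK fails, which is the provider's position in both models; RotateKEK shows the lifecycle point that rotating the KEK re-wraps only the per-object data key and never touches the stored ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CustomerKMS stands in for the customer-operated key service (an HSM or on-premises KMS
// in production); it holds the key encryption key (KEK) and exposes only wrap and unwrap.
type CustomerKMS struct {
	kek   []byte
	KeyID string
}

func NewCustomerKMS(keyID string) *CustomerKMS {
	return &CustomerKMS{kek: randomBytes(32), KeyID: keyID}
}

// WrapDEK and UnwrapDEK bind the wrapped key to KeyID through GCM associated data.
func (k *CustomerKMS) WrapDEK(dek []byte) []byte { return seal(k.kek, dek, []byte(k.KeyID)) }
func (k *CustomerKMS) UnwrapDEK(w []byte) ([]byte, error) { return open(k.kek, w, []byte(k.KeyID)) }

// randomBytes panics on a crypto/rand failure, which nothing upstream can recover from.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; with 32-byte keys these constructors cannot fail, so an
// error would be a programming bug and is treated as one.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal prefixes a fresh random 96-bit nonce; open rejects a wrong key, any modified
// byte, or associated data (aad) that differs from what was sealed.
func seal(key, plaintext, aad []byte) []byte {
	nonce := randomBytes(12)
	return gcm(key).Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], aad)
}

// StoredObject is everything the CSP ever holds; none of it is usable without the KEK.
type StoredObject struct {
	Name       string // object identifier, bound to the ciphertext as aad
	KeyID      string // which customer KEK wraps the DEK
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a fresh per-object data encryption key (DEK), encrypts with it, and
// stores the DEK only in wrapped form; the plaintext DEK is a local that is never kept.
func Encrypt(kms *CustomerKMS, name string, plaintext []byte) *StoredObject {
	dek := randomBytes(32)
	return &StoredObject{Name: name, KeyID: kms.KeyID,
		WrappedDEK: kms.WrapDEK(dek), Ciphertext: seal(dek, plaintext, []byte(name))}
}

// Decrypt must first unwrap the DEK through the customer's KMS; whoever holds only the
// StoredObject, the CSP included, fails at that step.
func Decrypt(kms *CustomerKMS, obj *StoredObject) ([]byte, error) {
	dek, err := kms.UnwrapDEK(obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", kms.KeyID, err)
	}
	return open(dek, obj.Ciphertext, []byte(obj.Name))
}

// RotateKEK re-wraps only the DEK under a new KEK; the bulk ciphertext held by the CSP
// is untouched, which is what keeps periodic key rotation cheap.
func RotateKEK(oldKMS, newKMS *CustomerKMS, obj *StoredObject) error {
	dek, err := oldKMS.UnwrapDEK(obj.WrappedDEK)
	if err != nil {
		return err
	}
	obj.WrappedDEK, obj.KeyID = newKMS.WrapDEK(dek), newKMS.KeyID
	return nil
}
```

Typical use is Encrypt with the owner's CustomerKMS, hand the StoredObject to the provider, and Decrypt only through the same KMS; a Decrypt attempt with NewCustomerKMS(obj.KeyID) fails at the unwrap step because that instance holds a different KEK. In a real deployment the wrap and unwrap calls are network requests to the customer's KMS over the hybrid connectivity described above, so the KMS's availability becomes an availability dependency for every read of the data.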