Cloud Storage Encryption is an important technology to consider and use when implementing systems that allow for secure data storage and usage from the cloud.
Although having encryption enabled on all data across the enterprise architecture reduces the risks associated with unauthorized data access and exposure, there are performance constraints and concerns to be addressed.
It is your responsibility as a cloud professional to implement encryption within the enterprise in such a way that it provides the most security benefit, safeguarding the most mission-critical data while minimizing the system performance impact that results from the encryption.
Encryption can be implemented within different phases of the data lifecycle:
DIM: Technologies for encrypting data in motion are mature and well defined and include Internet Protocol security (IPsec), virtual private network (VPN), transport layer security/secure sockets layer (TLS/SSL), and other wire-level protocols.
DAR: When the data is archived or stored, different encryption techniques should be used.
The encryption mechanism itself may well vary in the manner in which it is deployed, dependent on the timeframe or indeed the period for which the data is stored.
Examples of this include extended retention versus short-term storage, data located in a database versus a file system, and so on. This module discusses mostly DAR encryption scenarios.
DIU: Data that is being shared, processed, or viewed.
This stage of the data lifecycle is less mature than other data encryption techniques and typically focuses on IRM and DRM solutions.
Sample Use Cases for Encryption
The following are some use cases for encryption:
- When data moves in and out of the cloud for processing, archiving, or sharing.
- Data-in-motion techniques such as SSL/TLS or VPN are used to avoid information exposure or data leakage while the data is in transit.
- Protecting data at rest such as file storage, database information, application components, archiving, and backup applications.
- Files or objects that must be protected when stored, used, or shared in the cloud.
- When complying with regulations such as HIPAA and PCI DSS, which require protection of data traversing untrusted networks and protection of certain data types.
- Protection from third-party access via subpoena or lawful interception.
- Creating enhanced or increased mechanisms for logical separation between different customers’ data in the cloud.
- Logical destruction of data (crypto-shredding by destroying the keys) when physical destruction is not feasible or technically possible.
Cloud Encryption Challenges
There are myriad factors influencing encryption considerations and associated implementations in the enterprise.
Using encryption should always be directly related to business considerations, regulatory requirements, and any additional constraints that the organization may have to address.
Different techniques will be used based on the state of the data—whether at rest, in transit, or in use—while in the cloud.
Different options might apply when dealing with specific threats, such as protecting personally identifiable information (PII) or legally regulated information, or when defending against unauthorized access and viewing from systems and platform administrators.
Cloud Storage Encryption Challenges
The following challenges are associated with encryption:
- The integrity of encryption is heavily dependent on control and management of the relevant encryption keys, including how they are secured.
- If the CSP holds the keys, not all data threats are mitigated because unauthorized actors may gain access to the data through the acquisition of the keys via a search warrant, legal ruling, or theft and misappropriation.
- Equally, if the customer is holding the encryption keys, this presents different challenges to ensure they are protected from unauthorized usage as well as compromise.
- Encryption can be challenging to implement effectively when a CSP is required to process the encrypted data.
- This is true even for simple tasks such as indexing and the gathering of metadata.
- Data in the cloud is highly portable. It replicates, is copied, and is backed up extensively, making encryption and key management challenging.
- Multitenant cloud environments and the shared use of physical hardware present challenges for the safeguarding of keys in volatile memory such as random access memory (RAM) caches.
- Secure hardware for encrypting keys may not exist in cloud environments, with software-based key storage often being more vulnerable.
- Storage-level encryption is typically less complex and can be more easily exploited and compromised, given sufficient time and resources.
- The higher you go toward the application level, the more complex deploying and implementing encryption becomes.
- However, encryption implemented at the application level is typically more effective at protecting the confidentiality of the relevant assets or resources.
- Encryption can negatively affect performance, especially high-performance data processing mechanisms such as data warehouses and data cubes.
- The nature of cloud environments typically requires you to manage more keys than traditional environments (access keys, API keys, encryption keys, and shared keys, among others).
- Some cloud encryption implementations require all users and service traffic to go through an encryption engine.
- This can result in availability and performance issues both to end-users and to providers.
- Throughout the data lifecycle, data can change locations, format, encryption, and encryption keys. Using the data security lifecycle can help document and map all those different aspects.
- Encryption affects data availability.
- Encryption complicates data availability controls such as backups, disaster recovery planning (DRP), and colocations because expanding encryption into these areas increases the likelihood that keys may become compromised.
- In addition, if encryption is applied incorrectly within any of these areas, the data may become inaccessible when needed.
- Encryption does not solve data integrity threats.
- Data can be encrypted and yet be subject to tampering or file replacement attacks. In this case, supplementary cryptographic controls such as digital signatures need to be applied, along with nonrepudiation for transaction-based activities.
Cloud Storage Encryption Architecture
Encryption architecture is very much dependent on the goals of the encryption solutions, along with the cloud delivery mechanism.
Protecting DAR from local compromise or unauthorized access differs significantly from protecting DIM into the cloud. Adding controls to protect the integrity and availability of data can further complicate the process.
Typically, the following components are associated with encryption deployments:
- The data: This is the data object or objects that need to be encrypted.
- Encryption engine: This performs the encryption operation.
- Encryption keys: All encryption is based on keys. Safeguarding the keys is a crucial activity, necessary for ensuring the ongoing integrity of the encryption implementation and its algorithms.
Data Encryption in IaaS
Keeping data private and secure is a key concern for those looking to move to the cloud. Data encryption can provide confidentiality protection for data stored in the cloud. In IaaS, encryption encompasses both volume and object storage solutions.
Basic Cloud Storage Encryption
Where storage-level encryption is utilized, the encryption engine is located on the storage management level, with the keys usually held by the CSP.
The engine encrypts data written to the storage and decrypts it when exiting the storage (that is, for use).
This type of encryption is relevant to both object and volume storage, but it only protects from hardware theft or loss.
It does not protect from CSP administrator access or any unauthorized access coming from the layers above the storage.
Volume Cloud Storage Encryption
Volume storage encryption requires that the encrypted data reside on volume storage. This is typically done through an encrypted container, which is mapped as a folder or volume.
Instance-based encryption allows access to data only through the volume OS and therefore protects against the following:
- Physical loss or theft
- External administrator(s) accessing the storage
- Snapshots and storage-level backups being taken and removed from the system
Volume storage encryption does not protect against access made through the instance, or against an attack that is manipulating or operating within the application running on the instance.
Two methods can be used to implement volume storage encryption:
- Instance-based encryption: When instance-based encryption is used, the encryption engine is located on the instance itself. Keys can be guarded locally but should be managed external to the instance.
- Proxy-based encryption: When proxy-based encryption is used, the encryption engine is running on a proxy instance or appliance. A proxy instance is a secure machine that handles all cryptographic actions, including key management and storage.
- The proxy maps the data on the volume storage while providing access to the instances. Keys can be stored on the proxy or in external key storage (recommended), with the proxy providing the key exchanges and the required safeguarding of keys in memory.
Cloud Storage Object Storage Encryption
The majority of object storage services offer server-side storage-level encryption, as described previously.
This kind of encryption offers limited effectiveness, with the recommendation for external mechanisms to encrypt the data before its arrival within the cloud environments.
Potential external mechanisms include the following:
File-level encryption: Examples include IRM and DRM solutions, both of which can be effective when used in conjunction with file hosting and sharing services that typically rely on object storage.
The encryption engine is commonly implemented at the client-side and preserves the format of the original file.
Application-level encryption: The encryption engine resides in the application that is utilizing the object storage. It can be integrated into the application component or by a proxy that is responsible for encrypting the data before going to the cloud.
The proxy can be implemented on the customer gateway or as a service residing at the external provider.
Cloud Storage Database Encryption
For database encryption, the following options should be understood:
File-level encryption: Database servers typically reside on volume storage. For this deployment, you are encrypting the volume or folder of the database, with the encryption engine and keys residing on the instances attached to the volume.
External file system encryption protects from media theft, lost backups, and external attacks but does not protect against attacks with access to the application layer, the instance's OS, or the database itself.
Transparent encryption: Many database management systems contain the ability to encrypt the entire database or specific portions, such as tables.
The encryption engine resides within the database, and it is transparent to the application. Keys usually reside within the instance, although processing and managing them may also be offloaded to an external Key Management Service (KMS).
This encryption can provide effective protection from media theft, backup system intrusions, and certain database and application-level attacks.
Application-level encryption: In application-level encryption, the encryption engine resides at the application that is utilizing the database.
Application encryption can act as a robust mechanism to protect against a range of threats, such as compromised administrative accounts and other database and application-level attacks.
Because the data is encrypted before reaching the database, it is challenging to perform indexing, searches, and metadata collection.
Encrypting at the application layer can be challenging because of the expertise required for cryptographic development and integration.
Key management is one of the most challenging components of any encryption implementation.
Even though new standards such as Key Management Interoperability Protocol (KMIP) are emerging, safeguarding keys and appropriately managing those keys are still the most complicated tasks you will need to engage in when planning cloud data security.
Following are some common challenges with key management:
- Access to the keys: Leading practices coupled with regulatory requirements may set specific criteria for key access, along with restricting or not permitting access to keys by CSP employees or personnel.
- Key storage: Secure storage for the keys is essential to safeguarding the data. In traditional in-house environments, keys could be stored in secure dedicated hardware.
- This may not always be possible in cloud environments.
- Backup and replication: The nature of the cloud results in data backups and replication across several different formats.
- This can affect the ability to maintain and manage keys effectively over both the short and the long term.
Key Management Considerations
Here are some considerations when planning key management:
- Random number generation should be conducted as a trusted process.
- Throughout the lifecycle, cryptographic keys should never be transmitted in the clear; they should always remain in a trusted environment.
- When considering key escrow or key management “as a service,” carefully plan to take into account all relevant laws, regulations, and jurisdictional requirements.
- Lack of access to the encryption keys will result in a lack of access to the data. This should be considered when discussing confidentiality threats versus availability threats.
- Where possible, key management functions should be conducted separately from the CSP to enforce separation of duties, so that unauthorized data access would require collusion between the parties.
Key Storage in the Cloud
Key storage in the cloud is typically implemented using one or more of the following approaches:
Internally managed: In this method, the keys are stored on the virtual machine or application component that is also acting as the encryption engine.
This type of key management is typically used in storage-level encryption, internal database encryption, or backup application encryption. This approach can help mitigate the risks associated with lost media.
Managed by a third party: This is when a trusted third party provides key escrow services.
Key management providers use specifically developed secure infrastructure and integration services for key management.
You must evaluate any third-party key storage services provider that may be contracted by the organization to ensure that the risks of allowing a third party to hold encryption keys are well understood and documented.
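The following Ruby sketch is an added example (not part of the original notes) of the externally held key arrangement recommended above: each object is sealed under a fresh data encryption key, and only that key, wrapped under a KEK that stays with the customer, reaches storage beside the ciphertext, so the provider holds nothing that yields plaintext. Because AES-GCM is authenticated encryption, the same code also shows the tamper detection that plain encryption lacks (see the integrity caveat in the challenges list); nonrepudiation would still need signatures. The struct, function names and the sample record are assumptions of this example.

```ruby
require "openssl"
# What the storage provider actually holds: object ciphertext plus the per-object
# data encryption key (DEK) wrapped under a customer-held key-encryption key (KEK).
StoredObject = Struct.new(:wrapped_dek, :ciphertext)
IV_LEN  = 12 # AES-GCM nonce length
TAG_LEN = 16 # AES-GCM authentication tag length

# AES-256-GCM seal: returns iv || tag || ciphertext. GCM is authenticated, so a
# modified blob fails on open instead of silently decrypting to garbage.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ""
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

# Inverse of seal. Raises OpenSSL::Cipher::CipherError if the tag does not verify.
def open_sealed(key, blob)
  raise ArgumentError, "blob truncated" if blob.bytesize < IV_LEN + TAG_LEN + 1
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = key
  c.iv = blob.byteslice(0, IV_LEN)
  c.auth_tag = blob.byteslice(IV_LEN, TAG_LEN)
  c.auth_data = ""
  c.update(blob.byteslice(IV_LEN + TAG_LEN, blob.bytesize)) + c.final
end

# Client-side envelope encryption before upload: fresh DEK per object (hypothetical helper).
def encrypt_for_cloud(kek, plaintext)
  dek = OpenSSL::Random.random_bytes(32)
  StoredObject.new(seal(kek, dek), seal(dek, plaintext))
end

# Unwrap the DEK with the customer KEK, then open the object.
def decrypt_from_cloud(kek, obj)
  dek = open_sealed(kek, obj.wrapped_dek)
  open_sealed(dek, obj.ciphertext)
end

# Simulated storage-side tampering: flip one bit of the stored ciphertext and
# report whether decryption was refused (true) or returned data anyway (false).
def tamper_detected?(kek, obj)
  ct = obj.ciphertext.dup
  ct.setbyte(-1, ct.getbyte(-1) ^ 0x01)
  decrypt_from_cloud(kek, StoredObject.new(obj.wrapped_dek, ct))
  false
rescue OpenSSL::Cipher::CipherError
  true
end
```

Rotating the KEK only requires re-wrapping each small DEK, not re-encrypting the objects themselves.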
Key Management in Software Environments
Typically, CSPs protect keys using software-based solutions to avoid the additional cost and overhead of hardware-based security models.
Software-based key management solutions do not meet the physical security requirements specified in the National Institute of Standards and Technology (NIST) Federal Information Processing Standards Publication (FIPS) 140-2 or 140-3 specifications.
Software alone is unlikely to provide evidence of tampering. The lack of FIPS certification for encryption may be an issue for U.S. federal government agencies and other organizations.