Cryptography has been with us since the dawn of human civilization. People wanted to keep sensitive information from prying eyes long before the invention of the complex, computer-based encryption methods we use today. The ancient Greeks protected a secret message by tattooing it on the shaved head of a messenger. The messenger’s hair grew back during the journey to the destination and rendered the message invisible; the receiver of the message only needed to know a good barber in order to read it upon arrival.
So what does this have to do with companies putting sensitive data in the cloud? Just like the ancient Greeks, we are trying to keep our secrets safe from prying eyes. The methods have changed, but the goal remains the same. One of the best ways to ensure confidential data is protected in the cloud is to use encryption for data in transit and data at rest. There are still potential issues with encryption that need to be considered when evaluating cloud services. Almost all cloud service providers support encryption for data in transit, but few offer support for data at rest. The cloud encryption capabilities of the service provider need to match the sensitivity of the data being hosted.
Cloud encryption options
The basic business model of the typical cloud services provider is based on the idea of scalability: the more customers that can utilize shared resources, the better the profit margin for the cloud services provider. This idea works in reverse as well: the more customers that can utilize shared resources, the lower the cost paid by each customer. These facts play a critical role in the cloud provider’s decision to offer encryption services. Encryption adds processor overhead, so it lowers the number of customers per resource and increases overall costs. For this reason, most cloud providers will only offer basic encryption on a few database fields, such as passwords and account numbers. There are usually options available from the cloud provider to encrypt the entire database, but this dramatically increases cost, to the point where cloud hosting is more expensive than internal hosting.
Some cloud providers offer alternatives to encryption that do not carry the same performance impact, such as redacting or obfuscating confidential data. This can sound appealing, but it is just another form of “security through obscurity”: neither technique is effective at securing confidential data because both are easily bypassed.
Another cloud encryption alternative that a service provider may offer in order to reduce the encryption performance penalty is its own custom encryption solution. This is a major red flag for potential customers, for several reasons. The current encryption standards have been thoroughly tested and verified over many years by many brilliant engineers and cryptographers. A cloud service provider is unlikely to fund that level of development for a proprietary encryption scheme, and the scheme won’t receive the same public scrutiny and feedback as the currently accepted standards. This creates a strong possibility of a cryptographic mistake that could leave customer data exposed. Proprietary encryption schemes should be avoided at all costs.
A cloud provider that offers a standards-based encryption solution may still carry other risks that need to be considered. Encrypted data is only as secure as the private key used to encrypt it. Key management becomes a critical issue, and the cloud provider must have policies and procedures in place for the generation, storage and archival of private keys. Keep in mind that anyone who possesses that private key has access to your confidential data.
Additional cloud encryption considerations
There are still other operational encryption issues that must be considered when using a cloud service provider. These operational processes include the policies and procedures for encrypting tape backups and other removable media, such as DVD-R and USB devices. Your data may be safely encrypted in the provider’s database, but if the provider uses unencrypted media in its operations, you may still be at risk of exposure. It’s important to understand these operational risks before putting your data in the provider’s care.
Finally, there are still areas where the technology does not permit encryption. For the cloud provider to actually process the data, the data must be decrypted at some point. This may change with the advent of homomorphic encryption, which IBM demonstrated in 2009 and which allows data to be processed while it remains encrypted. This is a future technology, but it would certainly increase the security capabilities of cloud providers.
Cloud encryption and compliance
So the million-dollar question becomes: “Should regulated data be put into the cloud?” It’s certainly possible to maintain compliance with regulations while using cloud services. Encryption plays a big role in compliance, as many regulations require specific data elements to be encrypted. This type of requirement is present in GLBA, PCI DSS and HIPAA, to name a few. The most important guidance on encryption is publicly available in NIST SP 800-111 and FIPS 140-2. These standards can help you evaluate the encryption capabilities of a cloud provider for compliance with regulations.
Encryption is a powerful tool that can be used effectively to protect a company’s confidential data in the cloud. It’s important for a company to investigate and understand how the cloud provider uses encryption in its operational procedures. Only then can a company confidently use cloud providers knowing that its confidential data is protected by encryption. Modern encryption algorithms far surpass the protections that were available to the ancient Greeks for their sensitive data, and no one will need their head shaved.
About the author:
Joseph Granneman, CISSP, has over 20 years of experience in information technology and security, in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois and the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.