I've started to joke that the growing adoption for cloud computing could be renamed the "Stored Data Encryption Engineer Full Employment Act." Encryption has always been an essential security tool, but for the most part, we haven't used it very often to protect stored data. That's starting to change due to the double whammy of cloud computing, and a heck of a lot of public data exposures.
Now the reasons for cloud computing encryption aren't necessarily what you think. The most common belief is it is to protect data from the administrators of your cloud service (and this is mostly applied to public cloud computing). Your cloud provider peering at your data is definitely a potential risk, but for most of you it's probably a small one. This also makes it seem as if you don't need to encrypt private cloud data.
Cloud encryption drivers
Aside from the usual reasons you would encrypt data (in or out of the cloud) there are two primary drivers that become more important with cloud computing:
- Clouds are managed by APIs, not physical access. Thus, someone can duplicate and move large amounts of data if they gain administrative access to the management plane on a scale simply not possible with traditional infrastructure. All it takes is one compromised admin system (assuming you've failed to segregate) to steal your entire cloud-based data center.
- Clouds are multitenant by nature, even when private. Encryption provides greater isolation of your data from other users (even administrators). It allows you to use a more open shared infrastructure, while still protecting your own data -- if you do it right.
With those reasons in mind, let's look at the two kinds of IaaS storage and how you should encrypt them for IaaS security.
Cloud encryption: Object storage
First up is object storage, such as Amazon S3 or OpenStack Swift. Object storage is a file/object repository. Think of it like a file server vs. a hard drive. Although you can configure most object storage systems to encrypt all the data they store, this isn't granular and only protects against lost drives, not someone else gaining access to your files.
To protect your files in a shared repository, you need to use an architecture I call “virtual private storage.” Just as virtual private networks allow us to encrypt private data and then use a public network, virtual private storage allows us to protect private data in public storage.
It's pretty simple in principle: Encrypt your data before you send it off to the cloud. Depending on what you're doing, this can be automated within the agent/application you use to access the object storage. For example, I use Dropbox (which stores files on S3) and I protect the sensitive ones by placing them in an encrypted volume that's stored on the service. Only I have the key, so my data is safe.
Cloud computing encryption: Volume storage
Next, we have volume storage, such as Amazon EBS or RackSpace RAID. These are the storage systems you use when running persistent compute instances in the cloud. They emulate a regular hardware volume, and thus we encrypt them using similar techniques.
The first option is to encrypt the volume attached to your instance. Your instance isn't encrypted (that's more complex for a boot volume), but you store the sensitive data on an encrypted volume attached to the instance. There are a lot of tools that support this, and they don't even need anything special to work in the cloud. For extra security, you can store the key outside your instance (sorry, that's fodder for future articles due to space limits).
The next option is to use a special encryption proxy between your compute instance and either a storage volume or a second instance working as a file server. This is useful when you have a bunch of instances connecting to the same storage, or need to emulate a wider range of storage types than supported by the tools in your instance. These proxies are generally commercial products, and are basically virtual appliances you run within your cloud environment.
Finally, and especially for private or hybrid clouds, you can use externally managed encryption tools, which might even be physical hardware. These are, again, commercial products and are useful for leveraging existing encryption investments or for more complex deployment scenarios.
Now I don't mean to oversimplify IaaS storage encryption. There are a lot of options and use cases I don't have the space to cover, but the IaaS security basics aren't as complex as you might think. The Cloud Security Alliance’s training includes a hands-on volume encryption exercise that only takes about 10 minutes.
About the author:
Rich Mogull has nearly 20 years of experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats to risk management frameworks and major application security.