In a bid to reassure customers following revelations of government intelligence agency snooping in 2013, cloud service providers including Google and Amazon have rushed out free automatic server-side encryption on their cloud services – and not before time.
The move has been seen by many as a positive one for companies that are mandated to protect customer data when running a business application on Google, but it could equally be argued that encouraging them to leave encryption in the hands of the cloud provider is a step in the wrong direction.
While it’s obvious that Google and others are covering their own backs and jumping on the marketing opportunity of NSA-related paranoia by having these security processes in place, it’s not exactly clear just how adequate their server-side measures are.
After announcing in August last year that it would be automatically encrypting all data on its cloud storage platform before it is written to disk, Google added that it would still advise data to be encrypted at the user end for those who prefer to manage their own encryption keys, emphasising that the responsibility for risk management still legally lies with the customer.
Jamal Elmellas, technical director at data security specialist Auriga, strongly advises that organisations should be wary from the outset of cloud providers with proprietary encryption software and mechanisms, especially those that retro-fit encryption to their already established solutions.
‘Encryption should be intrinsic to the solution,’ says Elmellas. ‘It should be considered from the outset by the provider, and this enables them to offer a solution which applies the most appropriate type of encryption to the right parts of the infrastructure.’
Processes, logging, auditing and total involvement by the customer are a few of the ways that risks can be minimised when outsourcing encryption, but for companies handling sensitive data, encrypting everything themselves may seem like the safest bet.
However, as Elmellas explains, this option opens up a whole new complex set of considerations.
‘It’s far easier to get cloud encryption wrong than it is to get it right,’ says Elmellas. ‘There are a number of areas which pose substantial risk to an organisation’s data and the cloud encryption approach. The more complex the cloud infrastructure the more thought needs to be applied to the encryption approach. It’s very easy to get things wrong and impact system integration requirements, speed and search-ability as well as data confidentiality and integrity.’
As for the ‘one size fits all’ approach to encryption offered by most cloud service providers, this just won’t do in an enterprise situation – a holistic method that takes into account the business lifecycle, processes and risks is essential to ensuring the right type of encryption is applied to the right data.
In the simplest generic storage scenario, this means protecting the data at rest, preferably with a key that’s only accessible to the consumer. But when you throw complexity and diversity into the cloud blender, as Elmellas puts it, ‘applying encryption to the soup of data and functionality that now exists in a public facing domain becomes somewhat more of a challenge.’
The issues that must be taken into consideration before encryption is put into place include auditing requirements, monitoring, privileged user control, data flow and work flow. Many factors should be considered so as not to impede access, breach governance or disrupt other vital business functions.
For instance, a business may apply encryption to sensitive HR data not realising that the finance department interfaces with the data set for payroll purposes on a monthly basis. This could have serious consequences if the encryption mechanisms have not been applied intelligently.
As Trish Reilly, senior product manager for cloud at Voltage Security advises, a cloud security checklist – just like the kind required for uptime or data availability – is a necessary blueprint for the cloud:
‘Think about the ability to control data assets to meet regulations, mitigate data threats and breaches in a way that is agreed upon between all parties, and grant data access to maintain business agility and data availability. The method you choose should allow you to validate and prove to auditors and the QSAs that you have protected the data.’
There are some drawbacks to using encryption in terms of performance: if an organisation’s CPU platform does not have the latest encryption support built into the chip, processes can be slowed down considerably, with an overhead exceeding 40% instead of the standard 2-6%.
‘If you have backup processes that also use encryption, you may be encrypting a file twice and have inefficient de-duplication processes and the resulting higher storage and transfer costs,’ warns Reilly. ‘If you do not have good separation of duties and key management processes in place, the encryption processes may hold risks. And as always; if you lose the key, you will lose access to the data.’
Bearer of the keys
The fundamental issue is that whoever has access to the keys has access to the data, which is why it is industry-recognised best practice to separate key management from the cloud provider to meet enterprise requirements, data residency and many compliance requirements.
But a surprising number of organisations struggle to get to grips with the key management process themselves and should tread carefully. This is why bringing in a third party to share keys with that does not have access to the data itself is often a good option.
Traditional key management concepts such as key renewal, key recovery and escrow will still come into play, however. It may seem obvious, but any form of encryption, cloud or not, is limited by the strength of the encryption key and how well the key is protected.
‘If keys are inherently weak, transmitted insecurely or not rotated properly, the encryption used is flawed, providing a false sense of security,’ warns Elmellas. ‘The key management and access mechanisms must also be easily available to the systems using it, which means it must be secure, accessible and fast.’
The limitations around key management are made far worse when encryption is employed in a quick or default manner, says Orlando Scott-Cowley, director of technology marketing at cloud-based information management firm Mimecast.
‘This often occurs when admins try to rush out solutions to solve problems—very often services and software are just configured with default settings and passwords are weak,’ he says. ‘Encryption keys are no different, they need to be safely stored and protected in order for the data to remain secure.’
In examples such as static PKI-based approaches, the process imposed around key generation, compromise and destruction is very manual. In many cases, points out Reilly at Voltage, authentication of the key and user is based on endpoint possession of highly secret key material over its long lifecycle – possibly years.
‘However trust and authentication is a dynamic problem,’ she stresses. ‘The risk level in accessing data, and authentication of the person or system is very dynamic in nature.’
Recently an innovative approach to key management known as stateless key management has emerged as a means to simplify data encryption at scale, and to deliver data-centric security more transparently while reducing key management risks.
This method of key management enables keys to be derived as needed, reducing traditional management cost and risks and potentially enabling far simpler key management for the cloud.
‘Techniques such as Identity-Based Encryption (IBE) provide stateless key management as a powerful public/private key method for protecting and managing keys in securing unstructured data such as files, emails and large bulk data sets,’ explains Reilly.
Through this method, enterprises are able to retain residency of live information, eliminate the need to store keys in the cloud, locate key management in different geographies, and integrate with authentication and authorisation systems easily.
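The ‘derive keys as needed’ idea behind stateless key management can be illustrated without IBE: an added example (not from the article, Voltage or any vendor) in which a customer-held master secret plus public context (tenant, object identity, key version) deterministically regenerates each data key through HKDF-SHA256, so the provider stores only ciphertext and context and no key material ever lives in the cloud. The master secret, tenant and object labels are constructed placeholders.

```python
"""Stateless (derived) key management sketch, constructed for illustration.

Rather than storing one key per object, the customer keeps a single master
secret and re-derives every data key on demand with HKDF-SHA256 (RFC 5869).
The public context fed into the derivation binds each key to a tenant, an
object and a rotation epoch; the cloud provider keeps only that context.
"""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) built on HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class StatelessKeyManager:
    """Holds only the master secret; object keys are recomputed, never stored."""

    def __init__(self, master_secret: bytes, tenant: str):
        self._master = master_secret          # stays on customer premises
        self._tenant = tenant.encode()

    def object_key(self, object_id: str, key_version: int) -> bytes:
        # Public context: anyone may see it, nobody can derive the key without
        # the master secret. Bumping key_version is how rotation happens.
        info = b"|".join([b"object-key", self._tenant,
                          object_id.encode(), str(key_version).encode()])
        return hkdf_sha256(self._master, salt=b"stateless-kms-v1", info=info)


def stored_record(object_id: str, key_version: int, ciphertext: bytes) -> dict:
    """What the provider holds: ciphertext plus public context, no key."""
    return {"object_id": object_id, "key_version": key_version,
            "ciphertext": ciphertext}


if __name__ == "__main__":
    kms = StatelessKeyManager(b"constructed-master-secret-placeholder", "acme-hr")
    k1 = kms.object_key("payroll/2014-03.csv", key_version=1)
    k2 = kms.object_key("payroll/2014-03.csv", key_version=1)
    print("same context reproduces the key:", k1 == k2)
    print("record kept by provider:", stored_record("payroll/2014-03.csv", 1, b"<ciphertext>"))
```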
As well as positive advances such as this, Pete Nicoletti, chief information security officer at cloud platform provider Virtustream, thinks it likely that organisations will soon benefit from tools that will further simplify the key management process.
‘Currently encryption and key management are functions that are managed separately from the Hypervisor Manager, and the management of encryption agents and associated keys requires advanced support, trained personnel and following extensive and strict processes,’ says Nicoletti. ‘Over the next few years, more robust APIs will be written and used to orchestrate the encryption function programmatically from one, usually simple, interface.’
As far as key management and encryption security as a service in the cloud are concerned, they may become one of those ‘killer’ cloud services for a select few. But, Ryan Rubin, UK managing director of business consultancy Protiviti, explains, ‘We need to be cautious that similar to the promises of PKI several years ago, the market is ready and the technology robust enough to service client demands.’
Compliance standards such as VISA PIN standards, ANSI Key Management Standards, NIST standards, ISO standards and PCI DSS, which are already relatively mature in key management practices, might soon become established benchmarks for regulators to adopt and measure organisations against.
But whilst the foundations of tools and technology are there to support this market, Rubin believes there is a way to go before key management can mature, and businesses can finally be absolutely certain they have the best key management and encryption system possible:
‘Getting key management right is a challenge for many companies and unless appropriate measures are followed – both business operations and technology, establishing a trust in this space will take time and be hard to maintain longer term.’