Cloud Security – Protecting data at rest and in transit – Information Risk Management for the Cloud

By Sudhindra Kumar, Principal Software Engineer at NextLabs

In my previous blog, we discussed about Data Governance Policies and Regulatory Compliance.

In this post, we’ll see some of the options available to protect data at rest and in transit. A few years ago, protecting data in transit was considered more important than protecting data at rest. However, with the proliferation of Internet and cloud technologies, and the subsequent issues related to data breaches have put the spotlight on protecting data at rest as well. Let us take a look at different solutions for protecting data at rest and in transit:

Encryption is important to both data in motion as well and at rest. Choosing a strong encryption algorithm and defining a good key management policy are critical for the successful usage of encryption. The generation, storage, distribution, recovery and destruction of encryption keys must be well defined in the security policy. Most of the Cloud Service Providers (CSPs) can encrypt the data at rest as well as in transit. By default, CSPs provide their own Key Management Infrastructure (KMI) as part of their cloud services.  For improved security, customers can also choose to have their own KMI. My personal recommendation is to create your own KMI. This will give you better control over your data. It is never safe to keep the encryption key along with the data it encrypts. Consider options like secret sharing or Hybrid cryptosystems for better protection of the encryption keys.

You can also consider Homomorphic Encryption to protect the data. Homomorphic encryption will allow operations to be performed on encrypted data, without having to decrypt it. This would allow systems/applications to communicate securely with each other without ever having to exchange unencrypted data. This technology is still in a nascent stage, but you can expect to hear more of about this in the near future. Additionally, there’s an open source library called HElib which provides low-level routines for Homomorphic Encryption.

Another option to consider is Data Masking or Tokenization. Data Masking replaces parts of critical data with irrelevant characters, (so people are not authorized cannot see it) rendering the data useless in its current form. Tokenization is the process in which confidential data, such as a “Credit Card Number” or “Patient’s physical examination result” is replaced with an alternate value called a token.

Last but not least, you can also consider Rights Management. With Rights Management, you can control access to your cloud data and also how the cloud-stored data can be used. It works particularly well for unstructured data, such as documents and files stored in the cloud – think Google Drive, Dropbox or Skydrive.

What we’ve discussed so far are viable options for Platform as a Service and Infrastructure as a Service, where you have control over how data is managed on the platform or infrastructure. Even then, it is important to automate the protection of data.  Manual protection does not provide 100% compliance, but automation does provide 100% compliance. Ideally what data needs to be protected and how it is to be protected should be policy-driven so as to minimize user errors.

But, how do we protect data on Software as a Service? Automating the protection of data on SaaS is harder since you typically have much less control over how data is managed on these services. Major SaaS providers do provide options to encrypt sensitive information. If you trust the provider, you can settle for the encryption they provide. Otherwise, you can encrypt the data yourself before sending it to the SaaS application. This might be too cumbersome for the majority of end users. A better option would be to use an encryption proxy to encrypt and decrypt the data transferred to andfrom the provider. This proxy intercepts all communication with the SaaS application and encrypts and decrypts sensitive data. This can add a layer of security to the data without the end user being aware of it. The flip side of this option is that the proxy needs to have complete knowledge of the SaaS application in order to seamlessly integrate data encryption. Also, any change in the SaaS application can easily break the proxy. If none of these are acceptable, you can choose the data residency option that some CSPs provide. In this, you can choose where sensitive data in the SaaS application should reside. You can decide to keep it in-house or host it in a trusted secure 3^rd party data center. This might also be mandated by the regulatory requirements of some countries which prohibits storing sensitive data in foreign locations that don’t come under their jurisdiction.

Do keep in mind that Encryption is not a silver bullet that will solve all problems of data protection. Exponentially increasing computing power is making encryption algorithms vulnerable (read this blog to understand some of the potential vulnerabilities). There are also cases of State Security Agencies allegedly trying to break encryption technologies, as mentioned in this New York Times article. In fact, many countries have legislation that mandates disclosure of encryption keys on a need basis. Here’s a list of some of the countries that have such legislation.

It is imperative to have strong access control mechanisms in addition to encryption.  This can help negate insider attacks. It is also strongly advised that you use encryption for all forms of cloud computing – public, private and hybrid.  Given the increase in insider-led data breaches, encryption and access controls should be equally extended to Private Clouds.  Audit information must be collected and reviewed on a regular basis for access to sensitive data.  Today’s I.T. environments are heterogeneous, with new technologies and devices working alongside legacy systems. Care must be taken to ensure that the data protection solution you choose works for all these technologies.