When it comes to cloud data encryption, are all solutions equal?
As concerns continue to mount over data breaches, data security, and regulatory compliance, particularly in public cloud environments, a growing number of cloud service providers (CSPs) are stepping up to the plate with beefed-up encryption offerings to assuage their customers' concerns. The additional encryption these CSPs now provide can certainly aid in protecting sensitive data from some types of attacks, but is CSP-provided cloud data encryption enough to secure your data and achieve compliance?
In many cases, the answer is no, and the reason why is simple: Turning over control of encryption to a third party is like locking your house up…and giving someone else the keys. When it comes to cloud data encryption, control of your encryption keys is critical. The more control you have of your encryption keys, the more control you have over the security of your data, and vice versa. CSP access to your encryption keys makes your organization vulnerable in several different ways.
Rogue admins and DBAs
We've said it before… insider threats at CSPs are no laughing matter. A rogue admin or database administrator (DBA) can steal or leak your data, and if they have the encryption keys, that data will be in the clear. Identity theft and corporate espionage can promise big profits for unscrupulous employees. The fewer opportunities such employees have to gain from your sensitive data, the safer your data will be. The Economist recently reported that in the banking and finance industries, more than 12 percent of information theft is committed by insiders.
Session hijacking while data is in the clear
The type of encryption many cloud providers offer is storage encryption. When the data is in use, for example in database queries, search and indexing, or other application-level processing, and in APIs and the user interface, it is in the clear. Should a session be hijacked, the data will be exposed.
Forced disclosure and surveillance
When you hand someone else your keys, that someone else can open your house up to anyone who asks. In public cloud environments, those requests may come from government agencies as part of surveillance initiatives, and your CSP may not notify you or wait for your permission before unlocking your data. If you keep the encryption keys yourself, anyone wishing to view your corporate data must first notify you and gain your permission, giving you a chance to consider and respond to the request as appropriate for your legal and business needs.
For all these reasons and more, customer-side gateway encryption is a much more effective cloud data protection strategy. When you encrypt your data before it ever leaves your premises and retain exclusive control of your encryption keys, you prevent both hackers and rogue CSP insiders from gaining access to your data in the clear and ensure control over disclosure of your data to government agencies.
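As an added illustration (not code from this article or from any vendor), the sketch below shows the gateway idea at field level: sensitive fields are encrypted on premises before a record is uploaded, so the CSP stores only ciphertext. The field names, the sample record, the in-memory key and the choice of AES-256-GCM are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Assumption: the key is generated and held on premises (in practice inside a
// local KMS or HSM) and is never sent to the CSP.
const LOCAL_KEY = crypto.randomBytes(32);
const SENSITIVE_FIELDS = ['name', 'card_number']; // hypothetical field names

// Encrypt one field with AES-256-GCM. The record id and field name are bound
// in as associated data so a ciphertext cannot be moved to another field.
function encryptField(key, recordId, field, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${recordId}:${field}`));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt one field; final() throws if the key, the binding or the data is wrong.
function decryptField(key, recordId, field, blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${recordId}:${field}`));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Apply fn to every sensitive string field, leaving other fields untouched.
function mapSensitive(record, fn) {
  const out = { ...record };
  for (const f of SENSITIVE_FIELDS) {
    if (typeof out[f] === 'string') out[f] = fn(record.id, f, out[f]);
  }
  return out;
}

// What leaves the premises: sensitive fields replaced by ciphertext.
function toCloudRecord(key, record) {
  return mapSensitive(record, (id, f, v) => encryptField(key, id, f, v));
}

// What the gateway returns to internal users after fetching from the CSP.
function fromCloudRecord(key, stored) {
  return mapSensitive(stored, (id, f, v) => decryptField(key, id, f, v));
}

// Constructed sample record; 'plan' stays in the clear so the CSP can still process it.
const SAMPLE = { id: 'cust-1001', name: 'Alice Example', card_number: '4111111111111111', plan: 'gold' };
```

Anyone holding only the stored record, including a CSP administrator, sees base64 ciphertext for the protected fields; decryption succeeds only at the gateway that holds `LOCAL_KEY`.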
Customer-side gateway encryption ensures that you stand a better chance of remaining in compliance with data protection and data residency regulations, too. CSP-provided encryption satisfies some protection regulations, but not all. It won't be enough to remain in compliance with PCI DSS, GLBA, or the U.K. ICO Directives, for example. And as regulatory bodies continue to catch up with cloud computing technologies, the restrictions will no doubt narrow even further. Additionally, when cloud providers encrypt data only after it's uploaded to their cloud, you may breach some data residency laws due to your data traveling unprotected outside of your jurisdiction to the CSP's jurisdiction.