Six security issues to tackle before encrypting cloud data
Concern about security and privacy is likely to drive adoption of cloud encryption, but there are six security issues businesses should tackle
Concern about security and privacy in the cloud will drive adoption of cloud encryption systems, but Gartner warns there are six security issues that businesses should tackle.
The expected compound annual growth rates from 2011 to 2016 are 19.5% for software as a service (SaaS), 27.7% for platform as a service (PaaS), 41.3% for infrastructure as a service (IaaS) and 22% for security services spending.
However, security and privacy are still cited by many organisations as the top inhibitors of cloud services adoption, which has led to the introduction of cloud encryption systems in the past 18 months.
While encryption is important to the secure adoption of cloud services, it should not be viewed as the "silver bullet", warns Gartner in a recent research note.
Analysts recommend that enterprises should first develop a data security plan that addresses six security issues.
Failure to do so, they say, could add cost and complexity to the adoption of cloud computing without addressing the fundamental issues of data privacy and long-term security and resiliency.
They warn that badly implemented encryption systems may also even interfere with the normal functioning of some cloud-based services.
The six issues that must be addressed are:
- Breach notification and data residency
- Data management at rest
- Data protection in motion
- Encryption key management
- Access controls
- Long-term resiliency of the encryption system
Breach notification and data residency
Not all data requires equal protection, so businesses should categorise data intended for cloud storage and identify any compliance requirements relating to data breach notification, and any restrictions on storing data in other jurisdictions.
Gartner also recommends that enterprises put in place an enterprise data security plan that sets out the business process for handling access requests from government and law enforcement authorities. The plan should involve stakeholders such as legal, contracts, business units, security and IT.
Data management at rest
Businesses should ask specific questions to determine the cloud service provider’s (CSP's) data storage life cycle and security policy.
Businesses should find out if:
- Multitenant storage is being used, and if it is, find out what separation mechanism is being used between tenants.
- Mechanisms such as tagging are used to prevent data being replicated to specific countries or regions.
- Storage used for archive and backup is encrypted, and whether the key management strategy includes a strong identity and access management policy that restricts access within certain jurisdictions.
Gartner recommends that businesses use encryption to implement end-of-life strategies by deleting the keys to digitally shred the data, while ensuring that keys are not compromised or replicated.
Data protection in motion
As a minimum requirement, Gartner recommends that businesses ensure the CSP supports secure communication protocols, such as SSL/TLS for browser access and VPN-based connections for system access, to protect access to its services.
The research note says that businesses should always encrypt sensitive data in motion to the cloud, but if data is unencrypted while in use or in storage, it is incumbent on the enterprise to mitigate the risk of data breaches.
In IaaS, Gartner recommends that businesses favour CSPs that provide network separation among tenants, so that one tenant cannot see another's network traffic.
Encryption key management
Enterprises should always aim to manage the encryption keys themselves, but if the keys are managed by a cloud encryption provider, Gartner says they must ensure access management controls are in place that will satisfy breach notification and data residency requirements.
If keys are managed by the CSP, then businesses should require hardware-based key management systems within a tightly defined and managed set of key management processes.
When keys are managed or available in the cloud, Gartner says it is imperative that the vendor provides tight control and monitoring of snapshots of live workloads, to prevent the memory contents being analysed to obtain the key.
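The key hierarchy behind the two recommendations above (enterprise-held keys, and key deletion as the end-of-life strategy under "Data management at rest") is easier to see in code. The following is an added example, not code from the Gartner note or from any cloud provider: each object is encrypted under its own data key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays with the enterprise, and only the wrapped DEK and ciphertext go to the provider. Destroying the KEK then shreds every object at once, including the provider's backup replicas. The cipher is a stdlib HMAC-based stand-in for AES-GCM so the example runs without third-party packages; the `EnterpriseKek`, `CloudObjectStore`, `upload` and `download` names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Illustrative authenticated encryption built from stdlib HMAC-SHA256: a keystream in
# counter mode, then encrypt-then-MAC. It stands in for AES-GCM so the example runs
# without third-party packages; use a vetted library cipher in real deployments.
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class EnterpriseKek:
    """Key-encryption key that never leaves the enterprise (an HSM in practice). Hypothetical name."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)

    def _require(self) -> bytes:
        if self._key is None:
            raise RuntimeError("KEK destroyed: wrapped data keys are unrecoverable")
        return self._key

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._require(), dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self._require(), wrapped)

    def destroy(self) -> None:
        # Crypto-shredding: every object whose DEK was wrapped under this KEK becomes unreadable.
        self._key = None

    def uncontrolled_copy(self) -> "EnterpriseKek":
        # The failure mode the text warns about: a replicated KEK defeats shredding.
        return EnterpriseKek(self._require())


class CloudObjectStore:
    """Provider side: holds only ciphertext plus the wrapped DEK, and replicates to backup."""

    def __init__(self):
        self.primary, self.backup = {}, {}

    def put(self, name: str, wrapped_dek: bytes, ciphertext: bytes) -> None:
        self.primary[name] = self.backup[name] = (wrapped_dek, ciphertext)

    def get(self, name: str):
        return self.primary[name]


def upload(store: CloudObjectStore, kek: EnterpriseKek, name: str, plaintext: bytes) -> None:
    dek = secrets.token_bytes(32)  # fresh data key per object
    store.put(name, kek.wrap(dek), seal(dek, plaintext))


def download(store: CloudObjectStore, kek: EnterpriseKek, name: str) -> bytes:
    wrapped_dek, ciphertext = store.get(name)
    return unseal(kek.unwrap(wrapped_dek), ciphertext)
```

The point of `uncontrolled_copy` is the caveat in the text: shredding by key deletion only works if no replica of the KEK survives, which is why the recommendation pairs it with hardware-backed key storage and tightly managed key processes. A memory snapshot of a workload holding an unwrapped DEK is the same failure in a different form.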
Access controls
Gartner recommends that businesses require the CSP to support IP subnet access restriction policies so that enterprises can restrict end-user access from known ranges of IP addresses and devices.
The enterprise should demand that the encryption provider offer adequate user access and administrative controls, stronger authentication alternatives such as two-factor authentication, management of access permissions, and separation of administrative duties such as security, network and maintenance.
Businesses should also require:
- Logging of all user and administrator access to cloud resources, with the logs provided to the enterprise in a format suitable for log management or security information and event management (SIEM) systems.
- The CSP to restrict access to sensitive system management tools that might "snapshot" a live workload, perform data migration, or back up and recover data.
- That images captured by migration or snapshotting tools are treated with the same security as other sensitive enterprise data.
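The access-control requirements listed in this section (IP range restriction, stronger authentication for administrators, separation of administrative duties, restricted access to snapshot and migration tools, and SIEM-ready logs) can be expressed as one policy check. The following is an added example written for this page, not a real CSP's policy engine: the allowlisted networks, role names, action names and the `evaluate_access` and `to_log_line` functions are all hypothetical, and the policy is a constructed tenant configuration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed tenant policy (hypothetical values, not a real provider's configuration).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
ACTION_ROLES = {
    "read_object": {"analyst", "security-admin", "platform-admin"},
    "snapshot_vm": {"platform-admin"},    # sensitive: a snapshot can capture key material in memory
    "migrate_data": {"platform-admin"},
    "restore_backup": {"platform-admin"},
    "read_audit_log": {"security-admin"},
}
MFA_REQUIRED_ROLES = {"platform-admin", "security-admin"}
# Separation of duties: no single identity may hold both sides of a conflicting pair.
CONFLICTING_ROLE_PAIRS = [({"security-admin"}, {"platform-admin"})]


def evaluate_access(user, roles, action, source_ip, mfa_passed, now=None) -> dict:
    """Return an allow/deny decision with every reason for a denial, never just the first."""
    roles = set(roles)
    reasons = []
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        ip = None
        reasons.append("unparseable_source_ip")
    # 'in' across IPv4/IPv6 returns False rather than raising, so mixed lists are safe.
    if ip is not None and not any(ip in net for net in ALLOWED_NETWORKS):
        reasons.append("source_ip_not_allowlisted")
    permitted = ACTION_ROLES.get(action)
    if permitted is None:
        reasons.append("unknown_action")
    elif not roles & permitted:
        reasons.append("role_not_permitted")
    if roles & MFA_REQUIRED_ROLES and not mfa_passed:
        reasons.append("mfa_required")
    for left, right in CONFLICTING_ROLE_PAIRS:
        if roles & left and roles & right:
            reasons.append("separation_of_duties_violation")
    return {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "roles": sorted(roles),
        "action": action,
        "source_ip": str(ip) if ip is not None else source_ip,
        "mfa": bool(mfa_passed),
        "decision": "allow" if not reasons else "deny",
        "reasons": reasons,
    }


def to_log_line(event: dict) -> str:
    """One JSON object per line: the shape log management and SIEM tools ingest directly."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))
```

Denied requests are logged with the same structure as allowed ones; a SIEM rule that fires on `"decision":"deny"` together with `snapshot_vm` or `migrate_data` gives the monitoring of snapshot tooling the text asks for.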
Long-term resiliency of the encryption system
Gartner recommends that businesses understand the impact of encryption on applications and on database indexing, searching and sorting. They should pay specific attention to advanced searching capabilities, such as substring matching functions and wildcarding such as "contains" or "ends with".
If the encryption vendor offers options for "function preserving encryption", for example encryption that preserves sort order, regulations may require the use of standardised and approved algorithms, or proof of independent certification, because such schemes are potentially weaker than conventional encryption.
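The trade-off in this section, that every query function preserved over encrypted data is also information leaked to the provider, is concrete in the following added example. It is not from the Gartner note or any vendor product: a keyed, deterministic "blind index" (an HMAC of the normalised value) answers exact-match queries over an encrypted column, a per-trigram index extends that to "contains", and the `shared_trigram_tokens` and `duplicate_groups` functions show what the storage provider can compute from those indexes without ever holding the key. The row layout, function names and sample e-mail addresses are constructed for the example; the encrypted column is an opaque placeholder since the point is the index, not the cipher.

```python
import hashlib
import hmac
import secrets


def _normalize(value: str) -> str:
    # Normalise before indexing, or exact-match lookups silently miss "Alice@..." vs "alice@...".
    return value.strip().casefold()


def _token(index_key: bytes, text: str) -> str:
    return hmac.new(index_key, text.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def exact_index(index_key: bytes, value: str) -> str:
    """Deterministic token: equal plaintexts give equal tokens; nothing else is preserved."""
    return _token(index_key, _normalize(value))


def trigram_index(index_key: bytes, value: str) -> frozenset:
    """One token per 3-character window: supports 'contains' at the cost of extra leakage."""
    v = _normalize(value)
    return frozenset(_token(index_key, v[i:i + 3]) for i in range(len(v) - 2))


def make_row(row_id: int, index_key: bytes, email: str) -> dict:
    """Row as stored at the provider: indexes plus ciphertext, never the plaintext."""
    return {
        "id": row_id,
        "email_exact": exact_index(index_key, email),
        "email_trigrams": trigram_index(index_key, email),
        "email_ct": secrets.token_hex(24),  # stand-in for the encrypted value
    }


def search_exact(rows, index_key: bytes, term: str) -> list:
    tok = exact_index(index_key, term)
    return [r["id"] for r in rows if r["email_exact"] == tok]


def search_contains(rows, index_key: bytes, fragment: str) -> list:
    # Candidates only: a row containing all the fragment's trigrams in some other order is a false positive.
    needles = trigram_index(index_key, fragment)
    if not needles:
        raise ValueError("fragment must be at least 3 characters for a trigram index")
    return [r["id"] for r in rows if needles <= r["email_trigrams"]]


def shared_trigram_tokens(row_a: dict, row_b: dict) -> int:
    """Computable by the provider WITHOUT the key: how similar two plaintexts are."""
    return len(row_a["email_trigrams"] & row_b["email_trigrams"])


def duplicate_groups(rows) -> dict:
    """Also key-free: which rows hold the same value, and how many of them."""
    counts = {}
    for r in rows:
        counts[r["email_exact"]] = counts.get(r["email_exact"], 0) + 1
    return {tok: n for tok, n in counts.items() if n > 1}
```

The exact index leaks only equality, which is usually tolerable; the trigram index is what lets an application keep its "contains" search after encryption, and it is exactly the kind of function-preserving option the text says regulators may want independently assessed, because the provider can now measure plaintext similarity and frequency across the whole column.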