While there has been extraordinary growth in the cloud vertical in the last few decades, one area that concerns many who want to move their business operations to the cloud is cloud security. With data breaches increasing by the day, businesses need to pay close attention to data security. After all, privacy and security challenges are real, and businesses need to address the issue to keep their proprietary content safe.
So, what should businesses do to counter the challenge?
You need to encrypt your data to keep it safe. Yes, data encryption is the bare minimum that businesses need to look at seriously if they want to keep their company information safe and secure.
But when it comes to encryption in the cloud or cloud encryption, it can get confusing for small and mid-size businesses because numerous options are available. To keep your proprietary content safe, you need reliable data encryption solutions for the cloud.
Businesses, therefore, need to know the challenges of cloud security. Let us take you through why on-premises security is not enough and which security issues to consider.
On-premises security isn't enough
Encryption is not a new technology. In the past, encrypted data sat on company servers on premises, with the company in direct control of its data. That is no longer the norm: most business applications hosted in the cloud involve third-party vendors. You therefore either need a cloud provider that lets you encrypt your data before you send it to the cloud for storage or processing, or a software-as-a-service (SaaS) provider that manages encryption and decryption on your behalf.
Companies do not always have a choice. Some CRM applications, for example, rely on TLS (Transport Layer Security) to protect data in transit from the user's browser or servers to the web application. Some cloud storage services let users set up a secure link between their own network and the storage service. Once the data reaches the cloud provider's servers, the provider encrypts it to protect it at rest. The caveat is that in this model the provider generates and holds the keys, so the provider, and anyone who compromises it, can still read the data.
However, one of the challenges for IT managers in the cloud is managing the encryption keys. According to Cortney Thompson, CIO at Green House Data, the encryption key must be kept separate from the encrypted data for the data to stay secure.
“One area we caution our healthcare clients to watch out for is the storage and use of encryption keys,” Thompson says. “They often store the keys in the same location as the data itself.”
Keys are also exposed while an application holds them in memory for use, so keep that window as short as possible. Store encryption keys on a separate server or storage block from the data they protect, keep a backup of every key in an offsite location in case of eventualities, and test-restore that backup every couple of months rather than merely confirming it exists. “Encryption keys also need to be refreshed regularly,” adds Thompson. “This is often forced on companies as the key itself is set to expire automatically, but other keys need a refresh schedule. Consider encrypting the keys themselves (though this leads to a vicious circle of encryption on top of encryption). Finally, give master and recovery keys multi-factor authentication.”
According to Vic Winkler, a cybersecurity and information security consultant, not all of your corporate data requires encryption, and not all of your users need the same level of access. Companies need to classify their information and decide which of it must be encrypted and which can safely be stored in plain text.
To protect your important data, you can segregate it using software-as-a-service applications that encrypt data automatically within the application. Store the data in a way that does not disrupt the business processes that depend on it.
As the officer in charge of security, you must protect company information in all three states: in transit, in use, and at rest. According to Winkler, companies do a good enough job of protecting data in transit with TLS, but protection of data at rest and in use still needs improvement.
Data at rest needs protection too, and the best way to provide it is to encrypt sensitive data at the moment it is created. Data encrypted on creation stays protected wherever it is later stored, in a local data center or in the cloud. Winkler compares application security to a layer cake: as data moves up through the application's layers, the protection applied below must move up with it rather than being stripped away at a higher layer.
According to Manny Landron, senior manager of security and compliance at Citrix, with the rise in mobile applications, businesses should consider letting their service provider manage the encryption keys rather than managing them in-house. The trade-off, he says, is that data encrypted before it is uploaded to a cloud storage provider is useless when it is later downloaded to a mobile or remote device that does not hold the key. The problem is compounded when you need to share data with a business partner but do not want to hand over the decryption keys.
Managing keys yourself also makes key rotation and destruction more complex. A third-party proxy provider can add another layer of protection by keeping the keys separate from the encrypted data held at the cloud service provider.
According to Landron, companies should ask their service providers and SaaS partners which protocols they use for data transmission. After the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack in 2014, SSL (Secure Sockets Layer) fell out of favor: POODLE lets a network attacker force a connection down to SSL 3.0 and then decrypt it a byte at a time by abusing that version's CBC padding check. The fix is not simply to "use TLS" but to disable SSL 3.0 outright on both ends and negotiate only TLS, preferably 1.2 or later; SSL 3.0 was formally deprecated in RFC 7568, and TLS 1.0 and 1.1 in RFC 8996.
Beyond key management, businesses need to understand that a data breach hurts them more than it hurts the service provider. Whoever is at fault, you or your cloud service provider, the law holds the owner of the data accountable, so protecting it remains your responsibility. That is why the Cloud Security Alliance, in its Security Guidance for Critical Areas of Focus in Cloud Computing, recommends that sensitive data be:
- Encrypted with approved algorithms and long, randomly generated keys.
- Encrypted before it leaves the enterprise for the cloud provider.
- Kept encrypted at all times: in transit, at rest, and in use.
- Protected by decryption keys that the cloud service provider and its staff never have access to.
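Thompson's advice to keep keys away from the data, to refresh them on a schedule and to encrypt the keys themselves, together with the CSA recommendations just listed (encrypt before upload, never hand keys to the provider), is what envelope encryption delivers in practice. The following Go program is an added example written for this page, not code from the article or from any vendor it mentions: the in-memory KeyStore is a hypothetical stand-in for an HSM or KMS, the key names are made up, and the sample record is constructed. Each object gets its own data key (AES-256-GCM), that key is wrapped under a key-encryption key (KEK) that never leaves the key store, and the provider receives only the record. Rotating the KEK re-wraps the small data key without re-encrypting the data, and retiring a KEK shows why a lost key means lost data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EnvelopeRecord is the only thing handed to the cloud provider: the data sealed
// under a per-object data key (DEK) plus that DEK "wrapped" under a KEK that
// never leaves the separate key store, so the provider can decrypt neither.
type EnvelopeRecord struct {
	KEKID      string // which KEK wrapped the DEK; lets old records be re-wrapped
	WrappedDEK []byte // DEK sealed with the KEK, with KEKID bound in as AAD
	Ciphertext []byte // data sealed with the DEK (nonce || ciphertext || tag)
}

// KeyStore stands in for the HSM or KMS kept apart from the data (hypothetical in-memory version).
type KeyStore struct {
	keks    map[string][]byte
	current string
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

// mustRandom panics if the OS CSPRNG fails; there is no safe fallback for that.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// Rotate installs a fresh 256-bit KEK and makes it current; older KEKs stay
// until every record wrapped under them has been moved (see Rewrap).
func (ks *KeyStore) Rotate(id string) { ks.keks[id], ks.current = mustRandom(32), id }

// Retire destroys a KEK. Records still wrapped under it are unrecoverable,
// which is the "lost key" failure the text warns about.
func (ks *KeyStore) Retire(id string) { delete(ks.keks, id) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealWith is AES-256-GCM with a random 96-bit nonce prepended to the output.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; tampering with the blob or the AAD fails the tag check.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, fmt.Errorf("sealed blob too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// unwrap recovers the DEK with whichever KEK the record names.
func (ks *KeyStore) unwrap(r *EnvelopeRecord) ([]byte, error) {
	kek, ok := ks.keks[r.KEKID]
	if !ok { return nil, fmt.Errorf("KEK %q is no longer available", r.KEKID) }
	return openWith(kek, r.WrappedDEK, []byte(r.KEKID))
}

// Encrypt runs on the enterprise side, before upload: fresh DEK per object,
// object sealed with the DEK, DEK wrapped with the current KEK.
func (ks *KeyStore) Encrypt(plaintext []byte) (*EnvelopeRecord, error) {
	dek := mustRandom(32)
	ct, err := sealWith(dek, plaintext, nil)
	if err != nil { return nil, err }
	wrapped, err := sealWith(ks.keks[ks.current], dek, []byte(ks.current))
	if err != nil { return nil, err }
	return &EnvelopeRecord{KEKID: ks.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK, then opens the data with it.
func (ks *KeyStore) Decrypt(r *EnvelopeRecord) ([]byte, error) {
	dek, err := ks.unwrap(r)
	if err != nil { return nil, err }
	return openWith(dek, r.Ciphertext, nil)
}

// Rewrap moves a record onto the current KEK without re-encrypting the data itself.
func (ks *KeyStore) Rewrap(r *EnvelopeRecord) error {
	if r.KEKID == ks.current { return nil }
	dek, err := ks.unwrap(r)
	if err != nil { return err }
	wrapped, err := sealWith(ks.keks[ks.current], dek, []byte(ks.current))
	if err != nil { return err }
	r.KEKID, r.WrappedDEK = ks.current, wrapped
	return nil
}

func main() {
	ks := NewKeyStore()
	ks.Rotate("kek-2024-q1")
	fmt.Println(ks.Encrypt([]byte("constructed sample record")))
}
```

The "vicious circle" Thompson mentions stops at the KEK: it is the one key that has to be protected by other means (an HSM, a KMS whose administrative access needs multi-factor authentication, an offline backup), and binding the KEK id into the wrapped key as AAD stops a record from being silently pointed at a different key. Rotation then costs one small re-wrap per record rather than a re-encryption of every byte held in the cloud.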
Here are some of the top cloud data security challenges that businesses need to be careful about:
Data breach – In the cloud you do not control the physical hardware or the network, and a misconfigured or vulnerable cloud environment can be targeted by attackers to compromise company information. Data encryption, tokenization and threat prevention tools limit what an attacker can take.
Data loss – Data stored in the cloud is easy to lose if you do not know how to protect it. With many users working in the same cloud environment, accidental file deletion, personal devices without passwords and password sharing can all destroy or expose data. Disaster recovery tools and dedicated backup systems limit the damage from both accidents and malicious attacks, and both the network layer and the application layer need protecting.
Insider threat – Your own employees can also threaten the security of your data. Poor security awareness, phishing (clicking a malicious link sent by email) and employee blackmail can all compromise sensitive information. Train your staff, and combine identity management with automated, least-privilege provisioning and removal of user access so that no single account can reach more than it needs.
DDoS attacks – Distributed denial of service (DDoS) attacks flood web servers with more traffic than they can handle, rendering a website unusable for hours or even days. Defending against DDoS is harder in the cloud because the platform is built on virtualization and shared, distributed resources, so one tenant's flood can affect others. A successful attack costs revenue, brand authority and customer trust.
API security – Application programming interfaces (APIs) are the interfaces through which cloud-based applications connect to one another. Because each API call carries credentials and grants direct access to the application behind it, APIs are a prime target, and the more APIs you expose, the larger the attack surface.
Authenticate and authorize every API call, and protect API traffic with TLS rather than the deprecated SSL protocols discussed above.
Disaster recovery – Natural disasters or power outages can cut an organization off from its infrastructure for minutes or even hours. During that time the organization has no control over its most critical data: employees cannot reach systems or tools, and no data can be transmitted while the outage lasts. Put a disaster recovery strategy in place and review the resilience and security options your cloud provider offers.
Security issues to consider
Encryption in the cloud should not be viewed as the silver bullet in data security. As an organization, you need a data security plan for cloud encryption.
Here are some security issues to consider when encrypting cloud data.
The first issue is the key itself, or the password it is derived from. If you lose the key after encrypting data in the cloud, the data is, by design, unrecoverable, which is why keys need the offsite backup and recovery arrangements described earlier. Passwords bring a second problem: people choose common words that are easy to guess, so derive keys from long, random secrets rather than memorable words.
Another cloud encryption issue is that it gives a false sense of security. It is widely assumed that encrypted data cannot be breached because of the complex processes and procedures behind it. But data security is a broader problem with no perfect solution, and as an organization you should not treat cloud encryption as the be-all and end-all of security.
The other thing to keep in mind is that encryption depends on cooperation. If an employee shares a file that must stay confidential, the file has to be encrypted before it is sent; skipping that step creates an opening for a breach. Everyone in the organization needs training so that the process is followed consistently, which is what encryption needs to succeed.
eServe offers reliable cloud-based encryption for business of all sizes, types and geographic locations. From our physical data center to the cloud, eServe helps organizations remain protected and in control. Contact us to learn more about our comprehensive solutions.