Until a decade ago, encryption was only a nice-to-have security measure for most enterprises. But over the last decade, there have been increasing numbers of data breaches stemming from unencrypted sensitive data. With data and workloads moving to the cloud at an accelerated pace, managing and securing sensitive data has become more complex. As organisations migrate their sensitive data to the cloud, cloud data encryption (CDE) is becoming increasingly critical.
The recent Forrester report “Best Practices: Cloud Data Encryption” highlights the reasons why it is critical to encrypt cloud data. In this blog we will cover some of these critical reasons as highlighted by Forrester, and point out some of the best practices and strategies for securing data, integrating CDE into applications and simplifying operations.
Why is it critical to encrypt your cloud data?
These are some of the key reasons highlighted by Forrester:
- Migrating workloads to the cloud without data protection is challenging.
Most enterprises do not have a reliable way to separate sensitive data from non-sensitive data and feel they need to encrypt all kinds of data, structured as well as unstructured, before moving it to the cloud. The recent spate of cloud data breaches has only made these organizations more hesitant to move unencrypted data to the cloud.
- Data privacy compliance and audit requirements are getting stronger and more pervasive.
Most companies are subject to stringent privacy regulations such as PCI-DSS, GDPR, CCPA, GLBA and HIPAA. Earlier, these requirements were addressed by storing data in air-gapped, on-prem systems, which is simply not possible in cloud environments.
- Multicloud deployments are dispersing data to multiple locations requiring a multicloud data security strategy.
Multicloud deployment means that your data is in too many places: AWS, Azure, GCP, Salesforce, SAP and so on. This in turn leads to a lack of full visibility into your data and requires heavy administrative support to manage and control data migration.
- Customer-owned key management is still problematic with legacy, on-prem, commercial off-the-shelf (COTS) apps.
Many organizations continue to use legacy, on-prem, commercial off-the-shelf (COTS) apps. When it comes to migrating these to the cloud, they rely entirely on ISVs, who simply move the on-prem app to the IaaS platform without any rewriting or refactoring. This is problematic for customer-owned key management, as these old COTS apps have no concept of BYOK.
Cloud Data Encryption best practices to secure data
Retain Control of Your Encryption Keys – One of the fundamental best practices of key management is to avoid storing encryption keys in the same location as the data they are used to encrypt/decrypt. For workloads containing sensitive data, it is a best practice to generate and store your encryption keys outside the cloud where the data resides, to prevent unauthorized access to key material by cloud service provider employees or through compromised cloud infrastructure. The strongest security available for cloud encryption comes from using Bring Your Own KMS (BYOKMS), also called External Key Management (EKM).
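The following Python sketch is an added illustration of the key-separation principle described above; it is not code from the Forrester report or from Fortanix. The `ExternalKms` class stands in for a customer-controlled KMS or HSM outside the cloud: it holds the key-encryption key (KEK) and exposes only wrap, unwrap and revoke operations. The cloud data store receives ciphertext plus a wrapped data-encryption key (DEK) and never sees the KEK or a plaintext DEK. To stay standard-library only, the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) rather than AES-GCM; key IDs and the sample record are constructed for the example.

```python
"""Envelope encryption with an external key manager (EKM / BYOKMS).

Added example, not vendor code. A production system would use AES-GCM or
AES key wrap from a vetted library or the KMS itself; the HMAC-based
construction here only keeps the example dependency-free.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag  # nonce || ciphertext || 32-byte tag


def _decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or wrapped key was modified")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


class ExternalKms:
    """Stand-in for a customer-controlled KMS/HSM outside the cloud (assumption)."""

    def __init__(self):
        self._keks = {}   # KEKs never leave this object
        self.audit = []   # every key use is logged centrally

    def create_key(self, key_id: str) -> None:
        self._keks[key_id] = secrets.token_bytes(32)

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        self.audit.append(("wrap", key_id))
        return _encrypt(self._keks[key_id], dek)

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id not in self._keks:
            self.audit.append(("unwrap-denied", key_id))
            raise PermissionError(f"key {key_id} is not available")
        self.audit.append(("unwrap", key_id))
        return _decrypt(self._keks[key_id], wrapped)

    def revoke_key(self, key_id: str) -> None:
        # Deleting the KEK makes every record wrapped under it unrecoverable.
        self._keks.pop(key_id, None)
        self.audit.append(("revoke", key_id))


def encrypt_record(kms: ExternalKms, key_id: str, plaintext: bytes) -> dict:
    """Generate a fresh DEK per record; only the wrapped DEK goes to the cloud store."""
    dek = secrets.token_bytes(32)
    return {"key_id": key_id,
            "wrapped_dek": kms.wrap(key_id, dek),
            "ciphertext": _encrypt(dek, plaintext)}


def decrypt_record(kms: ExternalKms, record: dict) -> bytes:
    dek = kms.unwrap(record["key_id"], record["wrapped_dek"])
    return _decrypt(dek, record["ciphertext"])


def cloud_store_leaks_plaintext(record: dict, plaintext: bytes) -> bool:
    """Does a wholesale dump of what the cloud store holds contain the plaintext?"""
    return plaintext in (record["wrapped_dek"] + record["ciphertext"])


def demo():
    kms = ExternalKms()
    kms.create_key("customer-kek-1")
    secret = b"card=4111111111111111"  # constructed sample value
    record = encrypt_record(kms, "customer-kek-1", secret)
    assert decrypt_record(kms, record) == secret
    leaked = cloud_store_leaks_plaintext(record, secret)
    kms.revoke_key("customer-kek-1")  # customer withdraws the key
    try:
        decrypt_record(kms, record)
        recoverable = True
    except PermissionError:
        recoverable = False
    return leaked, recoverable, kms.audit


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that a compromise of the cloud data store yields only ciphertext and wrapped DEKs, every decryption shows up in the external audit log, and revoking the KEK at the customer side renders the cloud copy unreadable without touching the cloud account.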
Store Encryption Keys using Hardware-Based Security – Software solutions that store encryption keys can be compromised or inadvertently exposed at multiple levels of the infrastructure. The best practice is to use either a FIPS 140-2 Level 3 validated hardware security module (HSM) or confidential computing technology with a hardware-based trusted execution environment to store keys and protect cryptographic processing.
Centralize Key Management Policies and Audit Across Multiple Clouds – With 80+% of organizations pursuing a multicloud strategy, more and more organizations are implementing data security centrally rather than using each CSP's cloud-native services. The majority of enterprises use more than one public cloud and multiple SaaS offerings. Maintaining different policies, audit systems and security controls for each cloud increases risk and cost. It is a best practice to centralize key management for all public cloud and SaaS encryption.
What are the Pros and Cons of Cloud-Native CDE vs. Multicloud CDE from a Third Party?
Pros: The primary advantage of using a multicloud CDE from a third party is that ownership of the key material always rests with the customer. Access to the keys is entirely under the customer's control. The customer also gets the ability to recover keys in case a key is deleted from the cloud, to use the same key outside the cloud, to inject the same key material into different cloud accounts, and to use the same key on-premises as well as in other clouds. It is also possible to centrally manage the policies for cloud keys, enforce policy-based approvals and export the keys.
Cons: On the other hand, with a cloud-native KMS you get the ability to provision optimal capacity, as there are no upfront costs and you can start and stop when needed. Proximity to cloud workloads also leads to improved application performance.
How to integrate Cloud Data Encryption with applications seamlessly
Design for Multicloud Data Security – Most businesses have a multicloud strategy in which applications can be spread across multiple clouds or could shift from one cloud service provider to another. In-house applications should be designed to avoid being locked into cloud-native services for data security, enabling cloud portability and mobility of applications.
REST APIs for DevOps and DevSecOps – As developers adopt a DevSecOps approach, enterprises should provide easy-to-use data security REST APIs and educate developers on how to incorporate them into in-house application development. Providing standardized secrets management, tokenization, key management and HSM services through REST APIs will reduce risk and make in-house development more efficient.
Confidential Computing – New in-house application development that involves sensitive data should make use of confidential computing technology, in which applications run in hardware-based trusted execution environments that protect data while it is in use by the application. This prevents CSP system administrators, or malicious actors with access to compromised hosts, from seeing decrypted sensitive data in the memory of the host operating system (i.e. memory scraping).
With increasing cyberattacks, the battle to defend company information and assets in the cloud is never-ending. Seamless CDE is the strongest security measure against cyberattacks. Policy controls, authentication and robust key management need to be considered as part of a seamless CDE strategy.
This is easier said than done. What is needed is a solution that’s scalable, simple to use, offers a unified experience across different cloud environments and provides virtually impenetrable security to your data, keys and secrets.
Fortanix manages data security for multiple public clouds and hybrid environments through a single platform that can scale and cluster between global sites.