Cloud Data Isn’t Lazy Data

Cloud Data Protection

Written by David Berman

Why your cloud security strategy shouldn’t rely solely on data-at-rest encryption

In our last blog post, we revealed that cloud provider “Bring Your Own Keys” (BYOK) options merely let customers keep a copy of their keys, not own the whole set of keys. In this post, we’ll look at the SaaS application environment in detail to understand why data-at-rest encryption cannot address the enterprise’s most fundamental cloud data security concerns.

Active Data

The data on which a business runs come in many different forms:

  • Structured data consisting of fields and notes on web forms and in reports
  • Unstructured data in files and attachments

But data also exist in different ‘states’:

  • Data stored on media
  • Data transported across communication lines
  • Live data within applications for processing, analytics, sharing, and use in IT tasks (e.g., Extract Transform and Load operations).

Typically, enterprises have focused on controlling internal access to structured and unstructured data while managing perimeter defenses to mitigate unauthorized external access. With the move to cloud-based applications critical to business functions like CRM, ITSM, and file sharing, enterprises need to expand their focus to pinpoint the state of data and identify the layers of cloud applications where data are most vulnerable.

Active Threats

Today’s attackers have easy access to the ‘front door’ of any public SaaS application, so they’re not concerned in the least about the protections cloud providers set up to protect data stored on media or even data resident in cloud infrastructure, such as databases. Attackers know very well that the ease of access and information delivery to legitimate cloud users creates an ideal path for unauthorized access to sensitive data. The Cloud Security Alliance and other organizations have highlighted such threats for several years:

  • Credential theft:
    Attackers can take advantage of weak password policies, lack of multi-factor authentication, phishing, and other exploits to get direct access to cloud accounts.
  • Insecure interfaces and APIs:
    Organizations often share access to these APIs with third parties, thereby increasing the risk of inadvertent data loss. Attackers also know these interfaces lack policy controls and adequate authentication, giving them a path to cloud data.
  • Account hijacking:
    Once a cloud account has been compromised, attackers can use their access to steal or manipulate data and even to initiate access to other clouds.
  • Privilege abuse:
    Administrative access to cloud data can lead to unintentional or malicious data loss.
  • Government seizure:
    Governments demand data from cloud providers while executing gag orders that prevent providers from disclosing these seizures to their customers.

These threats target data in the application and runtime layers of a SaaS application, where data is in the clear. To protect sensitive and regulated data in the cloud, organizations need a more robust approach than merely encrypting data-at-rest at the storage level or within databases.

[Table: active data, active threats, and the encryption that addresses each]

Active data facing active threats needs Active Encryption™.

Active Encryption

What enterprises need is protection of cloud data from current active threats that doesn’t disrupt operations and the processing of active cloud data. An Active Encryption™ solution to cloud data protection meets the following use cases:

  • Persistent, end-to-end protection of cloud data to ensure sensitive data is never in the clear
  • Protection methods like encryption and tokenization that preserve user interactions with cloud data, including searching, sorting, filtering, reporting, and charting
  • The ability to use protected data in automated workflows and triggers so that business process is uninterrupted
  • Securing of data accessed for bulk IT operations and third-party integrations by protecting cloud data via APIs, inbound and outbound
  • Protection of data across multiple cloud providers, not just in the storage layer of a single cloud
  • Zero-knowledge protection, ensuring that encryption keys are never shared with the cloud provider; the SaaS application only sees encrypted or tokenized data, without on-demand decryption of data by the provider

CipherCloud has solved these use cases and more for hundreds of enterprises in financial services, healthcare, insurance, and many other industries.

See for yourself. Download our Comparison Guide for a detailed comparison of CipherCloud’s Active Encryption vs. cloud service providers’ data-at-rest-only approaches.