Where Should You Encrypt Data?

Cloud

Written by Lara White

In this video, our Security Expert Willy Leichter looks at cloud security encryption vs. gateway protection.

Transcript below:

We all know there is a huge increase in the use of cloud applications and there’s also increased concerns about privacy and security of data. And as organizations are putting more and more information into the cloud, they have both legal requirements and concerns about security, privacy and how to protect that data. Now encryption has become a hot topic lately. Many cloud providers and other organizations are talking about encryption but there are also many different places and ways you can use encryptions. We’d like to explain a little bit of some of the differences between say encrypting your data and transit, encrypting it at rest, or encrypting it in use. And where is the best way to do that and who should really provide that type of encryption.

So before we talk about the best place to encrypt your data, I think it’s first important to look at what are the reasons that enterprises want to protect this data in the first place. What are they trying to accomplish by either encryption and tokenization? So, first of all, one of the most important is if it’s sensitive, regulated information. They want to make sure that they have exclusive access and control over this information, no one else. They also want to be able to protect this data against some of the common threats today at account hijacking, breaches, data loss, third party utilities that might access this information. They may have regulatory requirements. Many of our customers were subject to HIPAA or GLBA or privacy laws all around the world or a specific industry regulations. And they want to eliminate exposure to any potential insiders within a cloud provider and they also want to make sure that the cloud providers are taken out of the loop of any decisions about disclosing information. If there’s a legal subpoena for example, enterprises need to and must manage that themselves and not have cloud providers making decisions about what should be disclosed. And, finally, they want to retain persistent control over this data through the whole life cycle, from when it leaves their organization in the cloud until they get the information back. They want to maintain control.

So let’s talk for a minute about where you might want to encrypt your data. Encryption has been around for hundreds of years and frankly there’s some confusion about where is the appropriate place to encrypt data and what gives you the best protection. So the first and most familiar type of encryption is SSL, protecting the data in transit, creating a secure tunnel from your browser to the web application. This is best practiced, everyone should be doing it but it only protects a limited certain number of threats. People actually trying to break into that tunnel and steal your data while it’s in the clear. Now in the other side, many cloud providers are offering to encrypt the data when it’s at rest. So on their servers, stored in their data centers, they will encrypt the data. So if someone breaks in, steals a hard drive, it will be protected. Again this is a good idea, best practiced, but both of these miss what we like to call the issues of data in use. And this is where frankly most of today’s threats that people are worried about to occur. In fact the cloud security alliance points out that many of the current threats that people are worried about include account hijacking, forced disclosures, data breaches, malicious insiders, insecure APIs. None of these are addressed by protecting the tunnel or by just protecting the servers. So this requires an additional layer of security encryption or tokenization that is controlled by an organization to really keep everyone in the middle, away from your data.

I mentioned account hijacking, let me give you a recent example. The recent Dyre Malware has been found to be both attacking banking sites which is to be expected. Those are often common targets. As well as attacking cloud applications themselves such as Salesforce or Office or things like that. Now the challenge here is that these were not exploiting flaws within the cloud applications, instead they’re going into using fishing attacks, Trojans to steal your username and password. And if you’ve stolen the username and password you walk right in the front door and you have access to all of this data. So this is just one example of where you really need additional layers of security to be certain that no one else can access that data even if they’ve stolen your credentials.

Let me show you a quick diagram just to illustrate what we’ve been talking about here. So on top we have a diagram of both using SSL encryption to protect the tunnel as well as the cloud provider encrypting data at rest. So you can see the server where data is encrypted, the keys used for that encryption are actually maintained by the cloud provider. Now the challenge here is we protected the data on both ends but in the middle there is still lots of people, processes, external people that may have access to that data. So this is really the challenge we’re trying to solve. So though we’re encrypting data on both ends, we’re still missing most of our vulnerabilities. Now let me show you the, by comparison, what Cipher Cloud is able to do when we encrypt, when we use our gateway to protect your data. So here you can see we are applying encryption or tokenization at the edge of your organization. You keep the keys, everything downstream is protected. And this keeps all of these other threats, all of these potential insiders from accessing your data. It protects in across the board, in transit, in use, and at rest. And very importantly, if someone wants to access that data, they have to come to you. There can’t be any forced disclosure, any hacking, any account hijacking, any of those things are useless because they won’t have access to the keys.

The last point I made about keys is really central to the value we add and how we recommend the people protect their data. So whenever anyone talks about encryption, the first question you should ask is, who has the keys? Where are they maintained? Who can possibly access those keys? I like the analogy if you lock your front door of your house and leave the keys on the lock, you’re kind of defeating the purpose of having a lock. So for real security you need to keep the keys, not share your keys and you make all the decisions about who you let in the door and not. And in fact this is echoed by many of the analysts in the industry. You can see Gartner recommends that you should always separate the key management, the holders of the keys should be separated from the cloud provider. CSA also recommends that you segregate this duty so that you have a separation of security between yourself and the cloud provider. And, in fact, the PCI guidelines also recommend and specify if you’re using encryption, the key management is critical to that and you have to separate that responsibility in order for the encryption to be effective.

Thanks for your time. If you have any questions please go to our website, www.ciphercloud.com.