Three Critical Expectations for Data Encryption in the Cloud

Best Practices, Technology

Written by Michael Higashi



By now, we’re all aware that data encryption in the cloud is key to securing your enterprise’s sensitive and confidential data and to remaining in compliance with data privacy and residency regulations worldwide. Encryption isn’t a yes-or-no decision, however. Once you’ve committed to encrypting your data, you must then work out how to encrypt it, to what extent, and which data needs it at all. Keep these three expectations in mind as you develop your cloud encryption strategy.

3 Critical Expectations for Encryption in the Cloud

  1. A variety of options for encryption and its application
    Not all your data requires encryption in the cloud, nor should it all be encrypted: encrypting everything is a vast, expensive, and ultimately counterproductive undertaking. Nor should all your data be encrypted in the same way. What works for names may not work as well for Social Security numbers, and, for functionality’s sake, credit card numbers may need their format preserved in ways that address information does not (a 16-digit card number that stays 16 digits long, with the last four digits intact, keeps downstream validation and customer-service lookups working). Your cloud encryption solution should therefore offer a variety of options. These might include:

    • Index tokens and one-time pads, which replace a value with a cryptographic token looked up from an index, or encrypt and decrypt it under a randomly generated key that is used only once;
    • Strong cryptography, which the PCI DSS defines as cryptography based on “industry-tested and accepted algorithms,” for example AES, used with strong key lengths and proper key-management practices.
  2. Data storage life cycle management
    Encryption in the cloud can only be considered truly secure and effective if it persists throughout the life cycle of the data stored there. But when a third-party cloud service provider (CSP) holds the data, how can you really know that life cycle? Uncertainty about archiving, backups, and timely deletion, whether on your schedule or at your request, makes the life cycle of cloud-stored information hard to pin down. The way around this is to make sure that, however long your data lives in the cloud, your organization alone holds the keys to it and is therefore the only party that can read it. Then, when the time comes to destroy the data, all you need to destroy is the key. Deleting that key “digitally shreds” the data, as Computer Weekly points out, rendering it useless to prying eyes no matter how long copies of it persist in the cloud. Two conditions make this work in practice: every copy of the data, backups and archives included, must have been encrypted under keys you control before it reached the CSP, and destroying the key must also destroy every backup or escrow copy of that key. A key the CSP can still recover has not been destroyed.
  3. Data access control
    As researchers discuss in the International Journal of Engineering and Advanced Technology, storing data in the cloud brings security risks, since “the cloud data can be accessed by everyone,” and “a prevention measure is needed to secure the data from unauthenticated users or intruders.” Encryption alone may not fully mitigate these risks, either, since any CSP insider who holds the encryption key can read the data.
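As an added example that is not part of the original post, the following Go program shows items 1 and 2 together: strong cryptography (AES-256-GCM with a fresh key per record) and the key-destruction, or “digital shred”, approach to life-cycle management. It uses envelope encryption: each record is encrypted under its own data-encryption key (DEK), which is in turn wrapped under a key-encryption key (KEK) that never leaves the customer. The in-memory `KeyStore` stands in for a customer-held KMS or HSM, the `tenant-a` key name and the `ssn=...` field are constructed sample values, and the function names are the example’s own, not any provider’s API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for the customer's own KMS or HSM holding key-encryption keys (KEKs);
// the provider never receives a KEK. Record is what the provider stores: ciphertext plus
// the per-record data key (DEK) wrapped under a KEK, both opaque without that KEK.
type (
	KeyStore map[string][]byte
	Record   struct{ Ciphertext, WrappedDEK []byte }
)

// newKey draws a 32-byte (AES-256) key from the OS CSPRNG. Encrypt calls it once per
// record, so no record's key ever protects another record.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prepends a fresh random nonce (never reused under one key) to the AES-GCM output.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal strips the nonce and authenticates before decrypting; a tampered blob fails here.
func unseal(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Destroy is the "digital shred": with the KEK gone, every record wrapped under it is
// unrecoverable however many backups of the ciphertext the provider still holds.
func (ks KeyStore) Destroy(id string) { delete(ks, id) }

func Encrypt(ks KeyStore, kekID string, plaintext []byte) (Record, error) {
	kek, ok := ks[kekID]
	if !ok {
		return Record{}, errors.New("unknown KEK " + kekID)
	}
	dek, err := newKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, err
}

// Decrypt fails closed once the KEK is destroyed: the DEK can no longer be unwrapped.
func Decrypt(ks KeyStore, kekID string, r Record) ([]byte, error) {
	kek, ok := ks[kekID]
	if !ok {
		return nil, errors.New("KEK " + kekID + " destroyed: record is cryptographically shredded")
	}
	dek, err := unseal(kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, r.Ciphertext)
}

func main() {
	kek, _ := newKey()
	ks := KeyStore{"tenant-a": kek}
	rec, _ := Encrypt(ks, "tenant-a", []byte("ssn=123-45-6789")) // constructed sample field
	ks.Destroy("tenant-a") // end of life: destroy the key, not the scattered copies
	_, err := Decrypt(ks, "tenant-a", rec)
	fmt.Println("after shred:", err)
}
```

Once `Destroy` removes the KEK, `Decrypt` fails on every record wrapped under it, regardless of how many copies of the `Record` the provider keeps. The same property is what makes the caveat in item 2 bite: if a copy of the KEK survives anywhere, in a backup of the key store or in escrow, nothing has been shredded.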

Summing It All Up

But insider threats aren’t limited to CSP employees. They can come from within your own organization, too, as Edward Snowden aptly demonstrated earlier this year. Fully securing your data involves more than encryption in the cloud and more than keeping your encryption keys out of the CSP’s hands. You must also ensure that whoever can use the encryption keys inside your own organization is justified in that access. For that reason, a strict and granular data access control policy is a must: key use should be authorized per role, logged, and kept separate from administration of the storage itself, so that no single person can both reach the ciphertext and unlock it.

As you look for ways to implement effective encryption in the cloud to secure your data and ensure regulatory compliance, make sure your cloud information protection program includes these three attributes. Without them, your data is about as safe as a fortune stored in a vault to which too many people have the keys. That is to say, not safe at all.

What do you look for in a cloud data protection solution? Let us know in the comments.
