To eliminate risks associated with limited or defective cloud provider security, businesses are being forced to consider different security constructs, in particular embedding security into the object (data) itself. This approach renders security portable and helps reduce or even eliminate concerns about the integrity of the infrastructure where the data is being housed. It also provides more flexibility by allowing companies and their employees to use the cloud storage service that best suits their needs.
The most fundamental element of this approach is to encrypt the content. Without encryption it's next to impossible to protect the data from various snooping techniques. However, in order to be effective, the encryption system must satisfy four core requirements.
1. Encryption must be applied to the content, not to the container. Examples of container-based encryption are disk-based (that is, encrypt anything written to a disk drive), or IPsec VPNs (encrypt anything pushed into a virtual tunnel). Applying encryption to the content involves applying cryptography directly on a file or other data object at the source.
2. Encryption must be end-to-end, meaning it must be applied as the content is created and prepared for transmission to the cloud, and remain in place until the content is opened by an authorized recipient. If any of these elements is missing, security gaps and vulnerabilities will exist.
3. Encryption must be properly implemented. Even with the recent NSA revelations, there is no evidence that core encryption technologies are vulnerable. What is clear however is that if encryption is not properly configured, or if weaker options are used, data privacy cannot be guaranteed.
4. Key management must be both secure and operationally viable. It is a well-known fact that key management is the most difficult aspect of implementing encryption. Carefully research the operational workings of the technology chosen, and ask to speak privately to other companies who have used the candidate products.
Beyond encryption, content-based security can include a variety of other controls. Documents can be given an "end of life", or timeframe beyond which the content can't be opened. Modification and access to the file can be logged and reported back to the owner. Also, encryption key adjudication can be used to unlock content under emergency conditions, without the consent of the document owner. This can be critical during a security investigation, or if someone leaves the organization.
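As an added illustration of requirements 1 to 4 and of the "end of life" control above (example code written for this page, not from the article or any product it describes), the following Go program encrypts a single data object at the source with AES-256-GCM and binds an expiry timestamp into the authenticated blob, so that neither the content nor its end-of-life can be altered without detection. The blob layout, function names and the choice of AES-GCM are this example's own assumptions; the key is supplied by the caller and never leaves the client.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Blob layout (assumed for this example): 8-byte expiry (unix seconds, big-endian) | 12-byte nonce | AES-GCM ciphertext+tag.
// The expiry rides along as authenticated associated data, so it cannot be altered or stripped undetected.
const hdrLen, nonceLen = 8, 12

var ErrExpired = errors.New("content is past its end-of-life")

// NewContentCipher builds the AEAD from a key the owner controls; the key never leaves the client.
func NewContentCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealContent encrypts one data object at the source, before it leaves for the cloud, and binds its end-of-life into the blob.
func SealContent(gcm cipher.AEAD, plaintext []byte, expires time.Time) ([]byte, error) {
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint64(hdr, uint64(expires.Unix()))
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per object
		return nil, err
	}
	return gcm.Seal(append(hdr, nonce...), nonce, plaintext, hdr), nil
}

// OpenContent authenticates first and enforces end-of-life second: a tampered or expired object yields no plaintext at all.
func OpenContent(gcm cipher.AEAD, blob []byte, now time.Time) ([]byte, error) {
	if len(blob) < hdrLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	hdr, nonce, ct := blob[:hdrLen], blob[hdrLen:hdrLen+nonceLen], blob[hdrLen+nonceLen:]
	pt, err := gcm.Open(nil, nonce, ct, hdr)
	if err != nil {
		return nil, errors.New("authentication failed: wrong key or modified content")
	}
	if !now.Before(time.Unix(int64(binary.BigEndian.Uint64(hdr)), 0)) {
		return nil, ErrExpired
	}
	return pt, nil
}
```

With random 96-bit nonces, a single key should not protect more than on the order of 2^32 objects; rotating keys per tenant or per project keeps that bound comfortable and is where the key-management work of requirement 4 actually lands.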
The onslaught of cloud and BYOD is forcing organizations to rethink and retool data security systems to regain control. By attaching security to the content, it's possible to secure and audit data in the cloud regardless of the cloud-based storage and collaboration service being used.