As business regulations and information security expand at an asymmetrical pace, corporate executives end up facing privacy and security challenges they do not have the knowledge or experience to address. While baseline encryption technology is the cornerstone of security, encryption in the cloud can be daunting. With so many different types of encryption available, small to midsize businesses (SMBs) find this approach inviting yet very confusing. We’re breaking down what business owners need to know about cloud encryption.
Cloud encryption explained
SMBs now have access to the same computing power and storage space as multinational corporations for mere dollars a month, thanks to the cloud. You no longer need to spend a small fortune on computer equipment, software and IT teams to maintain it all. But is your data safe? And how can you make it safer? This is where encryption comes in.
Cloud encryption transforms plaintext data into data that is completely indecipherable (called ciphertext). This means if a cybercriminal manages to hack into your email or web traffic, what they’re left with is useless to them. They have the data, but not the key that would turn the gibberish back into usable information.
Encryption is hardly a new technology, but historically, encrypted data was stored on servers that resided on premises, over which the company had direct control. Now that many of today’s popular business applications are hosted in the cloud, business owners have three options: rely on contract language to protect their assets, select a cloud provider that allows the customer to encrypt the data before it is sent to the cloud for storage or processing, or partner with a software-as-a-service (SaaS) provider that manages the encryption and decryption of the corporate data.
Gartner predicted cloud services end-user spending would reach $397 billion in 2022, with SaaS applications accounting for the largest share of the market.
Data protection explained
Data exists in three different states: in transit, in use and at rest.
- Data in transit: This is data traveling from one place to another – for example, from a hard drive to a cloud server or an attachment sent by email or to a Slack channel.
- Data in use: This is data that is currently being read, accessed, erased, processed, changed or updated on a computer system.
- Data at rest: This is data stored in the cloud or on a logical or physical medium. Examples include documents stored on hard drives or flash drives, records in databases, and files on servers that are not being accessed.
Not all corporate data requires encryption, and not all users have the same need to access data, said Vic Winkler, a cybersecurity and information security consultant. It is essential for businesses to create rules that identify which information needs encryption and which data can be stored safely in plain text. Winkler said segregating data using SaaS applications that automatically encrypt the data within the applications can go a long way toward ensuring important data is protected. The protection must also be applied in a way that does not disrupt the company’s business processes.
Data that does require encryption can be in any of the three states, but protecting data at rest is particularly essential, Winkler said. The best choice is to encrypt sensitive data when it is created so that when it is stored in a data center, whether locally or in the cloud, it will be protected.
It would take two seconds for a brute-force attack to crack a 12-character password made up only of digits, according to research from Hive Systems. If a 12-character password contained numbers, upper- and lowercase letters, and symbols, it would take 3,000 years to crack.
Using cloud encryption keys
Cloud encryption relies on keys that scramble data to prevent bad actors from accessing it. Only those with access to the keys are able to decode the information. There are two types of encryption: symmetric encryption, where the same key is used to encrypt and decrypt data, and asymmetric encryption, where a public key that anyone can see encrypts the data and a private key that only you hold decrypts it.
Symmetric encryption is faster, whereas asymmetric encryption is more secure. If an organization loses or destroys its access key, its data may be unrecoverable, which is a big problem to consider when using this security method. The Cloud Security Alliance advised sensitive data be encrypted for data privacy with approved algorithms and long, random keys; encrypted before it passes from the enterprise to the cloud; and remain encrypted in transit, at rest and in use.
Also, the data should remain encrypted up to the moment of use. Both the decryption keys and the decrypted versions of the data should be available in the clear only within a protected transient memory space.
If you’re in charge of setting the passphrase that protects an asymmetric private key, make it as strong as possible. User-chosen key passphrases can be cracked by cybercriminals in the same way that traditional usernames and passwords for logging on to corporate IT networks can be guessed.
Cloud encryption recommendations
Given that cloud encryption is one of the most important security measures a business can take, here are some things to keep in mind.
1. Treat data security as a joint venture between your company and your cloud provider.
Although every reputable cloud service provider (CSP) offers basic security, including encryption, cloud users should implement additional measures to ensure data security. Treat your relationship with your CSP as a partnership where they monitor and respond to infrastructure security and you take additional steps to protect data and assets you store in and transmit to the cloud.
Adding additional layers of encryption to your CSP’s encryption is a start. Other valuable undertakings include the following.
- Multifactor authentication: This is when you need to use two or more pieces of identification to log in, similar to how some online banks now text or email a code to verify your identity on the other end.
- Microsegmentation: Restricting access to data by permission level and use minimizes damage and theft in the event of a breach. For example, it makes sense to give a low-level employee access to only the data and apps they need to do their job. If someone broke in using that staffer’s credentials, the havoc they could wreak would be relatively limited.
- Network monitoring: Use web traffic monitoring apps to detect suspicious usage like unauthorized port access and unusual user access patterns.
2. Manage your encryption keys separately from your data.
Separating the encryption key from the encrypted data is essential in keeping data secure.
“One area we caution our healthcare clients to watch out for is the storage and use of encryption keys. They often store the keys in the same location as the data itself,” said Cortney Thompson, CIO of data center and managed services provider Lunavi. If your data is compromised, your key would be too, which is why it’s more secure to keep them separate.
Additionally, businesses should keep a backup of all keys in an offsite location in case of disaster and audit that backup every couple of months. “Encryption keys also need to be refreshed regularly. This is often forced on companies as the key itself is set to expire automatically, but other keys need a refresh schedule,” said Thompson. “Consider encrypting the keys themselves, though this leads to a vicious circle of encryption on top of encryption. Finally, give master and recovery keys multi-factor authentication.”
Manny Landrón, principal consultant of information security at Aligned Technology Group, argued that cloud service providers or third-party proxy providers should manage a company’s encryption keys rather than the business’s in-house IT department. If data is encrypted before being uploaded to a cloud storage provider and that data is then needed on a mobile or remote device that does not already have the decryption key, the resulting download will be useless encrypted data. This becomes exacerbated when a company tries to share data with a business partner, but does not want the partner to have direct access to decryption keys.
Key rotation and destruction also become more complex when a company is managing its own keys for what can entail millions of files. A third-party proxy provider can add a layer of protection by keeping the keys separate from the encrypted data at a cloud provider. This may not be ideal for all businesses, however, because it adds another layer of complexity as well as the additional cost of a second third-party provider for the company.
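The pattern behind the key-type discussion above and the advice to keep keys apart from data is envelope encryption. As an added example (not code from the article or from any provider named in it), the Go program below uses only the standard library: the fast symmetric step (AES-256-GCM) seals a file before it leaves the enterprise, the asymmetric step (RSA-OAEP) wraps the small data key so it can be stored, backed up and rotated apart from the ciphertext, and RewrapKey shows why rotating the wrapping key pair stays cheap even across millions of files. The function names, the Envelope type and the key pair a caller supplies are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is all that is uploaded to the cloud: nonce and ciphertext, never a key.
type Envelope struct{ Nonce, Ciphertext []byte }

// newGCM builds AES-GCM; a wrong-sized key is a programming error, so it panics.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// EncryptFile seals data under a fresh AES-256 key (the fast symmetric step)
// before anything leaves the enterprise; the caller must wrap the returned key.
func EncryptFile(plaintext []byte) (Envelope, []byte, error) {
	buf := make([]byte, 32+12) // 256-bit data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	return Envelope{nonce, newGCM(dataKey).Seal(nil, nonce, plaintext, nil)}, dataKey, nil
}

// DecryptFile needs the envelope from the cloud plus the unwrapped data key;
// the GCM tag check rejects ciphertext that was altered in storage or transit.
func DecryptFile(env Envelope, dataKey []byte) ([]byte, error) {
	return newGCM(dataKey).Open(nil, env.Nonce, env.Ciphertext, nil)
}
// The asymmetric step: anyone holding the public key can wrap a data key, only
// the private-key holder can unwrap it. Wrapped keys are stored apart from data.
func WrapKey(pub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
}
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}
// RewrapKey rotates the wrapping key pair without re-encrypting the stored file.
func RewrapKey(old *rsa.PrivateKey, next *rsa.PublicKey, wrapped []byte) ([]byte, error) {
	dataKey, err := UnwrapKey(old, wrapped)
	if err != nil {
		return nil, err
	}
	return WrapKey(next, dataKey)
}
```

Because the private key never travels with the envelope, a copy of the stored file alone is useless to whoever obtains it, which is exactly the separation the recommendation above calls for.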
3. Don’t become entirely reliant on cloud providers.
Even though you should partner with a cloud service provider to encrypt your data and manage your keys, keep in mind that a CSP isn’t going to be as invested in protecting your company’s data as the business owner. If an organization suffers a well-publicized data breach, clients and the press will focus their ire on the company itself and not the CSP.
Cloud providers are not subject to the same data breach disclosure laws as banks, federal agencies and other entities, said Jeff Cherrington, product management VP of Z Systems at Rocket Software. Plus, the business that owns the data is held responsible, even when the cause of the data breach lies with the cloud hosting organization. It is ultimately the obligation of the enterprise to protect its data, wherever and however it’s processed. That’s why it’s critical to implement security redundancies and have skilled IT security team members on staff. Even with your CSP partnership, in-house employees should play a serious role in managing and monitoring encryption and the data it protects.
The aforementioned Cloud Security Alliance also suggests the cloud services provider and its staff should never have access to your decryption keys. “This … stipulation can be the most challenging for SMBs, depending on their use of cloud,” said Cherrington. “For simple file sharing, there are some good add-ons for Dropbox and similar offerings … When an SMB moves processing to the cloud, things become a bit more complex.”
The best cloud services on the market
With a plethora of recent cyberattacks on large data centers and commercial sites, be it retail, healthcare, government, commercial or industrial, data security should be a top priority for your company. If you’re ready to invest in cloud services for your business, take a look at the best cloud storage and online backup services.
These include IDrive, which can back up an unlimited number of PC, Mac, Android and iOS devices in real time for one flat fee; Egnyte, which offers cloud, on-premises and hybrid options to businesses and counts Nasdaq as one of its clients; and Backblaze, which provides storage and backup plans for PC and Mac users on monthly, annual or biennial terms. Also check out our comparison of Microsoft Azure and Amazon Web Services for two more cloud options.
Whichever service you partner with, make sure your team has clear protocols to follow when accessing the cloud. Also, investigate which software you already use that contains encryption capabilities. For example, our review of Xero’s accounting software notes that it uses bank-grade encryption and that businesses can enable multi-factor authentication. Make sure your company is taking advantage of these security tools. Additionally, carry out a cybersecurity risk assessment every few months, and employ highly rated internet security and antivirus software.