Menu
Business.com aims to help business owners make informed decisions to support and grow their companies. We research and recommend products and services suitable for various business types, investing thousands of hours each year in this process.
As a business, we need to generate revenue to sustain our content. We have financial relationships with some companies we cover, earning commissions when readers purchase from our partners or share information about their needs. These relationships do not dictate our advice and recommendations. Our editorial team independently evaluates and recommends products and services based on their research and expertise. Learn more about our process and partners here.
The cloud offers state-of-the-art encryption for vital business data, but there are security concerns to keep in mind.
In a time of evolution and change in business regulations and information security, business leaders often face privacy and security challenges they lack the knowledge and experience to address. While many are familiar with baseline encryption tools, cloud encryption can be daunting — and with so many different types of encryption available, small to midsize businesses (SMBs) may find their options overwhelming.
To help make this critical technology more accessible, here’s what SMB owners need to know about cloud encryption.
>> Read next: 8 Ways Cloud Computer Can Increase Productivity and Profits
SMBs now have access to the same computing power and storage space as multinational corporations for mere dollars a month, thanks to the cloud. You no longer need to spend a small fortune on computer equipment, software and information technology (IT) teams to maintain it all. But is your data safe? How can you make it safer? This is where encryption comes in.
Cloud encryption transforms plaintext data into data that is completely indecipherable (called ciphertext). This means if a cybercriminal manages to hack into your email or web traffic, what they’re left with is useless to them. They have the data, but not the key that would turn the gibberish back into usable information.
Editor’s note: Need a cloud storage solution for your business? Fill out the below questionnaire to have our vendor partners contact you with free information.
Encryption is hardly a new technology but, historically, encrypted data was stored on servers that resided on premises over which the company had direct control. Now that many of today’s popular business applications are hosted in the cloud, business owners either need to depend on contract language to protect their assets, selecting a cloud provider that will allow the customer to encrypt the data before it is sent to the cloud for storage or processing or partner with a software-as-a-service (SaaS) provider that will manage the encryption and decryption of the corporate data.
Data exists in three different states: in transit, in use and at rest:
Not all corporate data requires encryption and not all users have the same need to access data, said Vic Winkler, a cybersecurity and information security consultant. It is essential for businesses to create rules to identify what information needs encryption and what data can be stored safely in plain text. Winkler said segregating data using SaaS applications that encrypt the data within the applications automatically can go a long way to ensuring important data is protected. The data must also be protected so that it does not impact the company’s business processes negatively.
Data that does require encryption can be in any of the three states, but protecting data at rest is particularly essential, Winkler said. The best choice is to encrypt sensitive data when it is created so that when it is stored in a data center, whether locally or in the cloud, it will be protected.
Cloud encryption relies on keys that scramble data to prevent bad actors from accessing it. Only those with access to the keys can decode the information. There are two types of encryption keys: symmetric encryption, where the same key is used to encrypt and decrypt data and asymmetric encryption, where there is a public key that everyone can see that encrypts the data and a private key that you hold that decrypts data.
Symmetric encryption is faster, whereas asymmetric encryption is more secure. If an organization loses or destroys its access key, its data may be unrecoverable, which is a big problem to consider when using this security method. The Cloud Security Alliance advises that sensitive data be encrypted for data privacy with approved algorithms and long, random keys; encrypted before it passes from the enterprise to the cloud; and remain encrypted in transit, at rest and in use.
Also, the data should remain encrypted up to the moment of use. Both the decryption keys and the decrypted versions of the data should be available in the clear only within a protected transient memory space.
Cloud encryption has many potential benefits for your organization, including:
Cloud encryption also brings challenges. Here are a few you should be aware of:
Given that cloud encryption is one of the most important security measures a business can take, here are some things to keep in mind.
Although every reputable cloud service provider (CSP) offers basic security, including encryption, cloud users should implement additional measures to ensure data security. Treat your relationship with your CSP as a partnership where they monitor and respond to infrastructure security, and you take additional steps to protect data and assets you store in and transmit to the cloud.
Adding additional layers of encryption to your CSP’s encryption is a start. Other valuable undertakings include the following:
Separating the encryption key from the encrypted data is essential in keeping data secure.
“One area we caution our healthcare clients to watch out for is the storage and use of encryption keys. They often store the keys in the same location as the data itself,” said Cortney Thompson, chief information officer of data center and managed services provider Lunavi. If your data is compromised, your key would be too, which is why it’s more secure to keep them separate.
Additionally, businesses should keep a backup of all keys in an offsite location in case of disaster and audit that backup every couple of months.
“Encryption keys also need to be refreshed regularly. This is often forced on companies as the key itself is set to expire automatically, but other keys need a refresh schedule,” said Thompson. “Consider encrypting the keys themselves, though this leads to a vicious circle of encryption on top of encryption. Finally, give master and recovery keys multifactor authentication.”
Manny Landrón, CISO of Enact Mortgage Insurance, argued that cloud service providers or third-party proxy providers should manage a company’s encryption keys rather than the business’s in-house IT department. If data is encrypted before being uploaded to a cloud storage provider and that data is then needed on a mobile or remote device that does not already have the decryption key, the resulting download will be useless encrypted data. This becomes exacerbated when a company tries to share data with a business partner but does not want the partner to have direct access to decryption keys.
Key rotation and destruction also become more complex when a company is managing its own keys for what can entail millions of files. A third-party proxy provider can add a layer of protection by keeping the keys separate from the encrypted data at a cloud provider. This may not be ideal for all businesses, however, because it adds another layer of complexity as well as the additional cost of a second third-party provider for the company.
Even though you should partner with a cloud service provider to encrypt your data and manage your keys, keep in mind that a CSP isn’t going to be as vested in protecting your company’s data as the business owner. If an organization suffers a well-publicized data breach, clients and the press will focus their ire on the company itself and not the CSP.
Cloud providers are not subject to the same data breach disclosure laws as banks, federal agencies and other entities, said Jeff Cherrington, product management vice president of Z Systems at Rocket Software. Plus, the business that owns the data is held responsible, even when the cause of the data breach lies with the cloud hosting organization. Ultimately, it is the obligation of the enterprise to protect its data, wherever and however it’s processed. That’s why it’s critical to implement security redundancies and have skilled IT security team members on staff. Even with your CSP partnership, in-house employees should play a serious role in managing and monitoring encryption data.
The Cloud Security Alliance also suggests the cloud services provider and its staff should never have access to your decryption keys.
“This … stipulation can be the most challenging for SMBs, depending on their use of cloud,” said Cherrington. “For simple file sharing, there are some good add-ons for Dropbox and similar offerings … When an SMB moves processing to the cloud, things become a bit more complex.”
With a plethora of recent cyberattacks on large data centers and commercial sites, be it retail, healthcare, government, commercial or industrial, data security should be a top priority for your company. If you’re ready to invest in cloud services for your business, take a look at the top cloud storage services.
These include IDrive, which can back up an unlimited number of PC, Mac, Android and iOS devices in real time for one flat fee; Egnyte, which offers cloud, on-premises and hybrid options to businesses and counts Nasdaq as one of its clients; and Backblaze, which provides storage and backup plans for PC and Mac users on monthly, annual or biennial terms. Also, check out our comparison of Microsoft Azure and Amazon Web Services for two more cloud options.
Whichever service you partner with, make sure your team has clear protocols to follow when accessing the cloud. Also, investigate which software you already use that contains encryption capabilities. For example, our review of Xero’s accounting software notes that it uses bank-grade encryption and that businesses can enable multi-factor authorization. Make sure your company is taking advantage of these security tools. Additionally, carry out a cybersecurity risk assessment every few months and employ highly rated internet security and antivirus software.
Sean Peek contributed to this article. Source interviews were conducted for a previous version of this article.