Paranoid? Encrypt Your Data in the Cloud

More and more web applications are moving to the cloud or on to host computers that application owners do not control. While this move reduces the need for server space, there are security questions that arise. Companies need to consider how to protect user data from hacking or data loss, when the decision is made to shift tocloud-based hosting.

In the late 1990s, when the creation of online software was taking off, we wanted to encrypt information that was stored within our system, and of course, we needed the key to do that encryption. Where did we put that key? We just put it online within the same system that had access, so that our own software could encrypt and decrypt people’s passwords and other important, critical data.

This system had a major downfall.

If someone hacked into the system, they could find this key, and they would have access to everything. You must have a more sophisticated approach for storing or managing keys.

This problem hasn’t disappeared. Last year Amazon’s Simple Storage Service was found to be susceptible to an http attack that could expose users’ data storage accounts. In a traditional setting (before the cloud), systems and data sets would be kept physically separate from each other. This way, if one was accessed, the others wouldn’t be. On the cloud, multiple data sets from varying organizations – each with different policies regarding sensitive data storage – can be present in a single location. Maintaining control over information in this environment can be problematic.

Encryption is one part of data loss prevention (DLP) software, designed to offer more security options for data. DLP goes beyond simple encryption. There are four types of DLP: standard security measures, advanced security measures, access control and encryption and designated DLP solutions. Standard measures include firewalls, intrusion detection systems (IDS’s) and antivirus software, while advanced measures employ techniques such as machine learning and temporal reasoning algorithms to detect abnormal access. Access control encryption includes the key encryption discussed previously. Designated solutions include the detection and prevention of unauthorized attempts to copy or send sensitive data. In order to do tasks prohibited by designated solutions, the user must perform other authorization measures, such as data fingerprinting or exact data matching.

Encryption techniques have stepped up. Volume-based encryption, application-specific encryption and file encryption have adapted to work better in the cloud. These are not without some impracticalities and hiccups. Application developers need to consider what features their program has to encrypt information and how else they might be able to protect user information. It is evident that key encryption is vulnerable to outsider access.

Employing a variety of different data loss prevention techniques is necessary, moving forward. As cloud hosting grows, these options, as well as others yet to be developed, will need to be ironed out.