Cloud
9/27/2017
06:10 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Companies Push to Decode Cloud Encryption

Businesses buckle down on encryption as it becomes table stakes for securing data in the cloud.

Encryption has become less of a nice-to-have and more of a must-have as companies determine how to best protect their cloud-based data. Cloud providers are taking note and integrating encryption to stay competitive among security-savvy customers.

In the past, businesses have put off encryption because it took up a lot of time and resources, explains Marty Puranik, CEO at Atlantic.net. Now, as breaches regularly make headlines, more are buckling down on data security and providers are adjusting their services to help. In industries like healthcare, leaving data unencrypted isn't an option.

"There are lots of compromises in the news and companies don't want to have that happen," he explains. "A lot of best practices are actually becoming requirements as the industry matures and standards form."

How providers are simplifying encryption

Cloud providers large and small are buckling down on security to win customers' trust, Lane says. "They need to make sure they're secure because nobody trusts cloud vendors at first," he explains. "A way to differentiate their service is to be more secure than on-prem."

Microsoft recently updated its service with Azure confidential computing. This will encrypt data in use in the public cloud, which has so far lacked this level of security. People can maintain control over their data while it's processed in the cloud, protecting it from threats like malicious insiders with administrative privilege, or third parties accessing it without their consent.

It makes sense in the broader context of Microsoft's approach to security, which Prendergast describes as "hardened by default." If users want to make information accessible to others, they have to open it themselves. The idea is to give people a more secure cloud environment by default so they don't have to figure it out themselves.

Amazon is different, he continues. The company provides encryption and management tools, but the customer has to be able to properly implement and run them. It's easy for someone to start playing with a project that spreads into production, bringing data into an unsecure place -- an issue he says contributed to the AWS data leaks in recent news.

The encryption trend isn't only popular among tech giants. Cloud companies like Atlantic.Net and Fortanix have also begun to jump on the encryption trend. The former recently began encrypting all user data by default; the latter encrypts data while applications are using it.

Encryption challenges and mistakes

Several factors have hampered the growth of encryption, says Adrian Lane, CTO and analyst at Securosis. For starters, it's expensive. Security teams struggle to justify technologies that aren't directly tied to revenue and provide more benefit in the short term than the long term.

"Over the years, cost justification was the biggest impediment," he explains. "Businesses didn't see a big enough risk to procure and pay for encryption."

Some held back because they feared they would lose their encryption key and as a result, lose all of their data. Complexity proved another obstacle; businesses could easily encrypt their databases but didn't know how to leverage decryption for file access.

"There is overhead, and it is more work," says Puranik. "If [encryption] wasn't something required in the past, people didn't do it. Now it has become more common."

This isn't to say security teams don't make mistakes when they encrypt their data. One major error Lane frequently sees is the use of application encryption, especially with older legacy applications.

"If you want to be the most secure, you implement [encryption] within an application so the app itself manages its own keys, can determine which users and which circumstances can see decrypted data, and decrypt the data itself," Lane says. "It's the most secure use case itself, but implementing that into the application is really hard."

Some businesses neglect to encrypt data at rest, which Evident.io CEO Tim Prendergast describes as a severe oversight.

"There's no excuse not to encrypt data at rest," he notes. "It doesn't make any sense unless you just don't care about the data … and some people don't." This mistake has led to data compromise at major companies including Viacom and Fedex.

The issue of bring your own key (BYOK) is also critical, Lane adds. Many companies use multiple clouds and as more turn to different cloud providers, it will be important to use a consistent multicloud key management approach so they can use their keys for various providers.

If you don't trust the vendor or think a malicious actor could access keys, you might want to do BYOK, he says. In some cases, you may not even want to leverage native cloud key services at all.

The case for encrypting everything

When businesses decide which data gets encrypted, they prioritize sensitive data like personal financial records and health information. While this arguably makes sense, what's considered "important" data varies from person to person.

What doesn't get encrypted? Puranik points to metadata; for example, customer logs containing information on the websites they visit and options they prefer. This data is often kept on the back burner, unencrypted, and many businesses don't realize its value to attackers.

He points to social media, which is a treasure trove of data that may seem harmless in small chunks but when pieced together, can paint an accurate picture of someone's life. While he abstains from Facebook and LinkedIn, Puranik explains how both networks can generate data on him based on account holders who ask him to join.

"Is that data relevant? Well It's not a Social Security Number or driver's license, but in a way, it's a digital fingerprint," he says. An attacker could use this data to, for example, launch a targeted phishing attack by sending a fraudulent email and claim to know one of his contacts.

Consumers and end users want everyone to encrypt everything, explains Prendergast. While the operational cost used to make companies say "we'll do that later," now, they have no excuse.

"It's table stakes," he says.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
Hyatt Hit With Another Credit Card Breach
Dark Reading Staff 10/13/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.