Solving the Cloud Data Security Conundrum

Trusting the cloud involves a change in mindset. You must be ready to use runtime encryption in the cloud.

As we have seen in several major cybersecurity breaches, attackers will prey on a system's weakest points to harvest its data. An important source of vulnerability occurs at runtime, when data is in use. In response, enterprise developers must leverage runtime encryption technologies with effective key management to secure sensitive data — and this is especially true in the cloud/multicloud environment.

Runtime encryption solutions using hardware-aided security have been available for years, but until recently they were not available in the public cloud. This is changing. [Editor's note: Fortanix is one of a number of companies that offer runtime encryption services.] Cloud service providers (CSPs) now offer hardware platforms on which runtime encryption solutions can be deployed. Innovative new solutions for key management, along with an end-to-end approach to encrypting and securing data at rest, in transit, and in use, are critical, as are the related functions required to make cloud runtime encryption viable.

Data Security: The Two-Thirds Solution
Traditionally, it has been possible to protect data by encrypting it at rest and in transit. This got organizations two-thirds of the way to complete data protection. At runtime, however, data pulsing through the CPU was exposed. Before today's increasing adoption of technologies such as Intel Software Guard Extensions (Intel SGX), runtime encryption was impractical. Comparable solutions, such as fully homomorphic encryption, have proved impractical for many of today's complex application use cases.

Requirements for Effective Runtime Data Encryption
New runtime encryption solutions fill the security void when data reaches the CPU by creating a trusted execution environment (TEE) within which sensitive applications and data are protected. TEEs enable general-purpose computation on encrypted data without exposing plaintext application code or data and are designed to provide complete cryptographic protection for applications at the performance level that enterprises require.

To provide holistic protection, however, runtime encryption solutions must take a life cycle-based approach to data security. From the earliest stage of application development, the solution must be capable of integrating encryption and/or tokenization to secure sensitive data, in addition to the hardware-aided security provided by a TEE. Leveraging centralized logging of cryptographic operations and policy definition/enforcement for auditability and compliance should also be an important part of the management life cycle. The solution must be able to guarantee the execution of validated software securely inside a TEE, where it is protected from all threats while ensuring the security of data at rest and in transit.

The Cloud: A Runtime Data Security Conundrum
A potential barrier to the end-to-end security that runtime encryption must provide has been the need for the CSP to host the keys used to encrypt and decrypt sensitive data. Although securing data at runtime in a TEE protects application code and data from unauthorized system or root-user access, the data remains vulnerable unless the organization retains exclusive control over its cryptographic keys. With "bring your own key" (BYOK) functionality, an organization can supply a known key to encrypt and decrypt data, but the CSP holds that key in its proprietary key store, which should make security managers uncomfortable. The problem of securing data and cryptographic keys on a CSP's platform must be resolved if the benefits of runtime encryption are to be fully realized.

Better Security Controls for Cloud Workloads
Innovations in cloud-native APIs make it possible for users to integrate their own key management systems in order to retain control of the keys that applications deployed in the cloud require. With a "bring your own key management system" (BYOKMS), organizations store their encryption keys in a hardware security module (HSM) in their data centers or within a contracted facility. The API connects the HSM to the cloud service, with keys retrieved from the HSM when needed by an application. This enables keys to work seamlessly with runtime encryption in the cloud, with a single point of control for management and auditability. As a unified system, BYOKMS solutions can handle data encryption, tokenization, and shared secrets while spanning on-premises, hybrid cloud, and public cloud environments.

With BYOKMS, organizations retain exclusive control over who can see their data. This enables a number of specific benefits, including:

  • Compliant application mobility: When organizations control their own keys, they can move applications to the public cloud, even if they are bound by regulations.
  • Distributed security: By combining a zero-trust model and an "interconnection-first" approach, organizations can distribute security as a means to address scale and integration challenges.
  • Keys less likely to be compromised: BYOKMS cuts down the odds of key secrecy being violated in shared infrastructure. Even the CSP or government officials won't be able to access them.
  • GDPR compliance: Key management with regional isolation provides compliance with the EU's General Data Protection Regulation (GDPR) and other data sovereignty laws.
  • GRC standards met within a multicloud environment: If your organization's governance, risk, and compliance (GRC) policies call for pervasive data encryption, you can now adhere to the policies while migrating applications and data into multicloud, public cloud, or hybrid environments.
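As an added illustration (not Fortanix's code or any CSP's API), the following Python sketches the release decision an organization-controlled KMS makes under the BYOKMS model described above: the master key stays in the customer's KMS, a data key is derived only for software whose measurement has been validated and only in an allowed region, and every request is recorded centrally for audit. The policy structure, the measurement check standing in for real TEE attestation verification, and all sample values are constructed assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ReleasePolicy:
    """Centrally defined release policy (constructed structure for this example)."""
    allowed_measurements: set   # hashes of validated enclave builds
    allowed_regions: set        # regions in which the data may be processed

@dataclass
class CustomerKms:
    """Stand-in for the organisation's own KMS/HSM: the master key never leaves it."""
    policy: ReleasePolicy
    _master: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    audit_log: list = field(default_factory=list)

    def release_key(self, workload_id: str, measurement: str, region: str) -> Optional[bytes]:
        """Release a data-encryption key only to validated software in an allowed region."""
        if measurement not in self.policy.allowed_measurements:
            decision = "deny:unvalidated-software"
        elif region not in self.policy.allowed_regions:
            decision = "deny:region"
        else:
            decision = "allow"
        # Every request, allowed or denied, is recorded centrally for audit.
        self.audit_log.append({"workload": workload_id, "measurement": measurement,
                               "region": region, "decision": decision})
        if decision != "allow":
            return None
        # Bind the derived key to the attested build and region: a different build,
        # or the same build in another region, derives a different key.
        info = f"dek|{measurement}|{region}".encode()
        return hmac.new(self._master, info, hashlib.sha256).digest()

# Constructed sample values: the measurement of a build the security team validated,
# and the measurement of a modified build that was never validated.
VALIDATED_BUILD = hashlib.sha256(b"constructed enclave image v1").hexdigest()
TAMPERED_BUILD = hashlib.sha256(b"constructed enclave image v1 + modification").hexdigest()

def demo() -> dict:
    """Run four requests against a policy that allows one build in one region."""
    kms = CustomerKms(ReleasePolicy({VALIDATED_BUILD}, {"eu-west"}))
    ok = kms.release_key("payments-api", VALIDATED_BUILD, "eu-west")
    again = kms.release_key("payments-api", VALIDATED_BUILD, "eu-west")
    tampered = kms.release_key("payments-api", TAMPERED_BUILD, "eu-west")
    wrong_region = kms.release_key("payments-api", VALIDATED_BUILD, "us-east")
    return {"ok": ok, "again": again, "tampered": tampered,
            "wrong_region": wrong_region, "log": kms.audit_log}
```

The same validated build in the same region always derives the same data key, so the workload can re-obtain it after a restart, while the audit log shows each denial with its reason.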

More broadly, the BYOKMS approach leads to predictable consumption. Organizations can move workloads across multiple clouds to manage load levels without concern for data vulnerability. They can also integrate applications more flexibly because it doesn't matter where the data resides. Data is protected at runtime across all instances, even in the public cloud. This is possible without negatively affecting application performance: because keys are stored in data centers close to the critical applications, end-to-end cryptographic security that incorporates runtime encryption does not slow down data processing.

Putting Cloud Runtime Encryption to Work
Moving sensitive data to cloud infrastructure is only partly about getting the right tools. Trusting the cloud involves a change in mindset. You must be ready to embrace runtime encryption in the cloud. Your developers should understand the new APIs for securing data in the cloud. Security staff tasked with key management must think differently about the key management life cycle. All of this is possible, though. Runtime encryption in the cloud is real.

Faiyaz Shahpurwala is the Chief Product and Strategy Officer for Fortanix. Prior to Fortanix, he held key senior leadership positions at IBM and Cisco. He was most recently VP/GM for IBM Cloud, and before that he was SVP at Cisco Systems, ...
