Solving the Cloud Data Security Conundrum

Trusting the cloud involves a change in mindset. You must be ready to use runtime encryption in the cloud.

As we have seen in several major cybersecurity breaches, attackers will prey on a system's weakest points to harvest its data. An important source of vulnerability occurs at runtime, when data is in use. In response, enterprise developers must leverage runtime encryption technologies with effective key management to secure sensitive data — and this is especially true in the cloud/multicloud environment.

However, while runtime encryption solutions using hardware-aided security have been available for years, until recently they were not available in the public cloud. That is changing. [Editor's note: Fortanix is one of a number of companies that offer runtime encryption services.] Cloud service providers (CSPs) now offer hardware platforms that enable runtime encryption solutions to be deployed in the cloud. New approaches to key management, along with an end-to-end approach to encrypting and securing data at rest, in transit, and in use, are critical, as are the related functions required to make cloud runtime encryption viable.

Data Security: The Two-Thirds Solution
Traditionally, it has been possible to protect data by encrypting it at rest and in transit. This got organizations two-thirds of the way to complete data protection. At runtime, however, data passing through the CPU was exposed. Before today's increasing adoption of technologies such as Intel Software Guard Extensions (Intel SGX), runtime encryption was impractical. Alternative approaches, such as fully homomorphic encryption, have proved unworkable for many of today's complex application use cases.

Requirements for Effective Runtime Data Encryption
New runtime encryption solutions fill the security void when data reaches the CPU by creating a trusted execution environment (TEE) within which sensitive applications and data are protected. TEEs enable general-purpose computation on encrypted data without exposing plaintext application code or data and are designed to provide complete cryptographic protection for applications at the performance level that enterprises require.

To provide holistic protection, however, runtime encryption solutions must take a life cycle-based approach to data security. From the earliest stage of application development, the solution must be capable of integrating encryption and/or tokenization to secure sensitive data, in addition to the hardware-aided security provided by a TEE. Leveraging centralized logging of cryptographic operations and policy definition/enforcement for auditability and compliance should also be an important part of the management life cycle. The solution must be able to guarantee the execution of validated software securely inside a TEE, where it is protected from all threats while ensuring the security of data at rest and in transit.

The Cloud: A Runtime Data Security Conundrum
A potential barrier to the end-to-end security that runtime encryption must provide has been the need for the CSP to host the keys used to encrypt and decrypt sensitive data. Although securing data at runtime using a TEE protects application code and data from unauthorized system or root-user access, the data remains vulnerable unless organizations maintain exclusive control over their cryptographic keys. With "bring your own key" (BYOK) functionality, organizations can supply a known key to encrypt and decrypt data, but the CSP holds this key within its proprietary key store, which should make security managers uncomfortable. The problem of securing data and cryptographic keys on a CSP's platform must be resolved if the benefits of runtime encryption are to be fully realized.

Better Security Controls for Cloud Workloads
Innovations in cloud-native APIs make it possible for users to integrate their own key management systems in order to retain control of the keys that applications deployed in the cloud require. With a "bring your own key management system" (BYOKMS), organizations store their encryption keys in a hardware security module (HSM) in their data centers or within a contracted facility. The API connects the HSM to the cloud service, with keys retrieved from the HSM when needed by an application. This enables keys to work seamlessly with runtime encryption in the cloud, with a single point of control for management and auditability. As a unified system, BYOKMS solutions can handle data encryption, tokenization, and shared secrets while spanning on-premises, hybrid cloud, and public cloud environments.

With BYOKMS, organizations retain exclusive control over who can see their data. This enables a number of specific benefits, including:

  • Compliant application mobility: When organizations control their own keys, they can move applications to the public cloud, even if they are bound by regulations.
  • Distributed security: By combining a zero-trust model and an "interconnection-first" approach, organizations can distribute security as a means to address scale and integration challenges.
  • Keys less likely to be compromised: BYOKMS cuts down the odds of key secrecy being violated in shared infrastructure. Even the CSP or government officials won't be able to access them. 
  • GDPR compliance: Key management with regional isolation provides compliance with the EU's General Data Protection Regulation (GDPR) and other data sovereignty laws.
  • GRC standards met within a multicloud environment: If your organization's governance, risk, and compliance (GRC) policies call for pervasive data encryption, you can now adhere to the policies while migrating applications and data into multicloud, public cloud, or hybrid environments.

More broadly, the BYOKMS approach makes cloud consumption predictable. Organizations can move workloads across multiple clouds to manage load levels without concern for data vulnerability. They can also integrate applications more flexibly because it no longer matters where the data resides. Data is protected at runtime across all instances, even in the public cloud, without negatively affecting application performance. Because keys are stored in data centers close to the critical applications, end-to-end cryptographic security that incorporates runtime encryption does not slow down data processing.

Putting Cloud Runtime Encryption to Work
Moving sensitive data to cloud infrastructure is only partly about getting the right tools. Trusting the cloud involves a change in mindset. You must be ready to embrace runtime encryption in the cloud. Your developers should understand the new APIs for securing data in the cloud. Security staff tasked with key management must think differently about the key management life cycle. All of this is possible, though. Runtime encryption in the cloud is real.


Faiyaz Shahpurwala is the Chief Product and Strategy Officer for Fortanix. Prior to Fortanix, he held key senior leadership positions at IBM and Cisco. He was most recently VP/GM for IBM Cloud, and before that he was SVP at Cisco Systems, ...
