Solving the Cloud Data Security Conundrum

Trusting the cloud involves a change in mindset. You must be ready to use runtime encryption in the cloud.

As we have seen in several major cybersecurity breaches, attackers will prey on a system's weakest points to harvest its data. An important source of vulnerability occurs at runtime, when data is in use. In response, enterprise developers must leverage runtime encryption technologies with effective key management to secure sensitive data — and this is especially true in the cloud/multicloud environment.

However, while runtime encryption solutions using hardware-aided security have been available for years, they were not available in the public cloud. But this is changing. [Editor's note: Fortanix is one of a number of companies that offer runtime encryption services.] Cloud service providers (CSPs) now offer hardware platforms that enable runtime encryption solutions to be deployed in the cloud. Innovative new solutions for key management, along with an end-to-end approach to encrypting and securing data when it's at rest, in transit, and in use, are critical, as are related functions required to make cloud runtime encryption viable.

Data Security: The Two-Thirds Solution
Traditionally, it has been possible to protect data by encrypting it at rest and in transit. This got organizations two-thirds of the way to complete data protection. At runtime, however, data pulsing through the CPU was exposed. Before today's increasing adoption of technologies such as Intel Software Guard Extensions (Intel SGX), runtime encryption was impractical. Comparable solutions, such as fully homomorphic encryption, have proved impractical for many of today's complex application use cases.

Requirements for Effective Runtime Data Encryption
New runtime encryption solutions fill the security void when data reaches the CPU by creating a trusted execution environment (TEE) within which sensitive applications and data are protected. TEEs enable general-purpose computation on encrypted data without exposing plaintext application code or data and are designed to provide complete cryptographic protection for applications at the performance level that enterprises require.

To provide holistic protection, however, runtime encryption solutions must take a life cycle-based approach to data security. From the earliest stage of application development, the solution must be capable of integrating encryption and/or tokenization to secure sensitive data, in addition to the hardware-aided security provided by a TEE. Leveraging centralized logging of cryptographic operations and policy definition/enforcement for auditability and compliance should also be an important part of the management life cycle. The solution must be able to guarantee the execution of validated software securely inside a TEE, where it is protected from all threats while ensuring the security of data at rest and in transit.

The Cloud: A Runtime Data Security Conundrum
A potential barrier to the end-to-end security that runtime encryption must provide has been the need to host the keys used to encrypt and decrypt sensitive data by the CSP. Although securing data at runtime using a TEE protects application code and data from unauthorized system or root-user access, the data remains vulnerable unless organizations maintain exclusive control over their cryptographic keys. With "bring your own key" (BYOK) functionality, organizations can provide a known key to encrypt and decrypt data, but the CSP holds this key within its proprietary key store — which should make security managers uncomfortable. The problem of securing data and cryptographic keys on a CSP's platform must be resolved if the benefits of runtime encryption are to be fully realized.

Better Security Controls for Cloud Workloads
Innovations in cloud-native APIs make it possible for users to integrate their own key management systems in order to retain control of the keys that applications deployed in the cloud require. With a "bring your own key management system" (BYOKMS), organizations store their encryption keys in a hardware security module (HSM) in their data centers or within a contracted facility. The API connects the HSM to the cloud service, with keys retrieved from the HSM when needed by an application. This enables keys to work seamlessly with runtime encryption in the cloud, with a single point of control for management and auditability. As a unified system, BYOKMS solutions can handle data encryption, tokenization, and shared secrets while spanning on-premises, hybrid cloud, and public cloud environments.

With BYOKMS, organizations retain exclusive control over who can see their data. This enables a number of specific benefits, including:

  • Compliant application mobility: When organizations control their own keys, they can move applications to the public cloud, even if they are bound by regulations.
  • Distributed security: By combining a zero-trust model and an "interconnection-first" approach, organizations can distribute security as a means to address scale and integration challenges.
  • Keys less likely to be compromised: BYOKMS cuts down the odds of key secrecy being violated in shared infrastructure. Even the CSP or government officials won't be able to access them.
  • GDPR compliance: Key management with regional isolation provides compliance with the EU's General Data Protection Regulation (GDPR) and other data sovereignty laws.
  • GRC standards met within a multicloud environment: If your organization's governance, risk, and compliance (GRC) policies call for pervasive data encryption, you can now adhere to the policies while migrating applications and data into multicloud, public cloud, or hybrid environments.

More broadly, the BYOKMS approach leads to predictable consumption. Organizations can move workloads across multiple clouds to manage load levels without concern for data vulnerability. They can also integrate applications more flexibly because it doesn't matter where the data resides. Data is protected at runtime across all instances, even in the public cloud. This is possible without negatively affecting application performance. By storing keys in data centers that are close to critical apps, end-to-end cryptographic security incorporating runtime encryption won't slow down data processing.
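To make the BYOKMS flow described above concrete, here is an added illustrative model; it is not Fortanix's product, nor any CSP's or HSM vendor's API. A customer-controlled key store generates and keeps the keys, a workload running in a TEE presents an attestation report when it needs one, and the store releases the key only if the report's signature verifies, its nonce is fresh, the enclave measurement is on the approved list and the region satisfies the data-residency policy, logging every decision for audit. The attestation signature is simulated with an HMAC, and every identifier, measurement and region is a constructed sample value; real attestation formats and key transport are hardware- and vendor-specific.

```python
"""Added illustration of the BYOKMS flow: customer-held keys released only to an
attested TEE workload, every decision logged. Attestation is simulated (HMAC)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AttestationReport:
    """What the TEE workload presents when requesting a key (hypothetical format)."""
    measurement: str   # hash of the validated enclave code
    region: str        # where the workload runs
    nonce: str         # freshness challenge issued by the key store
    signature: bytes   # MAC over the fields, standing in for the hardware signature


@dataclass(frozen=True)
class KeyPolicy:
    """Per-key release policy defined and enforced by the customer, not the CSP."""
    allowed_measurements: frozenset
    allowed_regions: frozenset


def _report_bytes(measurement, region, nonce):
    return f"{measurement}|{region}|{nonce}".encode()


def sign_report(att_key, measurement, region, nonce):
    """Simulated attestation: an HMAC stands in for the hardware's signature."""
    sig = hmac.new(att_key, _report_bytes(measurement, region, nonce), hashlib.sha256).digest()
    return AttestationReport(measurement, region, nonce, sig)


class CustomerKeyStore:
    """Stands in for the customer-controlled HSM/KMS behind the cloud API; the
    CSP's own key store never holds the key material."""

    def __init__(self, att_verify_key):
        self._att_verify_key = att_verify_key
        self._keys = {}
        self._policies = {}
        self._issued_nonces = set()
        self.audit_log = []   # centralized record of every key operation

    def _log(self, op, key_id, report, outcome):
        self.audit_log.append({
            "op": op, "key_id": key_id, "outcome": outcome,
            "measurement": report.measurement if report else None,
            "region": report.region if report else None,
        })

    def create_key(self, key_id, policy):
        self._keys[key_id] = secrets.token_bytes(32)   # generated and kept here
        self._policies[key_id] = policy
        self._log("create", key_id, None, "ok")

    def issue_nonce(self):
        """Fresh challenge the workload must bind into its attestation report."""
        nonce = secrets.token_hex(16)
        self._issued_nonces.add(nonce)
        return nonce

    def release_key(self, key_id, report):
        """Verify the report, enforce policy, then hand over the key or refuse."""
        def deny(reason):
            self._log("release", key_id, report, "denied: " + reason)
            raise PermissionError(reason)

        if key_id not in self._keys:
            deny("unknown key")
        expected = hmac.new(self._att_verify_key,
                            _report_bytes(report.measurement, report.region, report.nonce),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, report.signature):
            deny("attestation signature does not verify")
        if report.nonce not in self._issued_nonces:
            deny("stale or replayed attestation report")
        self._issued_nonces.discard(report.nonce)   # each challenge is single-use
        policy = self._policies[key_id]
        if report.measurement not in policy.allowed_measurements:
            deny("enclave code is not on the approved list")
        if report.region not in policy.allowed_regions:
            deny("region violates the key's data-residency policy")
        self._log("release", key_id, report, "ok")
        return self._keys[key_id]


def attempt_release(store, key_id, report):
    """(key, 'ok') on success, (None, reason) when the store refuses."""
    try:
        return store.release_key(key_id, report), "ok"
    except PermissionError as exc:
        return None, str(exc)


def tokenize(key, value):
    """Deterministic HMAC-based tokenization, run inside the TEE once the key arrives."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
```

Usage: create a `CustomerKeyStore` with the attestation verification key, call `create_key` with a `KeyPolicy`, have the workload obtain a nonce via `issue_nonce`, build its report with `sign_report`, and call `attempt_release`; a workload in the wrong region or with unapproved code gets a refusal and a log entry, never key bytes. The nonce is consumed on first use so a captured report cannot be replayed, and the audit log gives the single point of control and auditability the article attributes to BYOKMS.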

Putting Cloud Runtime Encryption to Work
Moving sensitive data to cloud infrastructure is only partly about getting the right tools. Trusting the cloud involves a change in mindset. You must be ready to embrace runtime encryption in the cloud. Your developers should understand the new APIs for securing data in the cloud. Security staff tasked with key management must think differently about the key management life cycle. All of this is possible, though. Runtime encryption in the cloud is real.

Faiyaz Shahpurwala is the Chief Product and Strategy Officer for Fortanix. Prior to Fortanix, he held key senior leadership positions at IBM and Cisco. He was most recently VP/GM for IBM Cloud, and before that he was SVP at Cisco Systems, ...