Yes, my data is secure in the cloud.

Implementing a data-centric approach.

Today, data security has become a major issue, as millions of people hand over their personal and financial information to various organizations. What degree of trust should one have in these companies and their support staff as this sensitive information is handed over?

The best method to protect personal information from hackers is a data-centric security approach.

Perimetric vs. Data-Centric

These days, most customer data is stored by SaaS (Software as a Service) vendors and social media companies on “public cloud servers,” which by definition are reachable from public networks. The primary network security mechanism at these companies is the firewall, also classified as perimeter security. Unfortunately, conventional network security alone is no longer sufficient given today’s traffic volumes and the data-sharing patterns observed between systems. As a result, sensitive data is left vulnerable to misuse by bad actors.

As major organizational security breaches show (Table A), hackers have a variety of reasons for attempting to reach the underlying data. These breaches are avoidable if the data is disguised and encrypted, and this is where data-centric security comes into the picture. When data is encrypted, hackers cannot make sense of the information even if they get their hands on it, whether it sits in the operating system or on storage devices. Encryption thus plays a significant role in authentication, privacy, and access control mechanisms.

[Figure: Every cloud service must be secured. Overall security of application infrastructure.]

Data-Centric Security Tools Provided by Public Cloud Vendors

Even though running cloud-based systems may seem challenging from a security perspective, in reality cloud hosting companies such as AWS provide comprehensive and consistent tools to implement and manage data security policies easily and cost-effectively. These tools cover every security aspect, such as user authentication, connectivity, data transfers, data processing, data storage, and the related access control, allowing customers to effectively monitor the security of their systems.

Keeping the scope of this discussion limited to data storage in the cloud, let’s explore some tools offered by major public cloud providers. Beyond basic user authentication, data encryption plays a vital role in ensuring that data at rest does not get into the hands of hackers.

Securing Data Protection Layers

From a typical web application security perspective, data access layers are classified as Data in Motion and Data at Rest. Both must be protected.

Data in Motion


Data in motion refers to network connectivity to the cloud and to other internal and external services. User access, such as APIs and data transfers, needs to be secured so that data is not visible in clear text and not easily breached.

Here are some good use cases of encryption to protect data in motion:

  • HTTPS - Client connectivity, such as user access, is commonly secured with secure HTTP connections (HTTPS).

  • Single sign-on (SSO) - Authentication using protocols such as Security Assertion Markup Language (SAML) is similar to a password management feature like a keychain.

  • Cloud Access Security Brokers (CASB) are used to monitor traffic flow between the customer and the cloud infrastructure and to enforce security policies.

Data at Rest


Cloud hosting companies provide various data storage services with different durability and performance factors to optimize usage and associated costs to customers. All of these storage types must be encrypted to ensure that there is no data breach.

Storage Device Types

  • Block storage is used for building file system volumes and database devices.  

  • Object Storage, such as S3, is used for network storage. S3 and its associated APIs are used primarily for storing static content such as files, volume snapshots, and machine images on a highly scalable and durable platform.

  • Very long-term storage and archives use AWS Glacier, the lowest-cost tier, for backups and regulatory retention.

  • Network File Storage such as Elastic File System (EFS), which is similar to UNIX NFS, is a highly scalable and redundant storage service.
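To make the controls in the Data in Motion and Data at Rest sections concrete, here is an added example (not part of the original article and not AWS code) that audits an S3 bucket policy for the two enforcement statements a practitioner would expect: a Deny when aws:SecureTransport is false, so objects cannot be read or written over plaintext HTTP, and a Deny on s3:PutObject when the s3:x-amz-server-side-encryption header is absent, so nothing lands in the bucket unencrypted. The two policies are constructed for the example, with a placeholder account id and bucket name.

```python
"""Audit an S3 bucket policy for the two controls discussed above: encryption in
transit (deny plaintext HTTP) and encryption at rest (deny uploads that do not
request server-side encryption).  Added example with constructed policies; the
condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are
standard AWS policy keys, the account id and bucket name are placeholders."""
import json

# Constructed sample: grants read access and enforces nothing.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample: the same grant plus two Deny statements, so plaintext
# transport and unencrypted uploads are rejected at the API boundary.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _deny_statements(policy_json):
    policy = json.loads(policy_json)
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Deny"]


def _covers_action(stmt, action):
    """True if the statement's Action includes `action`, s3:* or *."""
    return any(a in (action, "s3:*", "*") for a in _as_list(stmt.get("Action", [])))


def enforces_tls(policy_json):
    """Is every S3 action denied when the request did not arrive over TLS?"""
    for stmt in _deny_statements(policy_json):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if _covers_action(stmt, "s3:*") and str(flag).lower() == "false":
            return True
    return False


def enforces_sse(policy_json):
    """Is s3:PutObject denied when the SSE header is missing (Null test) or
    set to a value other than the one the policy requires (StringNotEquals)?"""
    for stmt in _deny_statements(policy_json):
        if not _covers_action(stmt, "s3:PutObject"):
            continue
        cond = stmt.get("Condition", {})
        missing = cond.get("Null", {}).get("s3:x-amz-server-side-encryption")
        wrong_algo = "s3:x-amz-server-side-encryption" in cond.get("StringNotEquals", {})
        if str(missing).lower() == "true" or wrong_algo:
            return True
    return False


def audit(policy_json):
    """Return the list of missing controls; an empty list means both are enforced."""
    findings = []
    if not enforces_tls(policy_json):
        findings.append("no Deny when aws:SecureTransport is false (plaintext HTTP allowed)")
    if not enforces_sse(policy_json):
        findings.append("no Deny for PutObject without s3:x-amz-server-side-encryption")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy) or ["both controls enforced"])
```

Running it reports both gaps for the weak policy and none for the hardened one. The bucket policy is only one layer: the bucket's default encryption setting and the encryption flags on block, file and archive storage are the complementary controls for the storage types listed above.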

Securing Databases

Fully Managed Services - The areas of greatest concern for data security are relational and non-relational databases, where the majority of sensitive data is commonly stored.

How are these databases secured?

No database encryption - In many cases, relational databases (RDBMS) such as Microsoft SQL Server, MySQL, etc. are set up by application vendors with only basic authentication and without any database encryption, leaving the customers’ data vulnerable. As data sensitivity increases, a variety of encryption technologies are used to encrypt the underlying data.

Transparent Data Encryption (TDE) - This technology encrypts all the data in a database, in addition to securing the underlying devices. It ensures that hackers cannot recover data from RDBMS logs and backups. With TDE, as the name suggests, all encryption and decryption is handled transparently by the server engine, removing most of the performance and housekeeping overhead from the application layer. Encryption of the client connection to the database is handled by the server's SSL/TLS implementation.

Database column or cell-level encryption - This technique is applied to highly sensitive information to protect specific data from individual users at a very granular level. In some cases, this type of encryption provides user-level access control on certain columns only. It can be a highly secure yet cost-effective solution with very low performance overhead.

Fully managed Relational Databases (RDS) and Data Warehouses - AWS extends its encryption services to RDS, to warehouses such as Redshift, and to NoSQL databases such as Athena and DynamoDB. This gives implementation engineers a seamless and consistent experience.

Is encryption an innovation? 

Security of services is not a new problem to solve in the shared services environment like hotels, offices, libraries, gyms, etc. Let’s compare to see how today’s encryption techniques are astonishingly similar to real-life security mechanisms we have been using for decades to secure these shared services.

Note that data encryption levels vary from no encryption to very comprehensive levels of encryption. In most cases, the tools differ based on a simple question - who has the key?


Scenario #1: No encryption

Many times, people leave their cars unlocked with essential belongings inside. If an unauthorized individual gets access to the vehicle, they can easily steal the belongings and the car.  

This scenario is like having no encryption on sensitive data. Several major organizations have had their data stolen and misused, events that simple lock-and-key style encryption would have prevented. This option is not recommended when privacy and confidentiality are important.

Why is data at rest not encrypted? Due to a lack of awareness, tools, resources, or the cost of implementation, most sensitive data to date remains unencrypted and, therefore, vulnerable. In 2019, only 9.4% of cloud providers encrypted data stored at rest in the cloud. (ref: McAfee research)

Refer to the chart below of breaches that could have been prevented had the companies used simple encryption methods. 

[Table A: breaches that could have been prevented by encryption (image not reproduced)]

Scenario #2: Data Encrypted by Cloud Provider

It is common to share sensitive documents and information with professional service providers such as accountants, lawyers, brokers, and others. In our daily life, there is also the practice of sharing valuable physical belongings, such as cars with a Valet. There is a certain level of trust in those service providers, and the expectation is that those providers will keep your information or belongings secure and confidential without misuse.

In summary, the provider offers services and security, making it convenient for the customer to use those services with some level of shared access.

In a similar type of scenario, cloud providers provide services where, with a click of a single checkbox, customers can choose to secure their shared sensitive data in the possession of a cloud provider. The provider would encrypt the data on the customer’s behalf and keep it safe. In this case, the cloud provider creates, manages, rotates, and secures the encryption keys per security best practices.

Customer’s Role-Based Access Control (RBAC) ensures that encryption and decryption are allowed only to the roles configured by the customer.

Although this type of security is often better than not encrypting the information at all, it has its limitations.

Limitation: The customer has outsourced the service and sensitive information with full trust in a third party.

Scenario3.jpg

Scenario #3: Vendor encrypted data

People have been using banks for ages to store valuables such as jewelry. Actual items in the lockbox are unknown to bank employees. In this case, the bank provides only security and not a service.

Similar scenarios occur when customers decide to encrypt data themselves before storing it in cloud infrastructure. One of the most common examples is a customer storing data for the long term that does not need to be actively accessed. In this case, the cloud provider has no access to secrets such as passwords or lock keys for the stored information.

Limitation: The downside is that customers have to manage encryption and decryption themselves and keep secrets such as passwords out of anyone else's hands. These contents cannot be actively used or serviced by the bank or by the customer while in the bank’s possession. Key rotation is also hard to manage.

Scenario4.png

Scenario #4: Cloud provider offers key management as a service (KMS)

While staying at a hotel, people often leave their room key at the front desk when going out for dinner and take it back when they return. Every time the customer takes the key from the front desk, an access record is made in the ledger, indicating that the customer has potentially entered the hotel room. This key management makes room access somewhat more auditable; at the same time, the customer has no risk of losing the key. The partial access allows hotel staff to service the room while the customer is away.

A similar type of Key Management System (KMS) is commonly used where active data access and management is required. When simple cloud-provided encryption is not sufficient for the customer's operation, customers can create, manage, and safely store their encryption keys with the cloud provider. Key rotation and access audits can also be easily automated by the provider, and customers can monitor information access patterns with the tools provided.

This solution strikes a balance between customer-encrypted and provider-encrypted data. The customer does not have to share keys with various individuals in the organization, which eliminates the risk of losing keys while still allowing active application-level access to the underlying data through real-time encryption and decryption API calls. KMS meets corporate audit requirements to a very high degree and is one of the most widely used encryption methods.

Limitation: Although there is an automatic ledger entry of access, KMS, by design, has the customer’s keys all the time. In theory, cloud providers can potentially deny access to the customer’s data, in which case customers can lose access to the data they own.

Scenario5.png

Scenario #5: Customer holds encryption keys (CMK)

There is an underlying fear that personal or confidential information will get into the wrong hands if a device such as a mobile phone or laptop is lost or stolen. In such cases, features such as “remote content wipe” come in handy. When a customer decides to use third-party SaaS providers to manage their data in some capacity, they want those vendors to ensure that only the customer's own user base can access (encrypt and decrypt) the data. Also, if there is a breach of trust or the relationship between the customer and the third party ends, the customer can remotely revoke the third party's access.

In the most sophisticated setups, large organizations can implement CMK (Customer Managed Keys). In this solution, keys are stored in Hardware Security Module (HSM) devices in the customer's own infrastructure.

The customer encrypts data stored with the provider using keys held by the CMK-KMS mechanism in the HSM. CMK still uses the rest of the KMS features, such as key rotation, auditing, monitoring, and access control.

In summary, CMK is an extension of KMS by which customers keep full control of data ownership.

Limitation: Although it is the most secure of all the above solutions, CMK has a considerable cost.
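The column-level encryption described under Securing Databases and the key-custody scenarios 2 to 5 are two views of one mechanism, envelope encryption: a data key encrypts the sensitive column, a master key held by whoever owns it wraps the data key, and every use of the master key is logged. The following added example (not the article's code and not AWS KMS) models this in Python: a KeyService stand-in whose master key is either generated by the provider (scenarios 2 and 4) or brought by the customer from an HSM (scenario 5, CMK), an access ledger like the hotel front desk, remote revocation of a third party, and a SQLite table whose SSN column is the only encrypted field. The cipher is an HMAC-SHA256 counter-mode construction chosen so the code runs on the standard library alone; a production system would use AES-GCM or the cloud SDK's encryption client. All keys, principals and the customer record are constructed for the example.

```python
"""Envelope encryption with an audited key service, applied to column-level
encryption of one database column.  Added example, not AWS KMS or any product's
API: the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for
AES-GCM so the code runs offline; a real deployment uses a vetted AEAD.  All
keys, principals and records are constructed for the demonstration."""
import hashlib
import hmac
import secrets
import sqlite3

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: block i = HMAC(enc_key, nonce || i)."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def toy_aead_encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag.  `aad` binds the
    ciphertext to its context (the row's name, or the key-wrapping purpose)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def toy_aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or context was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyService:
    """Stand-in for a KMS.  Whoever supplies `master_key` holds the keys: None
    means the service generates it (provider-managed, scenarios 2 and 4); bytes
    means the customer brings it from its own HSM (CMK, scenario 5).  Every
    request is appended to `ledger`, like the hotel front-desk log."""
    def __init__(self, master_key=None):
        self.custody = "provider" if master_key is None else "customer"
        self._master_key = master_key if master_key is not None else secrets.token_bytes(32)
        self.ledger, self._revoked = [], set()

    def generate_data_key(self, principal):
        """Return (plaintext data key, wrapped data key): use the plaintext key
        once, store only the wrapped copy next to the ciphertext."""
        self._authorize(principal, "GenerateDataKey")
        dk = secrets.token_bytes(32)
        return dk, toy_aead_encrypt(self._master_key, dk, aad=b"data-key")

    def unwrap(self, principal, wrapped):
        self._authorize(principal, "Decrypt")
        return toy_aead_decrypt(self._master_key, wrapped, aad=b"data-key")

    def revoke(self, principal):
        """Scenario 5: the key owner cuts off a third party without touching the data."""
        self._revoked.add(principal)

    def _authorize(self, principal, action):
        allowed = principal not in self._revoked
        self.ledger.append((principal, action, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{principal} is revoked")

def store_customer(conn, kms, principal, name, ssn):
    """Column-level encryption: only the SSN column is encrypted, under a per-row
    data key whose wrapped form is stored beside the ciphertext (the envelope)."""
    dk, wrapped = kms.generate_data_key(principal)
    conn.execute("INSERT INTO customers (name, ssn_enc, wrapped_dk) VALUES (?, ?, ?)",
                 (name, toy_aead_encrypt(dk, ssn.encode(), aad=name.encode()), wrapped))

def read_ssn(conn, kms, principal, name):
    ssn_enc, wrapped = conn.execute(
        "SELECT ssn_enc, wrapped_dk FROM customers WHERE name = ?", (name,)).fetchone()
    return toy_aead_decrypt(kms.unwrap(principal, wrapped), ssn_enc, aad=name.encode()).decode()

def demo(master_key=None):
    """Returns (recovered SSN, SSN visible in raw column?, denied after revoke?, ledger)."""
    kms = KeyService(master_key)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, ssn_enc BLOB, wrapped_dk BLOB)")
    store_customer(conn, kms, "saas-vendor", "Alice Example", "123-45-6789")  # constructed row
    raw = conn.execute("SELECT ssn_enc FROM customers").fetchone()[0]
    leaked = b"123-45-6789" in raw  # what a stolen DB dump or disk image would show
    recovered = read_ssn(conn, kms, "saas-vendor", "Alice Example")
    kms.revoke("saas-vendor")
    try:
        read_ssn(conn, kms, "saas-vendor", "Alice Example")
        denied = False
    except PermissionError:
        denied = True
    return recovered, leaked, denied, kms.ledger

if __name__ == "__main__":
    ssn, leaked, denied, ledger = demo(master_key=secrets.token_bytes(32))  # CMK flavour
    print(f"recovered={ssn} visible_in_raw_column={leaked} denied_after_revoke={denied}")
    for entry in ledger:
        print("ledger:", entry)
```

Running demo() shows that the raw column does not contain the SSN (what a stolen backup or disk image would reveal, which is scenario 1's failure mode), that the authorized principal recovers it through the key service, and that after revoke() the same principal is denied, with the denial recorded in the ledger. Passing a customer-supplied master key switches the custody label to "customer" without changing the data path, which is exactly the point of CMK: the mechanics are those of KMS, only the key owner differs.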

Richa Khanolkar

While in college, I interned as a junior and network admin for DbCom, a company with over 25 years of experience in FinTech and RegTech. Working on day-to-day infrastructure and network security management tasks allowed me to learn and grow. With a deep and rich understanding of cloud-based security, I now help companies become more aware, strategize, and implement best-practice solutions utilizing a data-centric security approach to help sustain their ecosystem.

Richa is a System Admin at DbCom specializing in Cloud Automation Services and a Certified AWS Engineer.

To reach Richa, send an email or connect with her via LinkedIn.

Email: richa.khanolkar@dbcomsys.com

LinkedIn: https://www.linkedin.com/in/richa-khanolkar-b33803143/
