Security is a fundamental consideration in every IT project. There are techniques, habits and levels of encryption that reduce the risk of a successful attack to a reasonable level.

So, why are organisations so anxious about security within the Cloud?

This article aims to provide a basic guide and overview of encryption within the Cloud, exploring key concepts and how to ensure data security.

Key Concepts for Understanding Encryption in the Cloud

In its simplest form, encryption is the act of making information unreadable and therefore preventing unauthorised access to the content. It is used to ensure that data is kept secure and protected from being compromised.

Encryption can be used for data at rest (data that is persistently stored in digital forms e.g. object stores or databases), or for data in transit (data that is in motion through private or public networks).

There are some concepts that need to be understood when working with encryption:

● Decryption is the reverse process of encryption. It reads the encrypted text and converts it to readable text by making use of encryption keys

● Cryptography is the practice of securing communication of information at rest or in transit. Encryption and decryption are components of cryptography

● Cleartext is text that is readable by humans but is not involved in any encryption process

● Plaintext is normal, readable information e.g. “hello world”. This data can be easily read by humans or processed by technology. Plaintext refers to information before or after an encryption or decryption process

● Ciphertext is the text that is the result of an encryption process. It is in encrypted form and is unreadable by humans

● Encryption keys are random strings that are used to transform plaintext data into ciphertext. They are created with algorithms (ciphers) that are used to encrypt or decrypt text

Figure: how plaintext is converted into ciphertext by the encryption process, and how the reverse process of decryption transforms ciphertext back into plaintext.

Making Encryption Work

There are two main types of encryption: Symmetric and Asymmetric.

Symmetric encryption, like AES, DES, RC, and Blowfish, makes use of a single encryption key to both encrypt and decrypt information. Symmetric keys are typically used with data at rest.

The advantages of using symmetric encryption are speed and simplicity.

Figure: symmetric encryption. A single key is used to encrypt and decrypt information.

In contrast, with asymmetric keys or “public-key cryptography” (typically used with data in transit) a public key is used to encrypt information and the private key is used to decrypt. This naturally adds complexity for anyone hoping to compromise the system.

Some common examples of asymmetric encryption techniques are RSA and DSA. Key pairs can be created using tools such as ssh-keygen or PuTTYgen.

Figure: asymmetric encryption. A public key is used to encrypt information and a private key is used to decrypt it.

To add another layer of security, envelope encryption can be used to avoid storing data keys in plaintext. This is the process of encrypting the data key with a master key or key-encryption key (KEK), so that the data key itself is difficult to compromise.
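Both key types and the envelope pattern together, as an added example in Go that is not code from the original article: a random AES-256-GCM data key encrypts the data (symmetric, one key for both directions), and an RSA-OAEP public key wraps that data key (asymmetric), so only the wrapped key is stored beside the ciphertext. The KEK pair is generated locally here purely for illustration; in the arrangement the article describes it would be held by a KMS or HSM. The names Envelope, RoundTrip and TamperDetected are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what gets stored: ciphertext plus the wrapped data key.
// The data key (DEK) is never stored or returned in plaintext.
type Envelope struct {
	Nonce      []byte // AES-GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-GCM output, authentication tag included
	WrappedDEK []byte // DEK encrypted under the RSA public key-encryption key (KEK)
}

// newGCM builds an AES-GCM instance for a 16/24/32-byte symmetric key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// symmetricEncrypt: the same key is needed again to decrypt (symmetric encryption).
func symmetricEncrypt(key, plaintext []byte) ([]byte, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// EnvelopeEncrypt generates a random 256-bit DEK, encrypts the data with it,
// then wraps the DEK with the public KEK (asymmetric encryption, RSA-OAEP).
func EnvelopeEncrypt(kek *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := symmetricEncrypt(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// EnvelopeDecrypt unwraps the DEK with the private KEK, then decrypts the data.
// gcm.Open fails if the key is wrong or the ciphertext was modified.
func EnvelopeDecrypt(kek *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// setup creates a throwaway KEK pair (in practice the KEK lives in a KMS or HSM)
// and envelope-encrypts msg under it.
func setup(msg string) (*rsa.PrivateKey, *Envelope, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	env, err := EnvelopeEncrypt(&kek.PublicKey, []byte(msg))
	return kek, env, err
}

// RoundTrip envelope-encrypts msg and decrypts it again.
func RoundTrip(msg string) (string, error) {
	kek, env, err := setup(msg)
	if err != nil {
		return "", err
	}
	pt, err := EnvelopeDecrypt(kek, env)
	return string(pt), err
}

// TamperDetected flips one bit of the stored ciphertext (constructed tampering)
// and reports whether decryption rejected it, as AES-GCM's authentication tag ensures.
func TamperDetected(msg string) (bool, error) {
	kek, env, err := setup(msg)
	if err != nil {
		return false, err
	}
	env.Ciphertext[0] ^= 0x01
	_, err = EnvelopeDecrypt(kek, env)
	return err != nil, nil
}
```

The design point worth noticing is that the RSA operation only ever touches the 32-byte data key, never the bulk data: the slow asymmetric step is done once per object, the fast symmetric cipher handles the payload, and rotating the KEK means re-wrapping data keys rather than re-encrypting every stored object.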

Managing Encryption Keys

An encryption key lifecycle process should be implemented, with keys rotated regularly.

The National Institute of Standards and Technology (NIST) refers to the time that an encryption key is active as the “cryptoperiod”.

NIST has a recommended encryption key lifecycle policy that lists the states a key can exist in. It describes the purpose of each key state, along with the transitions allowed from each state during the key's lifecycle.

The stages defined are:

● Pre-Activation — the key has been created and is not being used for encryption

● Active — the key is operational and is being used for encryption to protect information

● Suspended — the key is not active and is potentially being used for an incident investigation. It can be restored to an Active, Compromised or Deactivated state

● Deactivated — the key cannot be used for encryption. It may still be required and therefore may be restored to an Active state

● Compromised — the key is deemed to have been exposed to unauthorised access and cannot be used for encryption

● Destroyed — the key has been destroyed as it is no longer required. Audit records and some metadata of the key may still exist

The Cloud Security Alliance (CSA) states that there are 4 main ways in which keys can be managed:

● Virtual application/software — an appliance or software key manager

● Cloud Provider service — KMS offered by a Cloud Provider

● HSM/appliance — a physical hardware security module which can be on-premises or in the cloud

● Hybrid — a combination of the other options such as using HSM with a software-based KMS

Key rotation can be implemented by making use of a Key Management Service (KMS) made available by Cloud Providers or by third parties. They can provide the ability to transition through the key states automatically or manually and generate new encryption keys.
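The NIST key states listed above and rotation through a KMS-style key ring, as an added example in Go that is not code from the article, NIST or any KMS. The transition table encodes what the article states (Suspended can return to Active, Compromised or Deactivated; Deactivated can return to Active); the remaining arrows, the rule that only Active keys encrypt while Active or Deactivated keys may still decrypt existing data, and the names ManagedKey and KeyRing are this example's assumptions.

```go
package main

import "fmt"

// KeyState mirrors the NIST lifecycle states listed in the article.
type KeyState string

const (
	PreActivation KeyState = "Pre-Activation"
	Active        KeyState = "Active"
	Suspended     KeyState = "Suspended"
	Deactivated   KeyState = "Deactivated"
	Compromised   KeyState = "Compromised"
	Destroyed     KeyState = "Destroyed"
)

// allowed lists the transitions permitted out of each state.
// Suspended -> Active/Compromised/Deactivated and Deactivated -> Active follow the
// article's wording; the other arrows are this example's assumptions.
var allowed = map[KeyState][]KeyState{
	PreActivation: {Active, Destroyed},
	Active:        {Suspended, Deactivated, Compromised},
	Suspended:     {Active, Compromised, Deactivated},
	Deactivated:   {Active, Compromised, Destroyed},
	Compromised:   {Destroyed},
	Destroyed:     {}, // terminal: only audit records and metadata remain
}

// ManagedKey is one key version with its current state and an append-only audit trail.
type ManagedKey struct {
	ID    string
	State KeyState
	Audit []string
}

func NewKey(id string) *ManagedKey { return &ManagedKey{ID: id, State: PreActivation} }

// Transition moves the key to a new state only if the lifecycle permits it.
func (k *ManagedKey) Transition(to KeyState) error {
	for _, s := range allowed[k.State] {
		if s == to {
			k.Audit = append(k.Audit, fmt.Sprintf("%s: %s -> %s", k.ID, k.State, to))
			k.State = to
			return nil
		}
	}
	return fmt.Errorf("key %s: transition %s -> %s not permitted", k.ID, k.State, to)
}

// CanEncrypt: only Active keys may protect new data.
func (k *ManagedKey) CanEncrypt() bool { return k.State == Active }

// CanDecrypt: Deactivated keys may still be needed to read old data (assumption:
// Suspended keys are frozen for the investigation, Compromised/Destroyed never decrypt).
func (k *ManagedKey) CanDecrypt() bool { return k.State == Active || k.State == Deactivated }

// KeyRing holds every version of one logical key, the way a KMS key alias does.
type KeyRing struct {
	Name     string
	Versions []*ManagedKey
}

// Current returns the single Active version, or nil before the first rotation.
func (r *KeyRing) Current() *ManagedKey {
	for _, k := range r.Versions {
		if k.State == Active {
			return k
		}
	}
	return nil
}

// Rotate activates a fresh version and deactivates the previous one, so data
// encrypted under the old version stays readable while new data uses the new key.
func (r *KeyRing) Rotate() (*ManagedKey, error) {
	next := NewKey(fmt.Sprintf("%s/v%d", r.Name, len(r.Versions)+1))
	if err := next.Transition(Active); err != nil {
		return nil, err
	}
	if cur := r.Current(); cur != nil {
		if err := cur.Transition(Deactivated); err != nil {
			return nil, err
		}
	}
	r.Versions = append(r.Versions, next)
	return next, nil
}

func main() {
	ring := &KeyRing{Name: "orders-db"} // constructed key name
	for i := 0; i < 2; i++ {
		if _, err := ring.Rotate(); err != nil {
			fmt.Println("rotation failed:", err)
			return
		}
	}
	for _, k := range ring.Versions {
		fmt.Printf("%-14s %-14s encrypt=%t decrypt=%t\n", k.ID, k.State, k.CanEncrypt(), k.CanDecrypt())
	}
	old := ring.Versions[0]
	fmt.Println("destroy v1:", old.Transition(Destroyed))
	fmt.Println("reactivate v1:", old.Transition(Active)) // rejected: Destroyed is terminal
}
```

The audit slice is the part a defender cares about: every state change is recorded with the key identifier and both states, which is what an incident investigation needs when a Suspended key is examined, and the table makes the policy explicit so an unexpected transition fails loudly rather than silently reactivating a key that was destroyed.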

KMS in the Cloud

Cloud KMS provides a number of features to Cloud Users who may not want to manage underlying key management hardware and infrastructure. The benefits of KMS are shown below:

● Availability — make use of the Cloud Provider platform to ensure that the key infrastructure is highly available. Key caching can be used to improve latency

● Customer keys — allow Cloud Users to create and manage their own keys, offering the flexibility to meet their own requirements

● Integration — with the Cloud Provider services to ease the use of encryption keys with any platform as a service (PaaS) resource

There can be limitations to using Cloud KMS, such as limits on key size and on the number of key requests. There may also be restrictions on exporting master keys. Some limitations can be overcome by encrypting data locally before it is transferred into the Cloud and by self-managing some aspects of the encryption key lifecycle.

A Cloud Access Security Broker (CASB) is a service that sits between the Cloud User and the Cloud Provider or cloud applications. It can offer a number of security services such as monitoring, alerting and security policy enforcement.

CASBs have encryption management services and integration with KMS or HSMs. A CASB management service is useful in multi-environment architectures, providing a single view of information.

Which Data to Encrypt

All data should be encrypted wherever possible, so that a robust layer of security protects key information. There are two main types of encryption, symmetric and asymmetric. The type of encryption used must be decided from an assessment of the information requiring protection and of how it will be used.

There are many services in the Cloud that can be used to support encryption and key management. They have benefits such as key access, lifecycle management, caching and availability. Many provide the use of Hardware Security Modules which may be a regulatory requirement.

Enabling encryption can be as simple as checking a flag in a web console. However, the encryption policy of an organisation should be formed after planning, management and requirements are gathered.

As an organisation grows, its use of multi-Cloud services tends to grow alongside it, which increases the attack surface of its architecture and the likelihood of encryption keys being compromised. If you’re absolutely serious about customers’ security in the Cloud, you have to understand the basics before you can provide any guarantees.

About the Author

Sat Gainda is a Cloud Solutions Architect at Version 1, working on enterprise-level engagements that utilise innovative Cloud systems. Stay tuned to Version 1 on Medium for more Cloud-focused posts from Sat.