Boiled down to four short tips, the very complex issues of cloud security come to:
- encryption at rest
- encryption in transit
- controls over access
- ownership over security keys, credentials, and certificates
The best way to accomplish all four must-haves is to abstract the network layer of the cloud. By separating the network layer and above – which includes the applications running in the cloud – cloud users can regain full control over network access and security ownership.
Encryption at rest and the mechanics of encryption
Cloud providers do a good job of offering encryption for data at rest in most service offerings. For example, Amazon offers encryption for AWS S3 storage, and Azure offers encryption on SQL databases.
From Amazon’s Protecting Data Using Encryption page:
Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption. You have the following options for protecting data at rest in Amazon S3.
- Protecting Data Using Server-Side Encryption
- Protecting Data Using Client-Side Encryption
At the end of 2016, Azure announced Storage Service Encryption (SSE) for data at rest, using 256-bit AES, for all storage services. Similar to Amazon, Azure support docs state that “data can be secured in transit between an application and Azure by using Client-Side Encryption, HTTPS, or SMB 3.0”.
At-rest data storage services offer two options for security keys and credentials: cloud-managed encryption keys or customer-managed encryption keys. In AWS, Amazon offers to store encryption keys for you, either in the application or with the AWS Key Management Service (KMS). Both options use strong AES 256-bit encryption and key rotation. Amazon KMS adds another layer on top of your data encryption key, the envelope key that wraps it, together with auditable access logs. At the time of writing, Azure is still working on allowing customers to bring their own (BYO) encryption keys.
The no-brainer, but more complex, solution is to manage your security separately from the cloud provider.
A very important question to ask is ‘who has control over the encryption keys?’ An entity that has access to your keys could, theoretically, have access to the data. There is a high level of trust in cloud providers, but some enterprises and industries just cannot take that risk. Storing keys in a shared environment likely violates best practices and IT security regulations including PCI DSS, HIPAA, GLBA and many others.
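The envelope-key mechanic described above, and the question of who holds the key, as an added Go example that is not part of this post or of any cloud provider's SDK: a customer-held 32-byte master key wraps a fresh per-object data key, Decrypt shows that only the holder of the master key can read the data, and Rotate re-wraps the data key under a new master key without re-encrypting the payload. The function names and the in-memory master keys are this example's own assumptions; in practice the master key would live in an HSM or a KMS the customer controls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func must[T any](v T, err error) T { // panics on errors that cannot occur with 32-byte keys and a working CSPRNG
	if err != nil {
		panic(err)
	}
	return v
}
func seal(key, plaintext []byte) []byte { // AES-256-GCM; the random nonce is prepended to the output
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key)))) // a 32-byte key selects AES-256
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) { // reverses seal; fails on a wrong key or any tampering
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}

// Encrypt draws a fresh data key per object and returns (wrappedKey, ciphertext); the data key is stored only wrapped under the customer's master key.
func Encrypt(masterKey, plaintext []byte) ([]byte, []byte) {
	dataKey := make([]byte, 32)
	must(rand.Read(dataKey))
	return seal(masterKey, dataKey), seal(dataKey, plaintext)
}

// Decrypt unwraps the data key with masterKey, then opens the payload: no master key, no data.
func Decrypt(masterKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := open(masterKey, wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ciphertext)
}

// Rotate re-wraps the data key under newMaster; the payload ciphertext itself is untouched.
func Rotate(oldMaster, newMaster, wrappedKey []byte) ([]byte, error) {
	dataKey, err := open(oldMaster, wrappedKey)
	if err != nil {
		return nil, err
	}
	return seal(newMaster, dataKey), nil
}
```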
Cloud’s guaranteed access controls
In cloud, the more complicated of the four points are encryption in transit and controls over access. The lines between users’ responsibilities and cloud providers’ responsibilities begin to blur in the Shared Responsibility Model. Cloud providers offer security services such as key management, IAM, and network access control lists (ACLs), but cloud users must enable and manage those security features.
When fully configured, security groups and network ACLs can envelop cloud applications with better security than self-managed data center networks. Cloud providers have made the investment to provide state-of-the-art facilities, experienced staff, and the latest equipment distributed across the globe. Clouds like AWS and Azure do a better job at security because their business relies on it and they have the immense resources to stay current on security requirements and technologies.
Encryption in transit
Cloud providers rarely mention what they don’t encrypt. In the screenshot above, I found a rare example of Amazon explicitly telling cloud users that data is not encrypted between AWS regions. In other words, data traveling from US-East-1 to EU-West-2 can travel over the public internet, unencrypted.
Application-layer security remains a universal need, and one that cloud providers largely leave unanswered. In their PCI documentation, AWS notes that “Amazon VPC inherently isolates the components within Amazon VPC from all other VPCs.” If you only operate within a single VPC, then the network isolation might be enough.
But, what if you need multi-region, or even multi-cloud network connectivity? Peered VPCs or VLANs do not have end-to-end encryption. Transitive routing isn’t possible in AWS or Azure. How can you encrypt data in transit between cloud regions? Who else can access data in flight?
Overlay networks for full network encryption and controls
A separate, abstracted network layered above the cloud provider’s control lets enterprises build secure, sealed-off networks on top of public cloud resources. Enterprises could even extend data center networks into the cloud with bridged IPsec connections between cloud regions and networks.
A separate network can add full end-to-end encryption and guarantee cloud users’ data is private and can only be accessed within the network.
Find out how VNS3 can help you add encryption in transit and full access controls in any cloud.
By: Margaret Valtierra