Encryption Isn’t Enough to Protect Applications in the Cloud
Moving an application from a corporate data center to the cloud doesn’t fundamentally change the security risks it faces. What changes is the potential exposure to those risks, the potential safeguards against those risks, and how the business can monitor the application and control for those risks.
For many, encryption is the main approach taken to protect applications in the cloud. Compliance regulations may even make encryption mandatory, at least for data at risk. But encryption on data at rest doesn’t protect data in motion, or data in use. And encryption has its own limitations.
The Limitations of Encryption
Encrypting data at rest requires someone to encrypt the data before it goes to storage. While it’s easy to use encryption offered by the cloud provider, in those cases the cloud provider controls the keys. That means the data is vulnerable to being accessed without your knowledge, either authorized by a secret “backdoor” government subpoena or by a malicious employee of the cloud provider. When companies control their own keys, security may be increased, but the company needs to implement a process to securely manage those keys.
Encrypting data in motion—in transit between the corporate site and the cloud—is theoretically straightforward, through the use of secure connections. That works when data is transported over the wire. But sometimes, getting data to the cloud provider means loading it onto a device and physically shipping that device to the cloud provider. Building encryption and decryption into that process can add to the complexity of the data migration process.
Encrypting data in use, meaning data loaded into the computer’s memory, was never a concern when the computer loading the data belonged to the company. The servers at a cloud provider are shared, however, and data in memory is at least hypothetically vulnerable to exposure due to bugs in the hypervisors. While there are methods to encrypt data in use, they aren’t industry standard or widely available yet.
Additional Controls Add Additional Protection
Encryption just means that unauthorized users can’t read the data. Its limitations mean that additional controls are needed to fully protect data. Additional security controls include:
- Manage user accounts properly: Limit the number of individuals granted administrative rights to company clouds. Use identity and access management to ensure that users and roles are granted only the privileges they require. For additional security, use contextual information, such as the user’s device and location, to grant access.
- Audit application usage: The logs kept by cloud providers often don’t provide the fine-grained access records and audit trail needed to reconstruct the sequence of events that led to an incident. Use third-party tools to ensure you have the information you need to detect and alert on unusual access.
- Use data loss prevention (DLP) software: Some data simply shouldn’t be in the cloud. Use DLP to make sure this data remains in your corporate data center.
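The first two controls above, least-privilege administration and fine-grained audit logging with alerting on unusual access, can be illustrated with a small detection routine. The following is an added example written for this page, not code from Prescient Solutions or from any cloud provider: the log lines are constructed, and the field names (user, role, action, location, device_managed), the set of privileged roles, and the list of privilege-changing actions are assumptions rather than any provider's real schema. It builds a per-user location baseline from an initial window of events, then flags later privileged actions that come from an unseen location or an unmanaged device, plus any role-assignment or key-deletion event.

```python
import json
from collections import defaultdict

# Constructed sample audit log in JSON-lines form. The field names are an
# assumption for this example, not a real cloud provider's log schema.
SAMPLE_LOG = """
{"time": "2024-03-01T08:02:11Z", "user": "alice", "role": "Reader", "action": "blob/read", "location": "US", "device_managed": true}
{"time": "2024-03-01T09:15:40Z", "user": "bob", "role": "Owner", "action": "vm/start", "location": "US", "device_managed": true}
{"time": "2024-03-02T10:30:05Z", "user": "alice", "role": "Reader", "action": "blob/read", "location": "US", "device_managed": false}
{"time": "2024-03-05T02:47:19Z", "user": "bob", "role": "Owner", "action": "keyvault/keys/delete", "location": "RO", "device_managed": false}
{"time": "2024-03-05T02:49:03Z", "user": "bob", "role": "Owner", "action": "roleAssignments/write", "location": "RO", "device_managed": false}
{"time": "2024-03-06T11:00:00Z", "user": "carol", "role": "Contributor", "action": "vm/write", "location": "DE", "device_managed": true}
"""

# Assumed role and action names; adjust to the identity model actually in use.
PRIVILEGED_ROLES = {"Owner", "Contributor"}
PRIVILEGE_CHANGE_ACTIONS = {"roleAssignments/write", "keyvault/keys/delete"}
# Events before this timestamp are treated as the learning window for baselines.
BASELINE_CUTOFF = "2024-03-04T00:00:00Z"


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def privileged_users(events):
    """Users who have exercised a privileged role; a short list is the goal."""
    return {e["user"] for e in events if e["role"] in PRIVILEGED_ROLES}


def build_location_baseline(events, cutoff):
    """Map each user to the set of locations seen during the learning window.
    ISO-8601 UTC timestamps compare correctly as plain strings."""
    baseline = defaultdict(set)
    for e in events:
        if e["time"] < cutoff:
            baseline[e["user"]].add(e["location"])
    return baseline


def detect_unusual_access(events, baseline, cutoff):
    """Return alerts for events after the cutoff that break a contextual rule."""
    alerts = []
    for e in events:
        if e["time"] < cutoff:
            continue
        reasons = []
        privileged = e["role"] in PRIVILEGED_ROLES
        # A user with no baseline at all is treated as a new location too.
        if privileged and e["location"] not in baseline.get(e["user"], set()):
            reasons.append("privileged action from location not in baseline")
        if privileged and not e["device_managed"]:
            reasons.append("privileged action from unmanaged device")
        if e["action"] in PRIVILEGE_CHANGE_ACTIONS:
            reasons.append("privilege or key change")
        if reasons:
            alerts.append({"time": e["time"], "user": e["user"],
                           "action": e["action"], "reasons": reasons})
    return alerts


def run(text=SAMPLE_LOG, cutoff=BASELINE_CUTOFF):
    """Parse, baseline, and detect in one call; returns the alert list."""
    events = parse_log(text)
    baseline = build_location_baseline(events, cutoff)
    return detect_unusual_access(events, baseline, cutoff)


if __name__ == "__main__":
    for alert in run():
        print(alert["time"], alert["user"], alert["action"], "; ".join(alert["reasons"]))
```

On the constructed sample, the two night-time Owner actions from an unseen country on an unmanaged device each trigger three reasons, and the first Contributor action by a user with no baseline triggers one; the earlier Reader events only feed the baseline. In practice the baseline window would be longer and the rules would be tuned per role, but the shape is the same: correlate identity, action, and device/location context rather than relying on the provider's coarse activity log alone.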
Are you properly protecting your data in the cloud? With experts in cybersecurity and experts in Microsoft Azure on our team, Prescient Solutions can help you make effective use of encryption and other security tools to keep your data safe wherever it resides. Contact us to arrange an assessment of your risks and to discuss your new cloud security strategy.