Cloud Storage Security and Data Encryption
In 2016, 68 million Dropbox user accounts were compromised. The attacker took advantage of a poorly kept employee password to gain access to emails and passwords from exposed accounts that were created in 2012 and earlier. The data was available on the dark web for sale until it was picked up by several tech and security publications.
While cloud storage is convenient and gives access to data anywhere, anytime, regardless of the device you’re on, cloud storage security is a matter of grave concern to organizations.
Storing data in the cloud means your confidential files and sensitive data are exposed to new forms of risks. Data stored on the cloud is outside of the limits of many safeguards used to protect sensitive data in your organization’s data center.
Therefore, when it comes to cloud storage, organizations have to take additional measures to secure cloud storage beyond the basic security measures offered by cloud storage providers like Dropbox, Amazon, Microsoft, and Google.
Cloud storage security is a shared responsibility
Cloud storage providers and organizations share responsibility for cloud storage security. Cloud storage providers protect your data from intrusions and data thefts. Organizations are supposed to supplement those features with added security measures to strengthen cloud data protection and restrict access to sensitive information in the cloud.
Cloud storage providers can do little to protect your sensitive data against unauthorized access if your employees are reckless. You must educate employees in your organization about the potential risks they may unwittingly expose your organization’s data to.
Cloud storage providers offer data protection solutions to organizations. These solutions grant complete visibility and policy-based control over how data can be moved to and from the cloud. The practice ensures only authorized data leaves your organization and only upon approval from a conducting party.
At the end of the day, it is up to the organizations whether they want to impose these firmer shields around important data on top of what the cloud storage providers offer already. Nonetheless, another layer of defense can save your data if the provider experiences a security breach.
Choosing a cloud storage security solution
When choosing a cloud storage security solution, an organization should ensure that it provides continuous monitoring of, and visibility into, all forms of data interaction with the cloud storage. It should provide granular control over file movements, filtered by user agent and operating system events.
Leading cloud storage providers also extend data protection measures to the stored data through encryption. Encrypted data is cryptographically locked to a private key and cannot be decrypted unless the private key is made available.
Importance of data encryption
Cloud storage providers ensure not only integrity and availability of data but also its confidentiality. That is, even in the case of a breach when the attacker has gained access to your credentials, your data would still be encrypted and thus incomprehensible to an attacker, whether the attacker wishes to gain access to your data by logging in with one of those credentials or wants to sell it on the dark web.
Data encryption protects the privacy of your data by rendering it incomprehensible to anyone lacking access to the “key” to unlock the data. Encrypted data looks like a long stream of random characters.
Encryption is critical to the privacy of your data but it isn’t a solution to all your security problems. The best security practices take a multi-layer approach. The data must be secured end to end. Data encryption is key to user authentication, data integrity, digital signatures, and non-repudiation.
The data must be encrypted in transit and at rest. Data encryption in transit is the basis for secure communication between two parties. Data encryption at rest is all about maintaining the confidentiality of the stored data.
Security is no longer a luxury but a necessity, and it is no longer a concern only for your Chief Information Security Officer (CISO). Today, data security is the responsibility of every IT professional. Let’s see how data encryption works with cloud storage providers.
Data Encryption in the Cloud
When you move data from your data centers to cloud storage repositories such as Amazon S3, Google Cloud Storage, and Azure Blob Storage, it is imperative to understand that the providers are only accountable for securing their cloud storage infrastructure from intrusion and data theft. Major cloud storage vendors employ enterprise-grade security and thus are virtually impregnable.
A person disguised as an employee may still gain access to your data, decrypt it, and push it to their own server without the vendor raising any flag. To counter this, cloud storage vendors provide tools to restrict access and monitor data going out of your storage account. Your organization is responsible for making the most of these tools to secure permissions on your data at a granular level.
For this article, we will restrict the scope to only data-at-rest encryption. Cloud service providers employ TLS for encrypting data in transit. TLS is an open protocol and thus doesn’t vary much from vendor to vendor.
When it comes to data at rest, each cloud storage provider brings its own cryptographic approach, including encryption techniques, private key management, and ciphers. All in all, there are two sides to encryption: server-side and client-side.
Server-Side vs. Client-Side Encryption
With server-side encryption, data isn’t encrypted until transferred to the recipient, in this case, the object storage service. Fortunately, all major cloud storage providers offer server-side encryption with some differences in implementation details, especially with regard to the storage of private keys.
With client-side encryption, data is encrypted at the sender’s end, prior to being transferred to the recipient, in this case also the object storage service. Again, all major cloud storage providers allow for client-side encryption with some degree of variation.
Pros and cons of Data Encryption in the Cloud
Data encryption is vital in today’s world, which is experiencing increasing incidents of theft and cybercrime. Data encryption is also crucial from the confidentiality standpoint. If you don’t want your personal information to be available to anyone outside your organization, then the optimal way would be to protect your data with end-to-end encryption to and from your organization.
Moreover, high-risk data like medical and financial records must be encrypted all the time, accessible to only authorized people in your organization, and must be monitored closely whenever sent outside your organization.
Pros of data encryption
Improved Data Security
The data is at higher risk while it is being moved from one place to another. That is when encryption is needed most. Encryption works either at the transport level or at rest, thus decreasing the risk of a man-in-the-middle attack.
Confidentiality is the chief reason data encryption is used to protect people’s private and sensitive information. At the same time, it provides privacy and lowers the chances of fraud.
Data encryption guards your valuable data resources against falling into the hands of a cybercriminal. While encrypted data is not totally resistant to cyber fraud and attacks, the data owners can identify any malicious occurrences affecting their data at any time, which gives them better odds of taking prompt action.
Encryption is one of the most secure techniques for storing and moving data, and it conforms to the requirements imposed on your organization, such as FIPS, FISMA, HIPAA, or PCI DSS.
Cons of data encryption
While cloud security and data encryption have been confirmed as the most efficient way to protect your valued information, they have their share of limitations.
Cumbersome Data Recovery
Data encryption is a powerful way to guard your sensitive data. But occasionally it becomes harder to recover your data because of the tools that control access to it.
One chief obstacle to data encryption is that it only provides partial security to data that is already in transit.
Data transfer charges
Data encryption can become an expensive matter because it needs highly sophisticated systems to preserve the encrypted data. The systems must also be scalable enough to upgrade, which adds to the costs involved.
So these were some crucial pros and cons of data encryption. Whether you want to secure your business data with cloud encryption is solely up to your discretion. Notwithstanding all the limitations, data encryption in cloud storage is indeed a requirement.
Data Encryption and public cloud vendors
All major players in cloud storage, Amazon AWS S3, Microsoft Azure Blob Storage, and Google Cloud Storage, employ a common set of symmetric and asymmetric encryption techniques to secure the data and the key, and provide both server-side and client-side encryption. When it comes to the common symmetric and asymmetric encryption techniques in modern public cloud storage solutions, AES-256 and RSA respectively are pretty much the standards.
Below is a side-by-side comparison of encryption-at-rest across the three providers’ object storage services. As you may expect, the robustness of the service and the diversity of options are strongly correlated with the age of the cloud provider.
Is cloud storage for me? What are my options?
If you run a data-centric business with various locations and employees, then anywhere, anytime accessibility matters to you more than anything. In that scenario, storing data in your organization’s local storage is not an option and you have to choose a reliable cloud storage solution.
Fortunately, all cloud vendors offer decent options with top-of-the-line security measures built in. They employ industry-standard encryption techniques to secure your data both on the client side and on the server side.
When it comes to data security in cloud storage solutions, breaches and data thefts are often the fault of administrators managing your organization’s storage accounts or a clueless employee who doesn’t know whom he is sending the decrypted data to.
With strong permission management, monitoring support, and access control, you can avert those risks by limiting access to sensitive pieces of information in your cloud storage.
Amazon, with its S3 storage buckets, makes access control much easier through AWS Identity and Access Management (IAM). With AWS IAM, your admin can independently manage user permissions and grant your employees granular permissions on your Amazon S3 bucket and the folders and files in it.
Microsoft Azure IAM and Google Cloud IAM extend the same functionality to Azure Blob Storage and Google Cloud Storage, respectively.
Having been in the game for a longer time, Amazon’s AWS S3 and IAM tend to be more sophisticated in terms of the tweaks available, giving you unparalleled ways to customize the settings to best fit your organization’s security policy.
Microsoft’s Azure Blob Storage is also a wise choice if you’re already subscribed to other Microsoft Enterprise services like Microsoft 365 Enterprise. The level of integration Microsoft offers is still unmatched by other cloud storage solutions in the market. Google Cloud Storage is also a viable contender if you are a medium or small-sized enterprise.