Be in Full Control of Your Cloud Data Encryption with Bring Your Own Encryption (BYOE)

One of the biggest advantages and disadvantages of the cloud is the Shared Responsibility Model for managing cloud security.  Put simply, it spells out the security responsibilities of both the cloud provider and the cloud customer – security of the cloud vs. security in the cloud. The upside is that cloud providers ensure that their physical infrastructure – which includes software, hardware, networking, and facilities – is secure, so the customer doesn’t have to. The downside is the customer still has a significant amount of responsibility to ensure their application infrastructure, networks, and data are secured within the cloud.

To aid customers, cloud providers provide a multitude of security tools and controls to help customers improve their security in the cloud. However, most of these controls have major flaw… they are built upon a central implicit model, which is the notion that system operators (Cloud Admin, DB Admin, Sys Admin, etc.) have full privilege to access and manage the information being processed in order to perform their work. This poses a major problem for customers, especially when considering the risk of a supply-chain attack (the cloud provider is compromised), insider threats (authorized, privileged users abuse their access), and if the customer’s environment is compromised and admin credentials are stolen and misused.

Cloud data encryption controls are a classic example.  All the major cloud services providers offer native at-rest data encryption solutions to help protect their customers’ data against breach.  These services generate the encryption keys, encrypt data, and securely store the keys for the customer.

Why You Can’t Rely on Generic At-Rest Encryption Controls

While native, cloud provider encryption controls may be convenient, they’re all built around the same flawed, central implicit trust model. Once an adversary gets a hold of the appropriate admin credentials, they have unfettered access to your systems and data.

Under this model, the operator of a system or owner of a user account has full access to all data stored on that system or in that account.  This is the model used by full-disk encryption (FDE), transparent disk encryption (TDE), and the majority of modern database and data warehouse solutions as well, which use a single key to encrypt all data on the system.  Once a user authenticates to the system, the key is unlocked, and all data is accessible to them.

In the cloud, the use of generic encryption controls provided by a cloud or Software as a Service (SaaS) provider restrict access to the company’s data to legitimate users and the cloud or SaaS provider.  This model creates several security risks for an organization, including:

• Supply Chain Attacks: With generic cloud data encryption solutions, encryption keys are accessible to the cloud provider.  This creates security risks if the cloud provider’s environment and the systems storing these keys are compromised.
• Compromised Credentials: With an implicit trust security model, administrators have full access to encrypted data.  If the credentials for these accounts are compromised in a breach or other cyberattack, then an attacker can access and decrypt all of an organization’s encrypted data.
• Insider Threat: Insiders within the cloud provider or customer’s organization may have access to the encryption keys used to protect all data in the cloud.  This may allow an insider to gain unauthorized access to data and potentially leak or misuse that data.

Data encryption is an essential component of a cloud security and breach prevention strategy.  However, while generic at-rest encryption solutions are better than nothing, they provide little or no protection against the biggest threats to corporate data security.

Mitigating the Risks of Poor Data Encryption in the Cloud

The generic data encryption solutions offered by cloud services providers do not meet the needs of many organization’s data security policies and regulatory requirements.  Achieving the necessary level of protection requires a bring your own encryption (BYOE) approach.

One approach to more effectively protect your data in the cloud, while enabling you full control of your encryption, is application-layer encryption (ALE), in which data is encrypted at the application level before ever leaving the application and ultimately reaching storage.

This also enables each application to encrypt and decrypt its own data with its own keys, an organization can take advantage of multiple benefits compared to centralized at-rest encryption models, including:

• Granular Access Control: With ALE, applications manage access to their own data.  This reduces the risk and impact of data exposure due to a compromised application or credentials.
• Entity Level Encryption: ALE provides you the ability to use unique encryption keys for specific teams, users, or data sets.
• Immediate Data Encryption: ALE encrypts sensitive data within the application itself.  This ensures that data is protected before being stored or transmitted.
• Full Control Over Encryption Keys: ALE provides applications with control over their own encryption keys.  This eliminates the risk that parties entrusted with keys will abuse or accidentally expose them.
• Defense in Depth: The use of ALE enables an organization to implement defense in depth when protecting their data.  Unlike generic at-rest encryption methods, access to a computer system does not provide access to all of the data that it contains as well.
• Regulatory Compliance: Data protection regulations may require an organization to use a certain level of encryption and manage its own keys. ALE makes this possible even if a cloud provider’s solution does not.

In addition to these benefits, application-layer encryption addresses several prominent threats that companies face, including:

• Supply Chain Attacks: With ALE, the cloud provider no longer has access to the encryption keys used to protect data stored in the cloud.  This eliminates the threat of data exposure if the cloud provider systems are compromised.
• Insider Threats: With ALE, access to data is managed at the application layer, not the user account or infrastructure layer. This limits insiders’ ability to gain unauthorized access to corporate data.
• Multifaceted Ransomware Extortion: Ransomware attacks increasingly incorporate the theft and potential leakage of sensitive data.  Data encrypted at the application layer is much better protected in the event of a breach or compromised credentials.
• Advanced Persistent Threats (APTs): APTs commonly exploit compromised credentials or unpatched vulnerabilities to gain access to cloud-based environments and search for valuable data.  Application-layer encryption limits the data that an attacker would be able to access in this way.

Securing Data in the Cloud

Cloud adoption is growing rapidly, and cloud security is a major concern to many organizations.  Data stored unprotected or inappropriately protected in cloud environments puts organizations at risk of a data breach.

Data encryption is a powerful tool for data security but only if implemented and used correctly.  Bring your own encryption – implemented using application-layer encryption – allows an organization to take control of its own data security in the cloud and eliminate the risks associated with the generic at-rest data encryption solutions offered by cloud providers.

To find out more about how Ubiq can help with your Bring Your Own Encryption needs, visit https://www.ubiqsecurity.com/use-cases/bring-your-own-encryption-keys/