Encryption Solutions in Cloud


As more and more firms move sensitive data into cloud infrastructure, questions arise about the right type of encryption solution. Some firms are looking for encryption solutions from a compliance standpoint, while others want a general security control to protect sensitive data.

Like any other technology, no single solution fits all scenarios. A solution that works well in an IaaS (Infrastructure as a Service) cloud may not work well in a SaaS (Software as a Service) cloud environment. Similarly, there are many considerations related to the transparency of a solution and its ease of management. There are also issues related to who owns, manages, and has access to the encryption keys. This post provides a high-level overview of encryption options and the categories of solutions available in different scenarios. I will dig deeper into specific options in a follow-up blog post.

Options for Encrypting Data

There are multiple options for encrypting data in the cloud. Each option mitigates risk in specific use cases and implements some trade-offs. At a high level, these options are as follows:

  1. Full disk encryption is available to customers with full access to the operating system.
  2. Filesystem encryption is achieved either with native operating system features or by installing an agent that enforces an encryption policy. These solutions also provide granular access controls for different file types.
  3. Database encryption (table or field level) can be achieved in many ways in the cloud. Solutions are available from major database vendors as well as third parties. Encryption gateways (described next) can also be used for database encryption. Third-party solutions work by intercepting JDBC/ODBC or other types of database calls, or by implementing stored procedures.
  4. Encryption gateway based solutions are available from multiple vendors for cloud environments. An encryption gateway is placed between the cloud environment and the private network/data center to encrypt and decrypt data in real time.
  5. Hypervisor-based encryption solutions enable IaaS customers to run another virtualization layer that implements encryption at the hypervisor level. From a functionality perspective, this is similar to full disk encryption.
  6. Data backup - Organizations using cloud services for data backup can use encrypted backup solutions. These are available in the form of backup software as well as encryption gateways.

Management of Encryption Keys

Encryption key management includes the generation, storage, and use of encryption keys and, ultimately, their destruction when they are no longer needed. Many cloud customers are wary of the cloud provider having access to encryption keys. Key management also becomes crucial in hybrid cloud scenarios where applications access data in the private and public cloud using the same encryption keys.

Transparency

Encryption is a complicated business. For encryption to be effective and easy to use, it has to be transparent to end users and, if possible, to the applications. Adoption of an encryption solution becomes challenging if it requires modifications to applications or relies on end-user training. All the solution categories listed above can be implemented in a transparent fashion in the cloud. However, the implementers must understand the solution and be able to manage the encryption keys.

Encryption Solution Selection

Depending upon the cloud service model (IaaS, PaaS, SaaS), customers can select a specific type of encryption solution as described below.

  • IaaS Cloud – IaaS provides the most flexibility in selecting an encryption solution. Full disk encryption, filesystem-level encryption (agent-based and agentless), hypervisor-based encryption, and database encryption solutions can be used depending upon the specific situation.
  • PaaS Cloud – Native database encryption as well as row/column level encryption solutions may be appropriate.
  • SaaS Cloud – Encryption gateway solutions are more appropriate in a SaaS cloud. In a SaaS cloud, customers don’t have access to the underlying infrastructure, so they cannot easily implement any other type of encryption. Typical scenarios where gateway solutions are very useful are encrypting data held by SaaS providers such as Salesforce CRM, online storage, and online applications such as Microsoft Office 365 and Gmail.
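The gateway model for SaaS described above, together with the key lifecycle from the key-management section, as an added example that is not code from the original post or from any vendor product: a hypothetical field-level gateway in Go that encrypts individual values with a key the customer keeps on its own side, so the SaaS provider only ever stores ciphertext, plus a re-encryption step for key rotation. The Gateway type, the function names and every key and value are assumptions constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Gateway (hypothetical) holds the customer-owned key; the SaaS side sees only ciphertext.
type Gateway struct{ aead cipher.AEAD }

// NewGateway wraps a key kept on the customer's side (e.g. an on-premises HSM).
func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Gateway{aead: aead}, err
}

// EncryptField (outbound): fresh nonce per value; the field name is bound as
// associated data so a ciphertext cannot be swapped between columns unnoticed.
func (g *Gateway) EncryptField(field, plaintext string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField (inbound) fails on tampering, a wrong key, or a mismatched field name.
func (g *Gateway) DecryptField(field, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if ns := g.aead.NonceSize(); err == nil && len(ct) >= ns {
		pt, err := g.aead.Open(nil, ct[:ns], ct[ns:], []byte(field))
		return string(pt), err
	}
	return "", fmt.Errorf("malformed ciphertext for field %q: %v", field, err)
}

// ReEncrypt moves stored ciphertext from a retiring key to this gateway's key: the
// step a rotation job runs over stored data before the old key is destroyed.
func (g *Gateway) ReEncrypt(old *Gateway, field, encoded string) (string, error) {
	pt, err := old.DecryptField(field, encoded)
	if err != nil {
		return "", err
	}
	return g.EncryptField(field, pt)
}
```

Because the nonce and field binding live inside the ciphertext, the SaaS provider can store and return the value without any knowledge of the key, which is the property the gateway model depends on.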

Encryption as a Service (EaaS)

Some vendors provide encryption solutions as a service, just like other cloud technologies. These services are useful for small to medium-sized organizations where it is difficult to hire a full-time encryption expert to manage a cloud encryption solution.

I will explore some of these solutions in detail in follow-up posts on this blog.
