
Thales Blog

Unlocking Cloud Security With Encryption

September 30, 2014

If you had to guess at the leading concerns for businesses that operate in the cloud, you’d probably rank security and compliance at the top. Anyone who’s built or managed a cloud knows how complex both can be, from meeting PCI DSS or HIPAA requirements to keeping data out of criminal hands. And as we move further into the age of the Internet of Things, with ever more mobility and app-centric workloads, it’s a safe bet our security needs will only keep growing.

If there’s one solution that works for both compliance and security, it’s encryption - the gold standard for protecting data. Most IT professionals can agree on that. Yet so many misunderstandings persist around the subject (specifically when and how to use encryption) that many IT teams aren’t getting the full protective benefits that they need.

Let’s clear up some of the encryption confusion. We’ll start with the most basic misconception: the belief that encryption is optional. Look at most compliance regimes, whether the PCI DSS 3.0 standard or HIPAA’s Security Rule, and you’ll see that encryption is vital for compliance. It is also a great insurance policy against breach notification laws. OCR has issued safe harbor guidance for encrypted PHI that allows an organization to avoid notification if encrypted PHI is compromised without the encryption key. Forty-seven states have breach notification laws (only Alabama, New Mexico and South Dakota don’t), and only two of those (Wyoming and Indiana) don’t provide a safe harbor for loss of encrypted data as long as the keys are not included in the loss. Note the condition: the safe harbor depends on the keys staying out of the attacker’s hands, so keys that sit on the same disk, in the same backup or in the same snapshot as the data they protect forfeit it. Properly encrypting your data, with the keys kept separate, amounts to a “get out of jail free” card when it comes to notification, saving your company not only the costs associated with notification but also the public embarrassment and loss of confidence that has a much larger impact.

Another big myth: encryption slows down performance. A well-architected deployment can avoid measurable performance degradation. The capabilities that make this possible include:

  • Deep file system integration
  • Strong multi-threading and queuing capabilities
  • The ability to leverage AES acceleration hardware, like Intel AES-NI capabilities

Another common mistake is adding encryption as a final touch instead of designing it in from the beginning. Retrofitting it often means going back through the entire data life cycle to identify and encrypt large amounts of existing information, including backups, snapshots and other copies that have already spread beyond the primary store.

On that note, it’s important to realize that open source or in-house encryption can be secure. All too often teams are cowed by the idea that encryption is too difficult for them. Chances are your team can encrypt data and develop solutions in-house using standard, vetted algorithms and libraries (the one thing not to build yourself is the cipher), though it may be challenging to do so without compromising performance and availability. The critical part is architecting sound key management. Think of encryption as a lock and the keys as what opens it: attackers will be hunting for those keys, so your team needs to generate, store, rotate and protect them effectively, and keep them apart from the data they protect.

One dangerous myth is that full disk encryption offers full security. FDE only protects your data while the volume is locked, which in practice means when the hardware is physically stolen or the system is powered off. A criminal who has gotten into the running system sees exactly what every other process on that system sees: plaintext. As for whether encryption protects data from privileged user access -- a question we hear quite a bit at FireHost -- that depends on where the encryption boundary sits. Some file system-level and application-layer solutions can keep data opaque to privileged users, because the keys and the access policy live outside the accounts those users control. FDE and volume-level solutions can’t: once the system has booted and the volume is unlocked, they are transparent to root and administrator alike.
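The two preceding paragraphs (key management, and application-layer encryption versus FDE) come together in envelope encryption, the pattern most application-layer and file-level products use. The following is an added example written for this page, not code from FireHost, Vormetric or the webinar. It uses only Go’s standard-library AES-GCM: each object gets its own data encryption key (DEK), the data is sealed under the DEK, and the DEK is sealed under a key encryption key (KEK). The names Envelope, Encrypt, Decrypt and RotateKEK are ours, the sample record is constructed, and the KEK is assumed to be held somewhere the data host’s root account cannot read (a KMS or HSM in practice; here it is simply generated in memory). What lands on disk, in backups and in snapshots is the envelope only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything that is stored alongside the data: the ciphertext
// and the data key wrapped under the KEK. The KEK itself never appears here,
// so a dump of the volume, a backup or a snapshot yields nothing usable.
type Envelope struct {
	Nonce      []byte // AES-GCM nonce for the data
	Ciphertext []byte // AES-GCM(DEK, plaintext)
	WrapNonce  []byte // AES-GCM nonce for the key wrap
	WrappedDEK []byte // AES-GCM(KEK, DEK)
}

// NewKey returns a fresh 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func gcmSeal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt: one fresh DEK per object, data sealed under the DEK, DEK sealed
// under the KEK. objectID goes in as associated data so an envelope cannot
// be quietly moved onto a different object.
func Encrypt(kek, plaintext []byte, objectID string) (*Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	nonce, ct, err := gcmSeal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := gcmSeal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	for i := range dek { // the plaintext DEK lives only as long as needed
		dek[i] = 0
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the data. A wrong KEK,
// a wrong objectID or a tampered envelope all fail authentication.
func Decrypt(kek []byte, env *Envelope, objectID string) ([]byte, error) {
	aad := []byte(objectID)
	dek, err := gcmOpen(kek, env.WrapNonce, env.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered envelope")
	}
	return gcmOpen(dek, env.Nonce, env.Ciphertext, aad)
}

// RotateKEK re-wraps the DEK under a new KEK. The bulk ciphertext is untouched,
// which is what keeps periodic key rotation affordable across live data,
// backups and snapshots alike.
func RotateKEK(oldKEK, newKEK []byte, env *Envelope, objectID string) error {
	aad := []byte(objectID)
	dek, err := gcmOpen(oldKEK, env.WrapNonce, env.WrappedDEK, aad)
	if err != nil {
		return err
	}
	wrapNonce, wrapped, err := gcmSeal(newKEK, dek, aad)
	if err != nil {
		return err
	}
	env.WrapNonce, env.WrappedDEK = wrapNonce, wrapped
	return nil
}

func main() {
	kek, _ := NewKey() // assumption: held by a KMS/HSM, never on the data host's disk
	env, _ := Encrypt(kek, []byte("constructed sample: patient record 4711"), "phi/4711")
	pt, err := Decrypt(kek, env, "phi/4711")
	fmt.Printf("with KEK:    %q err=%v\n", pt, err)
	_, err = Decrypt(make([]byte, 32), env, "phi/4711") // what a thief of the storage has
	fmt.Printf("without KEK: err=%v\n", err)
}
```

Two properties matter for the myths above. First, whoever copies the storage (a stolen disk, a leaked backup, a root user running dd on the mounted volume) gets only the envelope, and the safe harbor condition "keys not included in the loss" holds exactly as long as the KEK really is kept elsewhere. Second, because the DEK is per object and the KEK only ever wraps 32 bytes, rotating the KEK is a re-wrap, not a re-encryption of the data.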

At this point, you might be thinking that there’s a lot to learn about encryption – and you’d be right. That’s why we co-hosted a webinar on “Keys To Better Data Security In The Cloud: Intelligent Encryption” with Vormetric Data Security on August 21. We talked about methods for encrypting data in transit and data at rest, and showed why some techniques aren’t as safe as you might think. We also explored the most cutting-edge techniques that do keep your customers, data and reputation protected. Finally we shared specifics on FireHost’s approach to encryption and how Vormetric Data Security can offer solutions that provide expert encryption guidance while making you the sole custodian of all data access policies and keys.

Remember, encryption is one of those aspects of cloud security that never stops moving – so even if you think you’re on top of your encryption game, we encourage you to come by and find out the latest techniques being developed and used by security experts today. We hope to see you there - until then, stay secure.