Securing Cloud Data Part I

You have probably heard the following cloud encryption and key management buzzwords:

  • BYOK – Bring Your Own Key
  • BYOV – Bring Your Own Vault
  • BYOE – Bring Your Own Encryption
  • BYOH – Bring Your Own HSM

Do we trust the cloud provider to manage encryption and key management? Encryption and key management is one of the important aspects of cloud security training. The main challenges for a key management solution are compliance, API support, access control, cost, life-cycle management, governance, audit, application integration, and so on. Data security is critical for an organization, and both the number of data breaches and their impact keep growing.

What are the top reasons that cause data breaches?

  • Vulnerabilities
  • Permissions or unauthorized access
  • Misconfigurations
  • Lack of encryption
  • Insider Threats
  • Malware
  • Weak credentials
  • User errors or negligence

Cloud security training in the data security context covers data-at-rest encryption to protect confidentiality, data-in-transit encryption to protect integrity, and high-availability clusters and failover to protect availability. Encryption considerations include data classification, encryption policy, regulatory and compliance requirements, high availability, application integration, support, and key life-cycle management. Encryption types for data at rest include the following:

  • Full Disk Encryption (FDE) for endpoint protection
  • Full Disk Encryption with Pre-Boot Authentication (FDE w/ PBA) for endpoint protection
  • Hardware Security Module (HSM) for key management lifecycle protection
  • Encrypting File System (EFS) for storage protection
  • Virtual Encryption for storage protection
  • File and Folder Encryption (FFE) for unstructured data protection
  • Database Encryption for structured data protection

Encryption types for data-in-motion include (but are not limited to) the following:

  • Virtual Private Network (VPN) for remote access
  • Wi-Fi Protected Access (WPA/WPA2) for wireless access
  • Secure Sockets Layer (SSL) for web browser to server communications
  • Secure Shell (SSH) for secure remote systems administration

The most common method of protecting data in motion is a Secure Sockets Layer virtual private network (SSL VPN). Technologies such as SSL VPN are critical for protecting traffic against man-in-the-middle attacks and packet sniffers.

The major cloud providers offer the following encryption methods:

  • Server-Side Encryption
  • Client-Side Encryption
  • Symmetric Key Encryption
  • Asymmetric Key Encryption

The major cloud providers offer the following key management options:

  • Customer Stored and Managed
  • Provider Stored and Customer Managed
  • Provider Stored and Customer Managed (using KMS)
  • Cloud Provider Stored and Managed

Other key management options include running your own HSM and software-based key management. Organizations need to decide their encryption and key management requirements in advance and verify that the cloud provider supports them.

RELATED POST: Securing Cloud Data – AWS and Azure Security Part II

Securing Cloud Data – Cloud Encryption Considerations Part III
