Encryption, and the keys that drive it, is the standard way to protect stored data and login credentials: encrypted data is unreadable to anyone who does not hold the right key, so an attacker who copies it walks away with ciphertext rather than usable information. Cloud providers advertise encryption as a headline security feature of their storage offerings, but a question remains: does encryption by itself make cloud storage safe?
Is Cloud Storage Safe with Encryption?
According to Google, encryption is the “process through which legible data (plaintext) is made illegible (ciphertext) with the goal of ensuring the plaintext is only accessible by parties authorized by the owner of the data.” A key is not the algorithm but the secret input to it: the encryption algorithm (the cipher) is normally public, and the same algorithm with a different key produces different ciphertext. Only someone holding the right key can turn the ciphertext back into plaintext when the user needs to access their data, so the security of the whole scheme rests on keeping the key secret.
Most of the time the cloud service provider owns, operates, and manages the keys. Some providers instead let users hold the keys themselves, often marketed as zero-knowledge encryption (also called client-side or end-to-end encryption): data is encrypted before it leaves the user’s device, so the provider never has what it would need to decrypt the files it stores. Letting the provider manage the keys is easier for both sides, since the user never has to safeguard or back up a key, but it has a pitfall. If the provider is breached, or anyone with access to the provider’s key store is compromised, every customer’s data can be exposed at once, and users have no way to lock their data down after the fact. The flip side of holding your own keys is that a lost key means lost data, with no recovery possible from the provider. So the first thing a user or enterprise should analyze when electing to encrypt data is key management: who generates, stores, rotates, and is able to use the decryption keys.
Overall, encrypting data bolsters cloud security and protects users’ data. However, other security practices should be used in conjunction with encryption for optimal cloud storage security.
Encryption Best Practices
Enterprises can layer several encryption practices on top of sound key management. One option is to encrypt the enterprise’s database in its entirety at the application layer. This is simple, but it prevents the database from sorting, indexing, or searching the data, because the database only ever sees ciphertext. Another option is to encrypt only targeted sensitive fields (card numbers, national identifiers, secrets) and leave the rest of the database queryable. A third option is to rotate keys on a schedule: each ciphertext records which key version it was written with, new writes use the newest key, and older records are re-encrypted over time, so a key that leaks exposes only the data written while it was current rather than everything ever stored. A fourth method is authenticated encryption (AE). AE pairs the cipher with a secure Message Authentication Code (MAC), also referred to as a tag, so that any modification of the ciphertext is detected on decryption instead of silently producing corrupted or attacker-chosen plaintext. Note that AE proves the ciphertext was produced by someone holding the key and has not been altered; it does not by itself identify a particular sender. Taking a step further is authenticated encryption with associated data (AEAD), which “support[s] both data that is to be encrypted and authenticated and data that is not encrypted but that needs to be authenticated.” For example, a record’s table, row and column identifiers can be bound to the ciphertext as associated data, so the ciphertext cannot be copied into another row without the tag check failing.
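An added example in Go (not code from the original page or from any provider’s product) showing two of the practices above together: AES-GCM as the AEAD, with the record’s location passed as associated data, and key rotation by tagging each ciphertext with the version of the key it was written under. The `Keyring` type, its methods and the blob layout are assumptions chosen for illustration; the field value and row identifier are constructed test data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Keyring is a hypothetical key store: one current key for new writes plus
// retired keys kept only so that older ciphertexts can still be decrypted.
type Keyring struct {
	current uint32
	keys    map[uint32][]byte
}

// NewKeyring creates a keyring whose first key has version 1.
func NewKeyring() (*Keyring, error) {
	kr := &Keyring{keys: map[uint32][]byte{}}
	if err := kr.Rotate(); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate generates a fresh random 256-bit key and makes it the current key.
func (kr *Keyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = key
	return nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field value under the current key.
// Assumed blob layout: keyVersion(4) || nonce(12) || ciphertext || 16-byte GCM tag.
// aad (e.g. "table/rowid/column") is authenticated but not encrypted, so the
// blob cannot be moved to another row or column without Open failing.
func (kr *Keyring) Seal(plaintext, aad []byte) ([]byte, error) {
	g, err := gcmFor(kr.keys[kr.current])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce for every message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(plaintext)+g.Overhead())
	binary.BigEndian.PutUint32(out, kr.current)
	out = append(out, nonce...)
	return g.Seal(out, nonce, plaintext, aad), nil
}

// Open decrypts a blob with whichever key version it names. Any change to the
// ciphertext, the tag or the aad makes GCM return an error instead of plaintext.
func (kr *Keyring) Open(blob, aad []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("blob too short")
	}
	version := binary.BigEndian.Uint32(blob[:4])
	key, ok := kr.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < 4+ns+g.Overhead() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[4:4+ns], blob[4+ns:], aad)
}

// Rewrap re-encrypts an old blob under the current key so that, once every
// record has been rewrapped, the retired key can be destroyed.
func (kr *Keyring) Rewrap(blob, aad []byte) ([]byte, error) {
	pt, err := kr.Open(blob, aad)
	if err != nil {
		return nil, err
	}
	return kr.Seal(pt, aad)
}

// KeyVersion reports which key version a blob was written with (0 if malformed).
func KeyVersion(blob []byte) uint32 {
	if len(blob) < 4 {
		return 0
	}
	return binary.BigEndian.Uint32(blob[:4])
}

func main() {
	kr, _ := NewKeyring()
	aad := []byte("customers/42/ssn")               // constructed row/column identifier
	blob, _ := kr.Seal([]byte("123-45-6789"), aad) // constructed sample field value
	_, err := kr.Open(blob, []byte("customers/43/ssn"))
	fmt.Println("open under another row:", err) // authentication fails
	_ = kr.Rotate()
	blob, _ = kr.Rewrap(blob, aad)
	pt, _ := kr.Open(blob, aad)
	fmt.Printf("key version %d, plaintext %s\n", KeyVersion(blob), pt)
}
```

The version prefix is what makes rotation practical: reads keep working during the rewrap, and a key is only deleted once no stored blob names it. The aad string should be something the reader can reconstruct from the record’s location, never something stored alongside the ciphertext where an attacker could rewrite both.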
Some enterprises model their own controls on the U.S. Federal Government’s requirements. Federal agencies must use cryptographic modules validated against FIPS 140-2 (since superseded by FIPS 140-3, which keeps the same four-level structure). Note that validation covers the module itself, not the system it is deployed in; an application that uses a validated module in a non-approved mode gets no assurance from the certificate. The standard defines four security levels, with Level 1 the lowest and Level 4 the highest. Here is a brief summary taken from the FIPS 140-2 documentation:
“Security Level 1 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an unevaluated operating system.
Security Level 2 enhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the module.
Security Level 3 requires identity-based authentication mechanisms, enhancing the security provided by the role-based authentication mechanisms specified for Security Level 2.
Security Level 4 provides the highest level of security defined in this standard. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access.”
Is Cloud Storage Safe with an Alternative Security Method?
An alternative to encryption is tokenization. Symantec defines tokenization as “the process of randomly generating a substitute value, or token, that is used in place of real data, where the token is not computationally derived in any way, shape, or form from the original data value.” It is related to encryption and often used alongside it, but it differs in a crucial way: a token is not computed from the original value by any algorithm, so there is no key whose compromise would let an attacker reverse it. Instead, tokenization relies on a database, called the token vault, that stores the relationship between each token and the original data; detokenizing means looking the token up in the vault. This shifts the protection problem onto the vault, which becomes the one place where real values exist and must be tightly access-controlled and audited. Tokenization may be used in conjunction with encryption depending on an enterprise’s needs and security concerns: an enterprise may encrypt the data that resides in the token vault, adding another level of data security, while the rest of its systems only ever handle tokens.
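An added example in Go (not from the page, from Symantec, or from any product) of a minimal token vault: tokens are drawn from a CSPRNG rather than computed from the value, so the only link back to the real data is the vault’s own lookup table. The `TokenVault` type, the 16-digit card-number format and the choice to keep the last four digits visible are assumptions for illustration; the card numbers are constructed test values.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// TokenVault is a hypothetical in-memory vault. A production vault would keep
// these maps encrypted at rest and behind strict access control, since it is
// the only place where real values and their tokens are linked.
type TokenVault struct {
	mu      sync.Mutex
	byToken map[string]string
	byValue map[string]string // ensures the same value always maps to one token
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// randomDigits returns n decimal digits from a CSPRNG. Nothing about the
// output depends on the value being tokenized.
func randomDigits(n int) (string, error) {
	const digits = "0123456789"
	out := make([]byte, n)
	for i := range out {
		v, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		out[i] = digits[v.Int64()]
	}
	return string(out), nil
}

// Tokenize replaces a 16-digit card number with a token that keeps the last
// four digits visible (assumed format, so receipts and support screens still
// work) and fills the other twelve with random digits. Re-tokenizing a value
// returns the token already issued for it.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if len(pan) != 16 {
		return "", errors.New("expected a 16-digit card number")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", errors.New("card number must be numeric")
		}
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.byValue[pan]; ok {
		return tok, nil
	}
	for attempt := 0; attempt < 10; attempt++ {
		prefix, err := randomDigits(12)
		if err != nil {
			return "", err
		}
		tok := prefix + pan[12:]
		// Draw again if the token is already issued or happens to equal the real value.
		if _, taken := v.byToken[tok]; taken || tok == pan {
			continue
		}
		v.byToken[tok] = pan
		v.byValue[pan] = tok
		return tok, nil
	}
	return "", errors.New("could not allocate a unique token")
}

// Detokenize is the only way back to the real value: a vault lookup, not a computation.
func (v *TokenVault) Detokenize(tok string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.byToken[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	v := NewTokenVault()
	tok, _ := v.Tokenize("4111111111111111") // constructed test card number
	pan, _ := v.Detokenize(tok)
	fmt.Printf("token %s -> value %s\n", tok, pan)
}
```

Because a system that holds only tokens cannot recover card numbers without calling the vault, the vault is where logging, rate limiting and authorization checks belong; an attacker who dumps every other database still gets nothing usable.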