Amid the digital explosion that we are currently experiencing, more and more organisations are backing up their data by means of online backup. According to a global study carried out by Thales and the Ponemon Institute, 50% of enterprises operate sensitive data in the cloud.
Four-thousand businesses from around the world took part in the survey, titled “Encryption in the Cloud”. As more and more businesses start utilising the cloud for various IT services, the interest shown by cyber criminals will also grow, therefore encryption of customers’ data becomes essential to protecting electronic property.
Transferring one’s data to the cloud can be an intimidating prospect and can often feel like one is surrendering control of sensitive data by relying solely on a cloud provider to keep that data safe. Furthermore, according to the study, 39% of companies feel that cloud adoption has decreased their companies’ security posture. There is, however, no need to feel like this: these feelings can be eliminated by closely analysing the level of encryption which is offered by a cloud provider, to find the best fit solution for you and your business. Astonishingly, the survey showed that almost two thirds of respondents do not know what cloud providers are actually doing in order to protect their sensitive or confidential data. This serves to emphasise the need for a thorough examination into and understanding of cloud computing and data protection options by every enterprise.
Richard Moulds, Vice President of Thales Security, emphasises the importance of correctly employing encryption: “Staying in control of sensitive or confidential data is paramount for most companies today. For any organization that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data. However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately.”
Three things to consider when implementing encryption into your business are:
1. The level of encryption
Different cloud providers offer different levels of encryption. These include AES, FIPS, DES and Blowfish. Ultimately, higher-level encryption reduces the likelihood of an attack by hackers and malicious users if they attempt to infiltrate a business. Hence encryption can go a long way towards making the cloud more secure for businesses using the cloud to store their data.
One thing that is important to take into account, nonetheless, is that the level of encryption that an organisation deploys, reflects the importance of the data being protected and that it has the best possible level of security.
2. Where encryption is applied
Data encryption can take place before the data is transferred to the cloud provider or once it reaches the cloud environment. Ideally, encryption of data should occur at source, in transit and at rest.
Since encryption conditions vary by technology, product and implementation, there is no general rule. Therefore it is up to the customer to ensure that the provider can securely hold their data, and not just settle for the cheapest option, which may have inadequate encryption methods.
3. Encryption key management
Underpinning any encryption strategy is the management of the encryption keys. Any strong encryption strategy can be completely undone by poor encryption key management which can result in data loss.
Management incorporates several key aspects:
- Who handles the key, i.e. customer or provider?
- How is a key protected (whether it is protected by the customer or provider)?
- What happens in the case of a key being lost (can data be retrieved by the customer, and can it be accessed by non-authorised persons)?
Each technology and product handles this differently and is therefore a key aspect to be looked at by IT managers when choosing a backup solution.
The importance of correct key management cannot therefore be underestimated. The loss of an encryption key could lead to an unauthorized person decrypting the data, or the inability for authorized people to decrypt the data. In either case, this could lead to severe disruption. In consideration of this, it is important to pay close attention to the way your cloud provider distributes, uses, recovers and secures you encryption keys when analysing your encryption options.
The research carried out by Thales and the Ponemon Institute has been undoubtedly very enlightening with regard to the implementation of encryption in the cloud. Furthermore it has raised awareness for businesses to choose wisely when it comes to this implementation. One thing is for sure, encryption is one of the most valuable tools for securing data as long as it is utilised effectively.