Paranoid Technology: All things cybersecurity


How Does Encryption on the Cloud Work?

There are two types of encryption on the cloud: server-side and client-side.

Client-side encryption is cumbersome (well, security is not about convenience anyway...): it adds steps to storing and viewing data, not to mention the time it takes to encrypt. Initially the service providers did not offer server-side encryption, so everybody had their data stored in the clear... In time, regulatory requirements drove the companies that were under the gun to push for server-side (at-rest) encryption of their data, and the cloud service providers had to react to this demand. The key criteria in making this happen were:

  1. Customer data should not be in clear text while at rest at the service provider's data stores
  2. The operation should be transparent to the customers allowing them to access their data easily
  3. The system should be legally friendly - able to respond to subpoenas from the government


What does it mean when your cloud service provider tells you that your data is encrypted at their data center? It pretty much means that if an attack on the provider occurs, your data won't be sitting out in the open on their disks. This is the same for Google, Amazon S3, SkyDrive and other major cloud service providers. Apple, as usual, is silent about its cloud offering, iCloud, but you can almost bet on it...

Ultimately all the vendors use some sort of master key to implement server-side encryption; with this master key they are able to decrypt data on demand to meet the above criteria. So know what it means when you rely only on server-side encryption: whoever holds the master key can read your data.
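To make the master-key point concrete, here is an added example (not code from the original post, and not any vendor's actual implementation) that models both sides in Go: a provider doing server-side encryption with a per-object data key wrapped under its master key (the usual "envelope" layout, assumed here, since the post does not describe any vendor's internal format), and a customer doing client-side encryption with a key the provider never sees. AES-256-GCM and the `StoredObject` layout are my assumptions; the sample strings are constructed. Running it shows that the provider decrypts server-side objects on demand, while a client-side blob passes through the provider's storage as opaque ciphertext that the master key cannot open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD for a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM returns nonce || ciphertext || tag, with a fresh random nonce per call.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; it fails if the key is wrong or the data was tampered with.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func randomKey() ([]byte, error) {
	k := make([]byte, 32) // AES-256
	_, err := rand.Read(k)
	return k, err
}

// StoredObject (assumed layout) is what sits on the provider's disks: the data
// encrypted under a per-object data key, plus that data key wrapped under the master key.
type StoredObject struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// Provider models server-side (at-rest) encryption: the master key never leaves
// the provider, but it is the provider that holds it.
type Provider struct{ masterKey []byte }

func NewProvider() (*Provider, error) {
	mk, err := randomKey()
	return &Provider{masterKey: mk}, err
}

// Store encrypts whatever bytes the customer uploaded before they reach disk
// (criterion 1: no clear text at rest).
func (p *Provider) Store(data []byte) (*StoredObject, error) {
	dataKey, err := randomKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealAESGCM(dataKey, data)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAESGCM(p.masterKey, dataKey)
	if err != nil {
		return nil, err
	}
	return &StoredObject{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Retrieve unwraps the data key with the master key and decrypts on demand
// (criteria 2 and 3: transparent to the customer, and answerable to a subpoena).
func (p *Provider) Retrieve(obj *StoredObject) ([]byte, error) {
	dataKey, err := openAESGCM(p.masterKey, obj.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return openAESGCM(dataKey, obj.Ciphertext)
}

// MasterKeyOpens reports whether the master key alone decrypts a blob.
func (p *Provider) MasterKeyOpens(blob []byte) bool {
	_, err := openAESGCM(p.masterKey, blob)
	return err == nil
}

// Client-side encryption: the customer encrypts under a key the provider never
// sees and uploads only ciphertext, so Retrieve hands back ciphertext, not data.
func ClientEncrypt(clientKey, data []byte) ([]byte, error) { return sealAESGCM(clientKey, data) }
func ClientDecrypt(clientKey, blob []byte) ([]byte, error) { return openAESGCM(clientKey, blob) }
```

Storing a client-encrypted blob through `Store` gives the two-layer arrangement mentioned below: the provider's layer protects against someone lifting the disks, the customer's layer is what stops the master key holder from reading the contents.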

In some cases Software as a Service (SaaS) vendors also apply their own encryption layer when storing your data in the cloud, using a similar mechanism, so you get two layers of encryption; but this is quite rare (due to the system resource and latency impacts)...

What about client-side encryption? If you have stringent security requirements and no alternative to the cloud, it is a must. Not everything needs to be encrypted, but all the intellectual property that gives you an edge over your competitors falls in this category. My favorite for client-side encryption is TrueCrypt: it supports various algorithms and allows you to create encrypted disk volumes, which makes it pretty much seamless from a user's perspective.

If you are fully paranoid, or have other requirements that off-the-shelf software does not meet, you can write your own encryption library or use something like Bouncy Castle.

If you are using fully integrated cloud services such as iCloud, you are fully at the mercy of the service provider, as there is currently no way of encrypting data before you send it off to the cloud.

I hope this article gave some insight into what to expect from encryption on the cloud. Let me know what you think....
