Data protection is a top challenge for everyone, especially since most corporate data is now hosted in the cloud. Besides being accessed by humans, data is also playing an essential role in machine-to-machine communications. Businesses need to safeguard both the integrity and the confidentiality of data in the cloud. While integrity is protected by ensuring the authenticity of machines via machine identities, data confidentiality relies mostly on encryption.
Encryption is a core component of a good data protection strategy, but people sometimes have questions about how to manage encryption in the cloud at the pace and scale of modern enterprises. Encryption can seem like a difficult task. People often think they need to master complicated systems to encrypt data, yet cloud services can simplify both encryption and the management of the machine identities that depend on it.
The most important thing to remember about encryption in the cloud is that you always own and control your data. This is the core message of the shared responsibility model for cloud security: you control security in the cloud, including encryption of data, applications, systems, and networks. Cloud providers manage security of the cloud, meaning the infrastructure that runs all the services, while you remain responsible for everything you run on top of it.
Encryption is one of the primary defenses organizations can use to secure their data, intellectual property (IP) and other sensitive information, as well as their customer’s data. It also serves to address privacy and protection standards and regulations.
Benefits of cloud encryption include:
With so many advantages, the question to consider is how can you use encryption to prevent unauthorized access to your data in the cloud?
The primary way to protect access to your data is to control this access. This often means using IAM (Identity and Access Management) to describe which users or roles can access resources. IAM allows you to tightly define the access for each user—whether the entity is human or a machine—and set the conditions in which that access is allowed. This could mean requiring the use of multi-factor authentication.
Encryption allows you to introduce an additional authorization condition before granting access to data. When you use a key management system together with other services, you gain further control over access to sensitive data. For example, with encrypted data, each IAM user must not only have access to the storage itself, but also have authorization to use the encryption key that protects the data. This ability to define more granular access control through independent permissions on encryption keys enhances the integrity and confidentiality of data in the cloud. The same applies to machines accessing and processing data.
When you configure IAM for your machines to access data, it is critical that you apply the principle of least privilege. This means you grant only the access necessary for each machine to do its work and no more. This matters especially when thinking about the difference between using a service or an application and managing that service or application.
Making clear distinctions between who can use resources and who can manage these resources is often referred to as the principle of separation of duties. Consider the circumstance of having a single application with two identities that are associated with it—a machine identity that uses a key to encrypt and decrypt data and a manager identity that can make configuration changes to the key. This prevents the owner of the machine identity from making configuration or permission changes while allowing the manager to make those changes but not use the services to actually access the data or use the encryption keys.
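The two-gate access model from the preceding paragraphs (storage permission plus an independent key permission) and the separation between a key user and a key manager can be made concrete with a small policy evaluator. This is an added example, not code from Venafi or from any cloud provider; the identity names, action names, resource names and the simplified key-policy shape are constructed for illustration, and evaluation follows the usual cloud rule that an explicit deny beats an allow and that no matching allow means an implicit deny.

```python
"""Two-gate authorization for encrypted cloud storage (added illustration, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    effect: str            # "Allow" or "Deny"
    actions: frozenset     # e.g. {"storage:GetObject"}; "*" or a trailing "*" is a prefix match
    resources: frozenset   # e.g. {"bucket/reports/*"}


def _matches(pattern: str, value: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def evaluate(statements, action: str, resource: str) -> bool:
    """Explicit Deny wins over Allow; with no matching Allow the result is an implicit deny."""
    allowed = False
    for s in statements:
        if any(_matches(a, action) for a in s.actions) and any(_matches(r, resource) for r in s.resources):
            if s.effect == "Deny":
                return False
            allowed = True
    return allowed


# Constructed inventory: which key protects which object.
OBJECTS = {"bucket/reports/q1.csv": "key-reports", "bucket/logs/app.log": "key-logs"}

# Constructed identity policies (the IAM side of the first gate and of the key gate).
IDENTITY_POLICIES = {
    # Runtime identity of the application: may read reports AND use the reports key.
    "app-runtime": [
        Statement("Allow", frozenset({"storage:GetObject"}), frozenset({"bucket/reports/*"})),
        Statement("Allow", frozenset({"kms:Decrypt", "kms:Encrypt"}), frozenset({"key-reports"})),
    ],
    # Backup agent: broad storage read, but no key permission at all (copies ciphertext only).
    "backup-agent": [
        Statement("Allow", frozenset({"storage:GetObject"}), frozenset({"bucket/*"})),
    ],
    # Key manager: administers the key but is explicitly denied using it.
    "key-manager": [
        Statement("Allow", frozenset({"kms:PutKeyPolicy", "kms:EnableKeyRotation"}), frozenset({"key-reports"})),
        Statement("Deny", frozenset({"kms:Decrypt", "kms:Encrypt"}), frozenset({"*"})),
    ],
}

# Constructed key policies: the key itself independently lists its users and administrators.
KEY_POLICIES = {
    "key-reports": {"users": {"app-runtime"}, "admins": {"key-manager"}},
    "key-logs": {"users": set(), "admins": {"key-manager"}},
}


def explain_read(identity: str, obj: str) -> str:
    """Reading plaintext needs the storage gate AND the key gate; report which gate failed."""
    key = OBJECTS[obj]
    stmts = IDENTITY_POLICIES[identity]
    if not evaluate(stmts, "storage:GetObject", obj):
        return "denied: storage"
    if not (evaluate(stmts, "kms:Decrypt", key) and identity in KEY_POLICIES[key]["users"]):
        return "denied: key"
    return "allowed"


def can_administer_key(identity: str, key: str) -> bool:
    """Administration is a separate permission: granted to the manager, not to the user."""
    return evaluate(IDENTITY_POLICIES[identity], "kms:PutKeyPolicy", key) and identity in KEY_POLICIES[key]["admins"]


if __name__ == "__main__":
    for who in IDENTITY_POLICIES:
        print(f"{who:13s} read q1.csv -> {explain_read(who, 'bucket/reports/q1.csv')}; "
              f"administer key-reports -> {can_administer_key(who, 'key-reports')}")
```

The backup agent illustrates why the second gate matters: it can copy the encrypted object but never learn its contents, and the key manager can rotate or re-scope the key without ever being able to decrypt with it.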
Controlling access to all your cryptographic keys is as important as protecting the access to your data. Controlling and maintaining data encryption keys is an essential part of any data encryption strategy, because, with the encryption keys, a cybercriminal can return encrypted data to its original unencrypted state. An encryption key management system includes generation, exchange, storage, use, destruction and replacement of encryption keys.
Key management involves separating keys from data for increased flexibility and security. You can have multiple keys for the same data, the same key for multiple files, key backup and recovery, and many more choices. Best practice is to use a dedicated external key management system, such as a Hardware Security Module (HSM) or another hardware key management appliance, which provides the highest level of physical (or virtual) security.
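Separating keys from data is usually implemented as envelope encryption: each object is encrypted under its own data key, and the data key is wrapped by a key-encryption key that never leaves the key management system. The example below, added here and not part of Venafi's own code, shows the key hierarchy, a rotation of the wrapping key that re-wraps data keys without touching any ciphertext, and retirement of the old wrapping key. To stay dependency-free it uses a toy authenticated stream cipher built from HMAC-SHA256 (keystream from a counter, encrypt-then-MAC); a production system would use AES-GCM from a real KMS or HSM, and the `KeyManager` class is a stand-in for that external boundary, not a real API.

```python
"""Envelope encryption with key rotation (added illustration; toy cipher, constructed KMS stand-in)."""
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: block i of keystream = HMAC-SHA256(key, nonce || i). Illustration only.
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[ctr * 32:(ctr + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC with separate subkeys)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered bytes must fail before any decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class KeyManager:
    """Stand-in for an external KMS/HSM: key-encryption keys (KEKs) stay inside; callers
    only ever receive wrapped data keys plus a fresh plaintext data key at generation time."""

    def __init__(self):
        self._keks = {}
        self.current = 0
        self.rotate_kek()

    def rotate_kek(self) -> int:
        self.current += 1
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current

    def generate_data_key(self):
        dek = secrets.token_bytes(32)
        return dek, self.current, seal(self._keks[self.current], dek)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        return open_(self._keks[version], wrapped)

    def rewrap(self, version: int, wrapped: bytes):
        # Re-wrap under the current KEK; the data key value itself does not change.
        return self.current, seal(self._keks[self.current], self.unwrap(version, wrapped))

    def retire_kek(self, version: int) -> None:
        del self._keks[version]


def encrypt_object(km: KeyManager, plaintext: bytes) -> dict:
    dek, version, wrapped = km.generate_data_key()
    return {"kek_version": version, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}


def decrypt_object(km: KeyManager, record: dict) -> bytes:
    dek = km.unwrap(record["kek_version"], record["wrapped_dek"])
    return open_(dek, record["ciphertext"])


def rotate_envelopes(km: KeyManager, records) -> int:
    """Rotate the KEK and re-wrap every data key. Ciphertexts are never rewritten."""
    km.rotate_kek()
    for r in records:
        r["kek_version"], r["wrapped_dek"] = km.rewrap(r["kek_version"], r["wrapped_dek"])
    return km.current


if __name__ == "__main__":
    km = KeyManager()
    records = [encrypt_object(km, b"constructed sample record %d" % i) for i in range(3)]
    new_version = rotate_envelopes(km, records)
    km.retire_kek(new_version - 1)
    print("all objects still readable after rotation:", all(decrypt_object(km, r) for r in records))
```

Because only the small wrapped data keys are rewritten, rotating the wrapping key is cheap even for large stores, and retiring the previous KEK gives a clean audit point: anything not re-wrapped by then is deliberately unreadable.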
Encrypt as much as possible. This means encrypting data while it is in transit and while it is at rest. Encryption in transit relies on TLS certificates. However, we are all aware of the challenges involved in managing these certificates. One of those challenges is rotating and renewing them regularly so they do not unexpectedly expire and prevent users from reaching your website or application.
It is therefore important to renew each certificate before it expires and to automatically deploy the new certificate to every resource associated with it. With so many resources (apps, workloads, devices, APIs and more) requiring a machine identity, manually managing all these certificates and their associated keys is a recipe for disaster.
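The renewal discipline described above can be reduced to one decision per certificate: renew at the earlier of a fixed lead time before expiry and a fraction of the certificate's lifetime, and fan the new certificate out to every deployment target recorded for it. The following planner is an added example, not part of the Venafi platform; the certificate inventory (names, validity dates, deployment targets) is constructed, the dates use the `notBefore`/`notAfter` text form that Python's `ssl` module returns from `getpeercert()`, and the lead time and lifetime fraction are assumed policy values.

```python
"""Certificate renewal planner over a constructed inventory (added illustration)."""
from datetime import datetime, timedelta

CERT_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"   # e.g. "Jan 15 00:00:00 2026 GMT"

# Constructed inventory: what a discovery scan might record for each TLS machine identity.
INVENTORY = [
    {"name": "api.example.com", "notBefore": "Dec 01 00:00:00 2025 GMT",
     "notAfter": "Feb 28 00:00:00 2026 GMT", "deployed_to": ["lb-1", "lb-2"]},
    {"name": "payments.internal", "notBefore": "Jan 01 00:00:00 2025 GMT",
     "notAfter": "Jan 15 00:00:00 2026 GMT", "deployed_to": ["pay-app-1", "pay-app-2", "pay-gw"]},
    {"name": "legacy.example.com", "notBefore": "Dec 20 00:00:00 2024 GMT",
     "notAfter": "Dec 20 00:00:00 2025 GMT", "deployed_to": ["legacy-vm"]},
    {"name": "cdn.example.com", "notBefore": "Nov 01 00:00:00 2025 GMT",
     "notAfter": "Nov 01 00:00:00 2026 GMT", "deployed_to": ["edge-eu", "edge-us"]},
]


def parse_cert_time(text: str) -> datetime:
    return datetime.strptime(text, CERT_TIME_FORMAT)


def classify(cert: dict, now: datetime, lead_days: int = 30, warn_days: int = 60,
             lifetime_fraction: float = 2 / 3) -> dict:
    """Decide one certificate's status.

    EXPIRED: already past notAfter (an outage, not a warning).
    RENEW:   past the renewal point, which is the earlier of (notAfter - lead_days) and
             (notBefore + lifetime_fraction * lifetime), so short-lived certs renew early too.
    WARN:    inside warn_days but before the renewal point.
    OK:      nothing to do yet.
    """
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime = not_after - not_before
    renew_at = min(not_after - timedelta(days=lead_days), not_before + lifetime * lifetime_fraction)
    days_left = (not_after - now).days
    if now >= not_after:
        status = "EXPIRED"
    elif now >= renew_at:
        status = "RENEW"
    elif days_left <= warn_days:
        status = "WARN"
    else:
        status = "OK"
    return {"name": cert["name"], "status": status, "days_left": days_left,
            "renew_at": renew_at, "deploy_targets": list(cert["deployed_to"])}


def plan_renewals(inventory, now: datetime, **policy):
    """Return actionable items first (EXPIRED, then RENEW), most urgent at the top."""
    order = {"EXPIRED": 0, "RENEW": 1, "WARN": 2, "OK": 3}
    plan = [classify(c, now, **policy) for c in inventory]
    plan.sort(key=lambda item: (order[item["status"]], item["days_left"]))
    return plan


def deployment_work(plan) -> int:
    """Number of resource deployments a renewal run must push: the part manual processes miss."""
    return sum(len(p["deploy_targets"]) for p in plan if p["status"] in ("EXPIRED", "RENEW"))


if __name__ == "__main__":
    now = datetime(2026, 1, 1)
    for item in plan_renewals(INVENTORY, now):
        print(f"{item['status']:8s} {item['name']:22s} {item['days_left']:5d} days left "
              f"-> deploy to {', '.join(item['deploy_targets'])}")
    print("deployments to automate this run:", deployment_work(plan_renewals(INVENTORY, now)))
```

The lifetime-fraction rule is what keeps the planner sensible as validity periods shrink: a 90-day certificate renewed only 30 days before expiry would already be two thirds through its life, whereas the fraction rule schedules it at about day 60 regardless of the fixed lead time.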
Encryption is a crucial component of a robust data protection strategy in the cloud. However, encryption needs to be supported by machine identity management processes and policies so that the keys and certificates behind the cryptographic algorithms remain as strong as the algorithms themselves.
Venafi Trust Protection Platform automates the discovery and continuous monitoring of TLS certificates, both internal and external to your network, anywhere, on-premises or in the cloud. Applying best practices outlined in NIST SP 1800-16, Venafi Trust Protection Platform operationalizes the management of TLS machine identities with automated notifications to application owners and issuing templates to apply security policies to certificates issued from integrated third-party certificate authorities.
Are you ready to protect machine identities in the cloud?