Are you up to speed with the security requirements your agency is responsible for when using the cloud? What you may not know may surprise you.
To encourage federal agencies to confidently move their data to the cloud, cloud service providers (CSPs) have built services tailored to government requirements. And it’s working. The Federal Risk and Authorization Management Program (FedRAMP) now has over 100 agencies using more than 150 different approved cloud services.
But while cloud security may be better than the security of on-premises IT infrastructures, CSPs — such as Amazon Web Services, Microsoft Azure and others — are increasingly emphasizing what’s known as a “shared responsibility” model for securing data in the cloud and meeting compliance requirements for information protection.
In short, CSPs take responsibility to secure the infrastructure that runs their cloud services — security of the cloud. Data owners are responsible for protecting the confidentiality, integrity and availability of their data in the cloud.
Securing data properly means that customers own (and can prove that they own) their data, from inception to deletion. That, in turn, means that customers — not their cloud provider — must own their encryption and encryption keys, and maintain proper key management. Cloud customers need cloud-independent security solutions that can be applied across private, hybrid, public and multi-cloud environments.
Making sure that data is safe from unauthorized access requires organizations to consider the physical and logical security of the CSP, but also who is encrypting the data, when and where the data is being encrypted, and who is creating, managing and accessing the encryption keys.
Know the cloud deployment that’s best for you
When getting started on compliance with shared responsibility requirements, your agency needs to evaluate the sensitivity of your data, to be sure of which kind of cloud deployment – private, public, or multi-cloud – best meets your security needs.
Often, a hybrid deployment model is the best option for agencies storing very sensitive or regulated data in the cloud. Hybrid deployments typically use cloud services to store data and on-premises hardware appliances to enhance security. The hybrid model complements the shared responsibility model and helps ensure that data owners have complete control over their data security.
Some CSPs offer their own key management and encryption capabilities that are tailored specifically for their services. But because this type of one-stop solution limits a data owner’s control over their data, these baked-in key management capabilities may not be the most secure way to protect data stored in the cloud.
What’s more, CSP-provided encryption and key management also locks the data owner into that specific CSP. That can prevent you from taking advantage of the portability, cost savings, and data availability features that are possible in a multi-cloud architecture.
Data is often most vulnerable as it moves to and from the cloud. As a data owner, therefore, you should be using network encryption solutions — either virtual or hardware-based — to ensure that data is protected as it is transferred across the network.
To ensure your data is truly secure, you’ll need cloud data encryption combined with strong key management. That combination will allow you to protect sensitive data that sits outside of your direct control as it is used, transferred, stored, or otherwise shared in the cloud and in multi-tenant environments.
The best way to secure data in the cloud is to own both the generation and administration of the keys used to encrypt data. Data owners can utilize a physical key manager or a virtual key manager, combined with a hardware root of trust, to manage the key lifecycle.
This hybrid deployment model allows data owners to have complete control over their data and encryption keys. If there is a data breach, the encryption keys will not be exposed and the data will remain secure. Key management is also a central element to implementing National Institute of Standards and Technology (NIST) approved cryptographic erase procedures to securely and permanently delete data for purposes such as data lifetime expiration, cyber-breach countermeasures, or storage media sanitization.
By using on-premises key management to securely generate, store and manage your cryptographic keys, you can ensure that you own and control your keys at all times. For maximum security, you’ll need to look for Federal Information Processing Standards (FIPS) certified hardware root of trust in your key management tools.
Types of encryption
There are several varieties of encryption that any agency should consider:
Virtual machine instance encryption: This approach to encryption provides security and compliance across virtual and cloud-enabled infrastructure, to secure sensitive workloads in the cloud, store confidential data and comply with regulations in regulated industries.
File, folder and share encryption: Cloud-agnostic solutions should work across cloud providers (AWS, Azure, IBM, Google, etc.) to encrypt files, folders and shares. Your solution should be able to secure a range of data types, from SQL and NoSQL databases, to big data implementations (Apache Hadoop), to data from SharePoint, Gemstone, CHEF, Docker, and, of course, Office tools.
Application level encryption: With this approach, you can encrypt application data and keep it secure across its entire lifecycle on-premises or in any cloud – no matter where it is transferred, backed up, or copied.
Cloud storage encryption: This approach protects sensitive data stored in the cloud by encrypting data using customers’ own cryptographic keys before it is sent to cloud object storage.
The cloud is helping to make many aspects of managing IT infrastructure easier. Security, however, is still not one of those things. By getting a better understanding of your own requirements and the tools available for data encryption in the cloud, you’ll be well on your way to complying with the “shared responsibilities” that CSPs are asking of their customers.
Bill Becker is vice president of product management, SafeNet Assured Technologies. He can be reached at firstname.lastname@example.org