In 2016, credentials for roughly 68 million Dropbox accounts surfaced online. They came from a 2012 intrusion: an attacker used a reused employee password to reach a document containing user email addresses and hashed passwords for accounts created in 2012 and earlier.
The data was for sale on the dark web until it was picked up by several tech and security publications.
While cloud storage is convenient and gives access to data anywhere, anytime, regardless of the device you’re on, cloud storage security is a matter of grave concern to organizations.
Storing data in the cloud means your confidential files and sensitive data are exposed to new forms of risks. Data stored on the cloud is outside of the limits of many safeguards used to protect sensitive data in your company’s data center.
Therefore, when it comes to cloud storage, organizations have to take additional steps to secure it beyond the basic security measures offered by cloud storage providers like Amazon, Microsoft, and Google.
Cloud Storage Security Is a Shared Responsibility
Both cloud vendors and users share responsibility for cloud storage security. While cloud storage providers protect your data from intrusions and data thefts, enterprises are supposed to supplement those features with added security measures to strengthen cloud data protection and restrict access to sensitive information.
CSPs can do little to protect your sensitive data against unauthorized access if your employees are careless with their credentials. You must therefore educate your staff about the risks they may unwittingly expose your organization's data to.
Cloud storage providers also offer data protection tooling that gives visibility and policy-based control over how data moves to and from the cloud, so that only authorized data leaves your organization, and only once an approving party has signed off.
At the end of the day, it is up to the business whether they want to impose these firmer shields around important data on top of what the cloud storage providers offer already.
Nonetheless, it must be stated that another layer of defense can save your data if the provider experiences a security breach.
Choosing a Cloud Storage Security Solution
When choosing a cloud storage security solution, an organization should ensure that it provides continuous monitoring of, and visibility into, every interaction with the cloud storage. It should also give granular control over file movements, with the ability to filter on attributes such as user agent and operating-system events.
The leading cloud vendors also protect stored data through encryption. Encrypted data is cryptographically bound to a key and cannot be read unless that key is available.
Importance of Data Encryption
Cloud storage providers aim to ensure not only the integrity and availability of data but also its confidentiality. Encryption at rest means that someone who obtains the underlying disks, backups, or a raw copy of your objects without the key sees only ciphertext. Be clear about what it does not cover: an attacker who has stolen valid credentials is served decrypted data just as you would be, which is why access control and key management matter as much as the cipher.
Data encryption protects the privacy of your stored information by rendering it incomprehensible to anyone lacking the key to unlock it.
To anyone without that key, encrypted data looks like a long stream of random characters.
Encryption is critical to the privacy of your data, but it’s still not a comprehensive solution to all of your security problems.
The best security practices take a multi-layered approach:
The data must be secured end to end:
- Cryptography, not encryption alone, underpins user authentication, data integrity, digital signatures, and non-repudiation; encryption itself provides confidentiality.
The data must be encrypted in transit and at rest:
- Encryption in transit secures the communication channel between two parties.
- Encryption at rest maintains the confidentiality of stored data.
As can be seen, security is no longer a luxury but a necessity. Nor is it solely a concern for your Chief Information Security Officer (CISO); it is the responsibility of every IT professional.
Now, let’s see how data encryption works with cloud storage providers.
Data Encryption in the Cloud
When you are talking about storing data away from your data centers to cloud storage repositories including Amazon S3, Google Cloud Storage, and Azure Blob Storage, it is imperative to understand they are only accountable for securing their cloud storage infrastructure from intrusion and data thefts.
Major cloud storage vendors apply enterprise-grade security to that infrastructure, and it is rarely the weakest link. Your configuration and your credentials usually are.
An attacker holding a legitimate employee credential can read your data, receive it already decrypted by the service, and copy it to their own server without the vendor raising any flag, because to the service the request looks authorized. To counter this, cloud storage vendors provide tools to restrict access and to monitor data leaving your storage account.
For this article, we’ll restrict the scope to only data-at-rest encryption. Cloud service providers employ TLS for encrypting data in transit. TLS is an open protocol and thus doesn’t vary much from vendor to vendor.
When it comes to data at rest, each cloud storage provider brings its own cryptographic approach, including encryption techniques, key management, and ciphers.
All-in-all, there are two sides to encryption: Server-side and Client-side.
Server-Side vs. Client-Side Encryption
With server-side encryption, data travels to the recipient, in this case the object storage service, protected only by TLS, and the service encrypts it on write with keys it holds or has access to. All major cloud vendors offer server-side encryption, with differences in implementation details, especially in where the keys are stored and who controls them.
With client-side encryption, data is encrypted by the sender before it is transferred to the object storage service, so the service only ever sees ciphertext and, depending on the key arrangement, may never hold the key at all. Again, all major cloud storage providers allow for client-side encryption, with some variation in how much client library support they provide.
Pros and Cons of Data Encryption in the Cloud
Data encryption is vital in today’s world that is experiencing increasing incidents of cybercrimes.
Data encryption is also crucial from a confidentiality standpoint. If your company requires stored information to be unreadable to anyone outside your organization, including the provider, the right choice is client-side (end-to-end) encryption with keys the provider never holds.
Moreover, high-risk data like medical and financial records must be encrypted all the time, being accessible to only authorized people within your enterprise.
Some advantages and drawbacks of data encryption in the cloud are as follows:
Pros of Data Encryption
Improved Data Security
Data is at elevated risk while it is being moved from one place to another, and that is when encryption matters most. Encryption in transit and at rest both reduce the chance that a third party who intercepts or obtains the data can make use of it.
Confidentiality
Confidentiality is the chief reason encryption is used: it keeps private and sensitive information unreadable to anyone without the key, lowering the chance of data theft and fraud.
Reliability
Encrypted data can still be stolen, but modern authenticated encryption (AES-GCM, for instance) lets the data owner detect any modification of the ciphertext on decryption, because the authentication tag no longer verifies. That gives you a reliable signal that something has been tampered with, and a chance to respond early.
Compliance
Encryption is one of the most widely accepted techniques for storing and moving data because it satisfies requirements in standards and regulations such as FIPS 140, FISMA, HIPAA, and PCI DSS.
Cons of Data Encryption
While encryption is among the most effective ways to protect valued data, it has its share of limitations:
Cumbersome Data Recovery
Encryption is a powerful way to guard sensitive information. One drawback is that access to your own data now depends on access to the keys: lose a key, or lock yourself out of the key management service, and the data is unrecoverable, so key backup, rotation, and access procedures need to be designed with the same care as the data itself.
Security bugs
Encryption only covers data while it is stored or in transit. Once it has been decrypted for processing, or when a legitimately authorized identity is the one being abused, encryption provides no protection, and a bug in the encryption implementation or its configuration can silently undo the guarantees you think you have.
Costs
Encryption can become expensive because it needs sophisticated systems to manage keys and preserve the encrypted data, and those systems must scale and be upgraded along with the rest of the platform, which adds to the cost involved.
Whether you want to secure your business data with cloud encryption is solely up to your organization’s discretion. Notwithstanding all the limitations, data encryption in cloud storage is indeed a requirement.
Data Encryption and Public Cloud Vendors
All major cloud players such as Amazon AWS S3, Microsoft Azure Blob Storage, and Google Cloud Storage, employ a common set of symmetric and asymmetric encryption techniques to secure users’ data and provide server and client-side encryption.
For symmetric encryption, AES-256 (usually in GCM mode) is the de facto standard for protecting the data itself; RSA is the usual asymmetric choice where a client-side library wraps keys.
Below is a side-by-side comparison of encryption at rest across the three providers' object storage services. As you might expect, the longer a provider's object storage service has been around, the more options it tends to expose.
| | Amazon S3 | Azure Blob Storage | Google Cloud Storage |
|---|---|---|---|
| Server-side encryption | Yes | Yes | Yes |
| Client-side encryption | Yes, client encryption library provided | Yes, client encryption library provided | Allowed, but no client encryption library provided |
| Symmetric key encryption | AES-256-GCM; used for both key encryption and data encryption with SSE-S3, SSE-KMS and client-side encryption (both options); used for data encryption with SSE-C | AES-256; used for data encryption with both server-side and client-side encryption; can be used for key encryption with client-side encryption | AES-256-GCM; used for both key and data encryption |
| Asymmetric key encryption | RSA; can be used for key encryption with client-side encryption (using a client-side master key) | RSA; used for key encryption with server-side encryption (both options) and with client-side encryption | Can be used for client-side encryption, but no integration provided |
| Envelope encryption | Used for all options except SSE-C | Used for all options | Yes |
Key Management
| | Amazon S3 | Azure Blob Storage | Google Cloud Storage |
|---|---|---|---|
| Customer stored and managed | Yes, for SSE-C and client-side encryption using a client-side master key | Yes, for client-side encryption | Yes, for server-side encryption with a customer-supplied KEK; can be used for client-side encryption, but no integration provided |
| Cloud provider stored, customer managed (using your own key management infrastructure) | Yes, for SSE-C and client-side encryption using a client-side master key (using CloudHSM) | No | – |
| Cloud provider stored, customer managed (using the cloud key management service) | Yes, for SSE-KMS and client-side encryption using a KMS-managed CMK | Yes, for server-side encryption with customer-managed keys and client-side encryption (both using Azure Key Vault) | – |
| Cloud provider stored and managed | Yes, for SSE-S3 | Yes, for server-side encryption with service-managed keys | Default encryption method |
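The client-side encryption description and the envelope encryption and KEK rows in the tables above are easier to reason about in code. The following Go program is an added example written for this article, not code from any provider's SDK. It assumes a 32-byte KEK that in practice would live in CloudHSM, KMS, Key Vault or a comparable key service rather than in application memory, and it binds the object's name into both GCM sealings as associated data so that a ciphertext copied to another object name fails to decrypt (the same idea as the encryption context or additional authenticated data the managed key services support).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// EnvelopeObject is what a client-side-encrypting upload stores: the object
// ciphertext plus the wrapped data key. The KEK itself is never stored.
type EnvelopeObject struct {
	Ciphertext []byte // AES-256-GCM output: ciphertext followed by the 16-byte tag
	DataNonce  []byte // 12-byte nonce used with the DEK
	WrappedDEK []byte // the per-object DEK, sealed under the KEK with AES-256-GCM
	KEKNonce   []byte // 12-byte nonce used with the KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes to select AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// mustRandom panics if the OS CSPRNG fails: there is no safe fallback.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Encrypt performs client-side envelope encryption: a fresh DEK encrypts the
// object, then the KEK wraps that DEK. The object name is bound to both
// sealings as associated data, so a ciphertext copied to another name fails.
func Encrypt(kek, plaintext []byte, objectKey string) (*EnvelopeObject, error) {
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek := mustRandom(32) // one DEK per object, never reused
	dataGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	aad := []byte(objectKey)
	obj := &EnvelopeObject{DataNonce: mustRandom(12), KEKNonce: mustRandom(12)}
	obj.Ciphertext = dataGCM.Seal(nil, obj.DataNonce, plaintext, aad)
	obj.WrappedDEK = kekGCM.Seal(nil, obj.KEKNonce, dek, aad)
	return obj, nil
}

// Decrypt reverses Encrypt. GCM's tag check makes a wrong KEK, a renamed
// object or a single flipped ciphertext bit fail closed with an error
// instead of returning garbage.
func Decrypt(kek []byte, obj *EnvelopeObject, objectKey string) ([]byte, error) {
	aad := []byte(objectKey)
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekGCM.Open(nil, obj.KEKNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	dataGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	plaintext, err := dataGCM.Open(nil, obj.DataNonce, obj.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt object: %w", err)
	}
	return plaintext, nil
}

func main() {
	kek := mustRandom(32) // constructed sample; a real KEK lives in an HSM or the provider's KMS
	const name = "records/2024/patient-42.json"
	obj, err := Encrypt(kek, []byte("patient-id=42; diagnosis=redacted"), name)
	if err != nil {
		panic(err)
	}
	// What the storage service holds: random-looking bytes, not the record.
	fmt.Println("stored body:", base64.StdEncoding.EncodeToString(obj.Ciphertext))
	pt, err := Decrypt(kek, obj, name)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	obj.Ciphertext[0] ^= 0x01 // flip one bit in storage
	_, err = Decrypt(kek, obj, name)
	fmt.Println("after tampering:", err)
}
```

The design point is the one the tables make implicitly: the storage service only ever sees `Ciphertext` and `WrappedDEK`, and rotating the KEK means re-wrapping a 32-byte DEK per object rather than re-encrypting every object. Whoever controls the KEK controls the data, which is exactly the distinction the key management rows draw between customer-managed and provider-managed keys.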
Is Cloud Storage For Me? What Are My Options?
If you run a data-centric business with various locations and employees, then most certainly, anywhere and anytime accessibility matters to you more than anything.
In this scenario, storing data in your organization’s on-prem infrastructure is not an ideal option as opposed to storing it in the cloud.
Fortunately, all cloud vendors offer decent options with top-of-the-line security measures built-in. Major CSPs employ industry-standard encryption techniques to secure your data both on the client-side and server-side.
When it comes to data security in cloud storage, breaches and data thefts are most often caused by misconfiguration: over-permissive access policies set by the administrators managing your organization's storage accounts, or mistakes by untrained IT staff, rather than by a failure of the provider's cryptography.
With strong permission management, monitoring support, and access control, you can avert those risks by limiting access to sensitive pieces of information in your cloud storage.
Amazon with its S3 storage bucket makes access control with AWS Identity and Access Management (IAM) much easier. With AWS IAM your admin can independently manage user permissions and grant granular permissions to your employees.
Google Cloud IAM and Azure role-based access control (RBAC) extend the same functionality to Google Cloud Storage and Azure Blob Storage, respectively.
Being in the game for a longer time, Amazon’s AWS S3 and IAM tend to be more sophisticated in terms of tweaks available, giving you unparalleled ways to customize the settings best to your organization’s security policy.
However, Microsoft's Azure Blob Storage is also a wise choice if you already subscribe to other Microsoft enterprise services such as Microsoft 365 Enterprise. The level of integration Microsoft offers is hard for other cloud storage solutions to match.
Google Cloud Storage is also a viable contender if you are a medium or small-sized enterprise.
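As an added example for the AWS case (not from the original article or from AWS documentation), here is the kind of S3 bucket policy that turns the access-control advice above into an enforceable rule. `example-bucket` is a placeholder. The policy refuses any request that arrives over plain HTTP and refuses uploads that do not explicitly ask for SSE-KMS.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUploadsThatDoNotRequestSSEKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

An explicit Deny wins over any Allow, including an administrator's, so these rules hold even for principals whose IAM policies grant `s3:*`. Two caveats matter in practice. S3 has applied default server-side encryption (SSE-S3) to new objects since January 2023, so the second and third statements force the KMS variant rather than prevent plaintext storage. And with SSE-KMS the KMS key policy becomes a second gate: a principal who can read the bucket but lacks `kms:Decrypt` on the key still gets an access denied on GetObject, which is the practical answer to the credential-theft scenario described earlier, because stolen storage permissions alone are no longer enough.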
But surely, without knowledge, experience and expertise, choosing the right fit for your business might present itself as an overwhelming and challenging task. This is why using the help of cloud experts can significantly alleviate the various stumbling blocks and hurdles on your cloud migration journey.
And that is what Clouve was built for.
Clouve is subscription-based online IT helpdesk software that provides premium IT outsourcing services through a dedicated team of cloud experts, ready to resolve your DevOps issues 24/7.
It works as simply as this:
- You subscribe to an amount of monthly tickets you need
- You then add task requests using the ticket-system into the software
- Our cloud experts or sophisticated AI-driven bots resolve your issues efficiently and effectively, every time.
Sign up today for a 90-day FREE TRIAL, no commitment!