Corporations Must Step Up to the Plate to Enhance the Security of Cloud Computing

Posted on by Robert Ackerman

Now that we’ve passed the midpoint in 2020, one thing in the cybersecurity world has become crystal clear: The need for better security within public clouds must be addressed by enterprises once and for all, and that entails cryptography.

No question, enterprises large and small have realized the benefits of rapidly deployable, reasonably priced and extremely scalable public computing infrastructure. According to Forbes, the global cloud computing market will reach $411 billion this year.

But what about the security? Is it up to snuff?

Not really, even though some public cloud purveyors offer some encryption as an option and sometimes by default. This step is hardly foolproof, however, and that should come as no surprise. After all, data in the cloud is stored with a third-party provider and accessed over the internet. This means visibility and control over that data—including its security—is limited.

Fact is, cloud service providers treat cloud security risks as a shared responsibility. The good news is that some cloud companies allow clients to encrypt their data before sending it to the cloud, and it’s becoming increasingly clear that this—or possibly the additional option of adopting a few other proven, state-of-the-art fixes for cloud security—is the preferred route for truly security-conscious enterprises.

That enhanced data encryption in the cloud makes sense began circulating roughly two-and-a-half years ago, when technology and cloud giant Accenture confirmed that it inadvertently left a gigantic store of private data access across four unsecured cloud servers. This exposed highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

Since then, misconfigured cloud settings have caused multiple incidents of data exposures in the Amazon Web Services cloud. In addition, a misconfiguration error in Microsoft’s Azure cloud exposed 250 million technical support accounts. Meanwhile, MVISION Cloud, a unit of McAfee, analyzed the encryption controls offered by more than 12,000 providers and found yet more shortcomings. While 82 percent of cloud service providers encrypt data in transit between the user and the cloud service, not even 10 percent of cloud providers encrypt data once it’s stored, MVISION found.

According to CloudPassage, a software-as-a-service purveyor that provides security for private, public and hybrid clouds, one of the worst mistakes made by public cloud companies is having easily hacked administrative credentials—essentially the keys to the kingdom. As it turns out, attackers can execute a breach with a badly configured set of privileged credentials—a common occurrence, unfortunately, when a cloud company cuts corners in a rush to market.

Other mistakes among public crowd companies include exposed data assets, weak network access control and poor event logging, which impedes efforts to detect, contain and analyze compromises in the cloud.

On the bright side, there are companies today that help enterprises adopt cloud encryption. One—born out of research done at MIT—is cybersecurity company PreVeil, whose end-to-end encryption could redefine cloud-based cybersecurity in a way that doesn’t interfere with workflows while still enabling popular cloud-based machine-learning applications.

Another company with a different approach to the same end goal is Zscaler, which offers a Secure Web Gateway in the cloud via software-as-a service. No hardware is required. Zscaler decentralizes cybersecurity protection, allowing data to flow back and forth from a public cloud rather than redirecting it to clients’ own physical data centers.

Still another form of cryptography enhances the breadth of the science by offering fresh analytical capabilities as well as security – homomorphic encryption (HE). HE is attracting more attention from select technology companies such as IBM Microsoft and Google and some startups, and slowly growing. Among HE startups is Enveil, which the World Economic Forum has named one of its 100 technology pioneers for its work in privacy-enhancing technology. HE makes it possible to analyze or manipulate encrypted data without revealing the data to anyone, offering huge potential in areas with sensitive personal data such as in financial services or healthcare – areas in which the privacy of a person is paramount.

The biggest barrier to widespread adoption of HE is that it is still very slow and so not yet practical for many applications. Nonetheless, company researchers are working diligently to speed up the process by decreasing the required computational overhead.

Microsoft, for example, has created SEAL, a set of encryption libraries that allow computations to be performed directly on encrypted data. SEAL is partnering with companies to build end-to-end encrypted data storage and computation services. Google—another tech giant that has moved into the field—last year unveiled an open-source cryptographic tool similarly focused on analyzing data in its encrypted form with only the insights derived from the analysis visible, not the underlying data itself.

An even more futuristic development that cryptography-minded folks should be aware of—although in this case, in a blatantly negative sense—is quantum computing, based on the principles of quantum physics.

At least a decade away, ultra-fast quantum computers could perform calculations exponentially faster than classic computers—in the wrong hands potentially enabling the destruction of the encryption protecting their data. Fortunately, there is also some good news on this front. The National Institute of Standards and Technology is already pushing researchers to analyze potential problems in this “post-quantum” era. Meanwhile, IBM has already successfully demonstrated a quantum-proof encryption method it developed.

For now, here are six security tips for companies moving to public or even multi-cloud environments and concerned about cryptography and related security disciplines.

+ Get the basics right. Establish a strategy for multi-cloud encryption and the management of cryptography keys before expanding to more advanced crypto technologies.

+ Leverage encryption as part of your broader IT security efforts. Companies that don’t have effective data classification and/or a prioritization program in place tend to struggle with data encryption. Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information.

+ Build in crypto agility. This refers to the capacity for an information security system to adopt an alternative to the original encryption method without significant change to system infrastructure. Be ready to replace or retire your deployed cryptography as needed.

+ Ensure that only authorized users can access data. This is critical to prevent tampering by anyone inside or outside the organization. Audit access controls regularly to ensure their validity.

+ Develop robust plans for business continuity and disaster recovery of crypto keys. Inventory keys and cryptographic libraries so you can recover your data alongside your protection mechanisms.

+ Make sure your cryptography is integrated into the DevSecOps world. Ensure that DevOps teams choose crypto libraries that follow secure coding practices.

In the final analysis, encryption is tough stuff, but extremely important in the world of security. Companies that embrace it and incorporate it properly are taking an additional big step to protect their data and their reputation in a world inundated by embarrassing, hurtful and costly cyber-breaches.

Now that cloud computing has introduced encryption widely, security-minded companies are under growing pressure to keep the ball rolling and help move on to next steps.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Cloud Security

cloud security cryptography

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs