Application of Encryption for Data at Rest and in Motion
Encryption is a key component to protect data at rest in the cloud. Employing appropriate strength encryption is important: Strong encryption is preferable when data at rest has continuing value for an extended time period. If such long-term value encrypted data is obtained by a third party and if they have an extensive period of time to break or crack the encryption, then the reward can be well worth the effort.
There are multiple ways of encrypting data at rest. Following is an outline of various forms of encryption that serve as protection methods for securing data at rest in the cloud.
- Full Disk Encryption of data at the disk level—the operating system, the applications in it, and the data the applications use are all encrypted simply by existing on a disk that is encrypted. This is a brute-force approach to encrypt data since everything is encrypted, but this also entails performance and reliability concerns. If encryption is not done at the drive hardware level, then it can be very taxing on a system in terms of performance. Another consideration is that even minor disk corruption can be fatal as the OS, applications, and data.
- Directory Level (or Filesystem) In this use of encryption, entire data directories are encrypted or decrypted as a container. Access to files requires use of encryption keys. This approach can also be used to segregate data of identical sensitivity or categorization into directories that are individually encrypted with different keys.
- File Level Rather than encrypting an entire hard drive or even a directory, it can be more efficient to encrypt individual files.
- Application Level The application manages encryption and decryption of application-managed data.
Critical to implementing any of these forms of encryption is the need to manage the keys that are used to encrypt and decrypt data. In addition, identifying recovery methods for when encryption keys are lost needs to be considered. When a key is lost or not available, it is important to know what options are available to recover the data for instance, do backups exist?
Also, consider the potential for side channel attacks with encryption. Simply defined, side channel attacks are attacks that target the operating nature (or environment) where the encryption is occurring in contrast to exploiting the encryption mechanisms themselves. In the context of cloud security, side channels may potentially exist by virtue of operating within the same physical infrastructure and using shared resources with other subscribers. The site sidechannelattacks.com has an extensive list of different types of side channel attacks.B
Application of Encryption for Data in Motion
The two goals of securing data in motion are preventing data from being tampered with (integrity) and ensuring that data remains confidential while it is in motion. Other than the sender and the receiver, no other party observing the data should be able to either make sense of the data or alter it. The most common way to protect data in motion is to utilize encryption combined with authentication to create a conduit in which to safely pass data to or from the cloud.
Encryption is used to assure that if there was a breach of communication integrity between the two parties that the data remains confidential. Authentication is used to assure that the parties communicating data are who they say they are. Common means of authentication themselves employ cryptography in various ways. Transferring data via programmatic means, via manual file transfer, or via a browser using HTTPS, TLS, or SSL are the typical security protocols used for this purpose. A PKI is used to authenticate the transaction (trusted root CAs), and encryption algorithms are used to protect the payload.
BThis site was created as a research tool for the Reliable Computing Laboratory at Boston University. For more information, see http://sidechannelattacks.com.