What Challenges Is Data Encryption at Rest Facing in the Cloud?

Oscar Ye
Global Intersection
Sep 5, 2016

In my previous blog, I mentioned one of the challenges: data availability at rest in the cloud. In this blog, I explore more of the challenges that data encryption faces. Every day, 2.5 quintillion bytes of data are created. This data includes information from all around the world, and much of it is stored at rest in the cloud. Encryption is one of the most effective ways to keep such data safe. However, data encryption is not as easy as clicking a button; it involves many complicated processes. CSA (2012) lists the top ten big data security and privacy challenges as follows:

(1) Secure computations in distributed programming frameworks.
(2) Security best practices for non-relational data stores.
(3) Secure data storage and transaction logs.
(4) End-point input validation / filtering.
(5) Real-time security / compliance monitoring.
(6) Scalable and composable privacy-preserving data mining and analytics.
(7) Cryptographically enforced access control and secure communication.
(8) Granular access control.
(9) Granular audits.
(10) Data provenance.

However, not all of these ten challenges relate to data encryption, so I will combine some of them and make additional arguments below.

Differences between cloud platforms make data encryption complicated

As is well known, cloud computing has three service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Each model performs different tasks and offers its own best solution for securing massive amounts of data at rest. This means that each platform has its own encryption approach, and each company builds its own protection for its data. In SaaS, for instance, the provider controls the encryption and usually the keys, whereas in IaaS the customer typically has to encrypt its own volumes and manage its own keys. As a result, a cloud service provider cannot easily maintain so many different varieties of data encryption.

Different countries and jurisdictions have their own compliance regulations

Cloud platforms are often located far from their customers, or across jurisdictional borders, which means data encryption at rest is not always as straightforward as one might hope (Winder, 2010). For example, if an organization in one country is bound by its own regulatory compliance requirements and its data is encrypted and stored abroad, regulators in the hosting country may demand access to that data. On the one hand, the cloud service provider has to protect the data for its customer; on the other hand, it has to answer to the local regulations. Thus, the cloud service provider may find it difficult to handle the situation.

Multiple architectural approaches for encryption

The Cloud Standards Customer Council (2013) noted that there are many architectural approaches to encryption in cloud computing, such as storage-device level, agent based, file-system based and application level. Each approach has its own characteristics with regard to performance and the handling of encryption keys: encryption at the storage-device or file-system level is transparent to applications and protects mainly against loss of the physical media, while application-level encryption is the only approach in which the provider never handles the plaintext, at the cost of losing server-side search and processing. In addition, different encryption algorithms may be used at different layers. Therefore, it is difficult to make the architectural approaches interoperate.

The complexity of encryption key management

Key management is the most important and complex issue of any security system that encrypts data (CSA, 2012). It involves two parts: cryptographic security and key lifecycle management policy. Cryptographic security requires that keys for encrypting data be generated in a secure way, and that the generated keys never be transmitted or exposed in the clear. Keys should also be kept separate from the cloud service provider hosting the data. This is the strongest protection against both a privileged insider at the provider and an external attacker. Ideally, the company should keep control of the encryption keys; however, if those keys are lost or become unreachable, decryption becomes impossible, which increases the challenge of data availability. Key lifecycle management policy requires that keys be revoked when they are no longer needed. For instance, when an employee leaves the company or changes job duties, that person's keys, or access to them, should be withdrawn or reviewed accordingly.

Lawton (2015) argued that key rotation and destruction are also useful, but these become more complex when a company manages its own keys. For example, a third-party encryption proxy can add a protection layer that keeps the keys away from the encrypted data held by the cloud service provider, but the extra layer is itself complex. Eventually, it simply increases the cost for the company.
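The two paragraphs above describe keys that stay on the customer's side, get rotated and are eventually destroyed, and the availability risk that comes with all of that. The following Go program is an added example (not code from the original post or from any of the sources it cites) of the envelope-encryption pattern that implements those requirements: each object is encrypted under its own data-encryption key (DEK), and only a wrapped copy of that DEK, encrypted under a customer-held key-encryption key (KEK), is stored next to the ciphertext at the provider. Rotating the KEK re-wraps the small DEK rather than re-encrypting the data; revoking a KEK version makes every envelope still wrapped under it unreadable, which is exactly the availability trade-off the text warns about. The `KeyStore` type, its in-memory map standing in for a customer KMS or HSM, and the sample record are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what the provider stores: bulk ciphertext plus a fresh per-object DEK wrapped under a customer-held KEK (the plaintext DEK is never stored).
type Envelope struct {
	KEKID      string // KEK version that wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

type KeyStore struct {
	keks    map[string][]byte // KEK versions (assumption: in-memory stand-in for the customer's KMS/HSM; never sent to the provider)
	current string            // id of the KEK version used for new wraps
}

func NewKeyStore() *KeyStore         { return &KeyStore{keks: map[string][]byte{}} }
func (s *KeyStore) AddKEK(id string) { s.keks[id] = randBytes(32); s.current = id }
func (s *KeyStore) Revoke(id string) { delete(s.keks, id) } // destroys a KEK version

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this cannot happen
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a 16-byte AES block
	return gcm
}

func seal(key, data []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, data, nil)
}

func open(key, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil) // also authenticates
	}
	return nil, fmt.Errorf("sealed blob too short")
}

func (s *KeyStore) Encrypt(pt []byte) (*Envelope, error) {
	kek, ok := s.keks[s.current]
	if !ok {
		return nil, fmt.Errorf("no current KEK")
	}
	dek := randBytes(32)
	return &Envelope{KEKID: s.current, WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, pt)}, nil
}

func (s *KeyStore) Decrypt(e *Envelope) ([]byte, error) {
	kek, ok := s.keks[e.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q revoked or unknown: data unavailable", e.KEKID)
	}
	dek, err := open(kek, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}

// Rotate re-wraps the DEK under the current KEK; the bulk ciphertext is untouched.
func (s *KeyStore) Rotate(e *Envelope) error {
	oldKEK, newKEK := s.keks[e.KEKID], s.keks[s.current]
	if oldKEK == nil || newKEK == nil {
		return fmt.Errorf("cannot rotate %q to %q: KEK missing", e.KEKID, s.current)
	}
	dek, err := open(oldKEK, e.WrappedDEK)
	if err == nil {
		e.KEKID, e.WrappedDEK = s.current, seal(newKEK, dek)
	}
	return err
}

func main() {
	ks := NewKeyStore()
	ks.AddKEK("kek-v1")
	env, _ := ks.Encrypt([]byte("customer record #42")) // constructed sample data
	ks.AddKEK("kek-v2")                                  // rotation: new KEK version
	_ = ks.Rotate(env)                                   // re-wrap the DEK only
	ks.Revoke("kek-v1")                                  // destroy the old KEK version
	pt, err := ks.Decrypt(env)
	fmt.Printf("%q %v\n", pt, err)
}
```

Two design points matter here. First, the provider only ever sees `Envelope` values, so neither a privileged employee of the provider nor an attacker with a copy of the storage can decrypt anything without reaching into the customer's `KeyStore`. Second, `Revoke` is deliberately destructive: any envelope that was not rotated before its KEK version was destroyed is gone for good, so a rotation job has to walk every envelope before the old version is retired, which is the operational cost the text attributes to self-managed keys.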

Responsibility itself becomes a challenge

It seems that the stakeholders in cloud computing push the responsibility for data encryption away from themselves, because encryption has so many challenges, as illustrated above. Thales e-Security and the Ponemon Institute (2012) surveyed 4,140 business and IT managers in the US, UK, Germany, France, Australia, Japan and Brazil. One purpose of the research was to examine who is most responsible for protecting data at rest in the cloud. Diagram-1 below shows the result for 4 different categories.

Diagram-1: who is the most responsible for data encryption in the cloud

It shows that 44% of respondents hold the cloud service provider most responsible for protecting data, followed by the cloud consumer at 30%. Only 24% of respondents think the responsibility should be shared between the cloud service provider and the cloud consumer. This means that whichever party takes the responsibility, provider or consumer, will need to overcome all the challenges of data encryption on its own. In this sense, it may increase the cost for that party and build up a complex system that is too difficult to maintain.

In closing, this blog has introduced the challenges of data encryption. Technically, they can be summarized as three challenges: the platform challenges, the architectural approach challenges and the key management challenges, while the challenge of responsibility is about who must overcome all of the above. As a result, only 9.4% of cloud service providers encrypt data once it is stored at rest in the cloud (Coles, 2015). Thus big data at rest is less well protected than data in other states, such as data in transit and data in use. Both cloud service providers and cloud customers need to carefully consider further action and improvement for their own data security in the cloud.

References:

Cloud Security Alliance (CSA). (2012). Top ten big data security and privacy challenges. Retrieved from https://www.isaca.org/Groups/Professional-English/big-data/GroupDocuments/Big_Data_Top_Ten_v1.pdf

Cloud Standards Customer Council. (2013). Cloud security standards: what to expect & what to negotiate. Retrieved from http://www.cloud-council.org/deliverables/CSCC-Cloud-Security-Standards-What-to-Expect-and-What-to-Negotiate.pdf

Coles, C. (2015, July 16). Only 9.4% of cloud providers are encrypting data at rest. Retrieved from https://www.skyhighnetworks.com/cloud-security-blog/only-9-4-of-cloud-providers-are-encrypting-data-at-rest/

Lawton, S. (2015, April 30). Cloud encryption: using data encryption in the cloud. Retrieved from http://www.tomsitpro.com/articles/cloud-data-encryption,2-913.html

Thales e-Security, & Ponemon Institute. (2012). Encryption in the cloud: who is responsible for data protection in the cloud? Retrieved from http://www.ponemon.org/local/upload/file/Encryption_in_the_Cloud%20FINAL_6_2.pdf

Winder, D. (2010, December). Cloud computing and security: SLA compliance and cloud encryption. Retrieved from http://www.computerweekly.com/tip/Cloud-computing-and-security-SLA-compliance-and-cloud-encryption