Encryption Consulting has analysed the Global Encryption Trends 2022 Read the detailed report

    Developing a Data Protection Architecture in Cloud

    Encryption Consulting > Data Protection > Developing a Data Protection Architecture in Cloud
    6 Nov 2021

    Developing a Data Protection Architecture in Cloud

    /
    Posted By

    Read time: 3 minutes 42 seconds

    Cloud computing is increasingly being adopted by many organizations today. It offers convenient access to a shared pool of computing resources like infrastructure, platforms, storage, data, software, and applications as a service to its users. Many organizations are moving to the cloud, as it helps in collaboration, improves scalability, availability, flexibility, and productivity, along with reduced operational costs.

    Gartner has predicted that spending on public cloud services will grow by 23.1% in 2021 to a total of $332.3 billion. The COVID-19 pandemic and shift to remote working has forced companies to move their workloads from on-premises to the cloud. Apart from this, many emerging technologies such as containerization, edge computing, and analytics are driving the additional growth of cloud computing.

    Cloud computing provides multiple advantages, but there are still many security issues that are of great concern to organizations. Organizations are saving their critical applications and customer’s personal data in the cloud, and securing those applications and data is critical for their business. There have been multiple security incidents in the past few years where companies failed to secure customer’s sensitive data in the cloud. In January 2020, over 250 million Microsoft customer records were exposed online without proper protections. In 2021, a massive data leak exposed LinkedIn profiles of 700 million users. The personal data of the affected users was put up for sale on a dark web forum. The exposed data included Personally Identifiable Information (PII) of users such as Full Names, email addresses, home addresses, phone numbers etc.

    Along with the organizations, the focus of hackers has also shifted from on-premises data to cloud data. According to a survey, almost every organization has experienced a cloud data breach in the past 18 months. Gartner has stated in its cloud security assessment report that by 2025 99% of the cloud security failures will be due to the security issues on the customer’s side rather than the cloud provider side.

    In the current scenario, if businesses want to expand their cloud usage, they need to protect the sensitive data in the cloud and strengthen the overall cloud data security. If companies want to benefit from cloud computing, alongside securing customer’s data and trust, they need to develop a secure architecture for data protection in the cloud.
    Encryption Assessment

    Organizations’ Concerns for cloud data security

    When an organization moves its sensitive data to the cloud, it has many concerns and questions related to the storage and protection of data in the cloud. Some of these concerns are:
    Does the cloud provider have sufficient security capabilities and supported technologies?
    Is the cloud provider adhering to the needed compliance regulations and specifications?
    What are the security protocols being used by the cloud provider?
    How the cloud provider is storing data?
    Is the cloud provider saving the sensitive data on the same physical host with other tenants?
    Is the cloud provider ensuring the physical security of the servers storing the data?
    Does the cloud provider have access to the organization’s data?
    Does the cloud provider protect the data at rest as well as in-transit?
    What are the different encryption technologies the cloud provider is using?
    Does the cloud provider have access to the encrypted data?
    How the encryption keys are stored and protected?
    Does the cloud provider have access to the encryption keys?
    How the encryption keys are refreshed and rotated?
    Does the cloud provider follow breach notifications as per company’s policies and standards?
    How to manage data across multi-cloud environments?
    How to protect data in multi-cloud environment?
    How to manage keys in multi-cloud environment?

    Developing Architecture for Data Protection

    Cloud customers need to take control of securing their sensitive data in the cloud rather than relying only on the cloud provider to protect their data. Organizations should ensure that the cloud data protection architecture satisfies the below recommendations:
    1. Sensitive data is protected at rest, in transit and in use.
    2. Sensitive data should always be encrypted at the organization side before it is transmitted to the cloud for storage.
    3. The encryption keys should be controlled by the organization and not the cloud provider.
    Encryption keys are a fundamental component of any cryptographic system, and they should be always protected from unauthorized access. In data encryption, key management is the most difficult part. It becomes even more complex in cloud and multi-cloud environments. Key management refers to the management of encryption keys. It includes key generation, key storage, key rotation, key usage, key access, and key destruction. A key management service allows the customers to manage their own keys that are used to encrypt the data in the cloud. Most of the cloud providers provide Key Management services. Organizations can use cloud-based encryption in which the cloud provider generates and manages the keys that are used to encrypt and decrypt the data. Organization can use Bring Your Own Key (BYOK) in which they generate and manages the encryption keys, but the cloud provider has access to the keys. Organizations can also generate, manage, and store their encryption keys in their own environments and the cloud provider does not have any access to the keys.
    In order to take advantage of the various cloud tools and platforms, organizations need to create a data centric security strategy to protect their sensitive data in the cloud. It is impossible to develop a single data-protection solution for the cloud as it involves multiple aspects. Security of the data needs to be analyzed from multiple aspects and a robust and secure cloud data protection architecture should be created. Organizations need to understand the built-in security provided by the cloud providers and how to use them to our advantage. Most of the cloud providers provide both at rest and in-transit encryption that can be utilized to secure data in the cloud. Strong access controls and password policies must be implemented to secure our data.

    Conclusion

    Encryption Consulting can help you identify and secure your sensitive data in the cloud, understand and utilize the data protection methods provided by the cloud providers, manage your keys in multi-cloud environments, adherence to privacy regulations and compliances, and strengthen your organizations’ cloud data security.

    Subscribe to

    weekly blogs.

    Join our professional community and learn how to protect your organization from external threats!

    Our weekly blogs tackle topics from common code signing mistakes, to building your own PKI.

    About Post Author

    Anuradha is a cybersecurity expert with 15 years of experience in Cybersecurity space. She is currently working as Senior Encryption Consultant at Encryption Consulting LLC.

    You may also like these blogs

    Related Posts

    Data Loss Prevention in Cloud Computing - GCP's DLP API
    Google Cloud Platform's Data Encryption Tools - KMS, HSMs, and PKIs
    Google Cloud Security - Data Encryption

    Want to learn from AWS Experts

    We train some of the biggest names in the industry through virtual & Live Classes

    Get Traning Details

    Get a Free Quote for your Cloud Advisory Services

    Request Quote

    Free Downloads for Cloud Advisory Services

    Download our datasheet on Cloud Advisory Services

    ×

    The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

    Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security

    The command line signing tool provides a faster method to sign requests in bulk

    Robust access control systems can be integrated with LDAP and customizable workflows to mitigate risks associated with granting wrong access to unauthorized users, allowing them to sign code with malicious certificates

    Support for customized workflows of an “M of N” quorum with multi-tier support of approvers

    Support for InfosSec policies to improve adoption of the solution and enable different business teams to have their own workflow for Code Signing

    Validation of code against UpToDate antivirus definitions for virus and malware before digitally signing it will mitigate risks associated with signing malicious code