How effective encryption achieves data security and functionality in the cloud

By Anurag Kahol, co-founder and CTO, Bitglass


While the growing popularity of public cloud applications has fundamentally changed the way in which many businesses operate, it has also created a number of previously unseen data security and compliance issues.

This has happened because many of the most popular cloud applications provide very little visibility or control over how sensitive data is handled once in the cloud. Instead, users are expected to simply trust that their data is being kept secure.

Many IT departments are overjoyed with this approach because it takes a significant amount of stress out of operationalising business applications.

However, for security teams it has the opposite effect. Without control and visibility over cloud apps, it is difficult to ensure that corporate data is truly secure. This has led security teams to focus on implementing encryption techniques to attempt to shore up the protection of cloud data.

The primary driver for cloud encryption is the need to ensure that, if intellectual property, trade secrets, or regulated data such as customer payment card information is lost in a breach, it cannot be viewed.

For others, data residency concerns or policies that require control of encryption keys lead them to encryption. In apps like Salesforce, this data exists as structured data; in file-sharing apps such as Box, it is unstructured. In both cases, the most commonly used tool for encryption is a cloud access security broker (CASB).

Encrypting cloud data can be tricky

CASBs mediate connections between cloud apps and the outside world via a combination of proxies and API connectors to applications. In doing so, they create a focal point of visibility and control for cloud applications in use, with controls taking the form of data loss prevention, contextual access control, and, of course, encryption of cloud data at rest.

Unfortunately, using a CASB for encryption has its challenges. In order to preserve application functionality after data is encrypted, some CASBs actually reduce the strength of the encryption.

When data is encrypted, the application is unable to read the encrypted data and loses the ability to do anything with it. The search function is perhaps the best example of this. If a customer file is encrypted and a salesperson attempts to search for it, the application cannot read the file and the search function is broken.

Reducing the encryption strength allows a CASB vendor to ‘crack’ its own encryption in order to allow critical functionality like search.

These functionality issues can seriously impede the productivity benefits that motivated adopting cloud applications in the first place. As such, some CASBs ‘solve’ the issues by limiting the strength of the cryptographic algorithm used. However, doing this severely impairs the overall effectiveness of the encryption, making data much more vulnerable. This has left many businesses with a difficult trade-off between lost functionality and sub-optimal security, neither option being particularly appealing.

Resolving the security and functionality trade-off

The latest development in cloud encryption is one that takes a ‘split index’ approach to searching cloud-based data, which gives businesses the best of both worlds.

When first deployed, API connections are used to analyse cloud applications in use, identify sensitive data at rest, and let the business decide exactly what it wants to encrypt. The CASB will then replace all sensitive data with copies that have been encrypted. The business retains control over the encryption keys in this scenario.

The encrypted data can then be stored in the cloud app or on premises. In the latter case, the only thing stored in the cloud application is an encrypted pointer to where the data lies in the local data store.

The split index approach preserves search by moving the search functionality from the app to the CASB. As data is encrypted, an encrypted local search index is generated on premises, with pointers to the encrypted data associated with the relevant keywords in the index.

When a user searches for data, the search query is executed against this local index, returning all of the associated pointers to the CASB. It then searches for those pointers and retrieves the encrypted files or records, decrypting the data for the user on the fly.
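The following is an added example, not Bitglass code or a description of any vendor's implementation, that puts the two ideas above side by side: once records are encrypted with a randomised cipher, the cloud app's own search finds nothing (the breakage described earlier), and a split index held on premises restores search without weakening the encryption. The sample records, the `SplitIndexCASB` class, the `app_side_search` helper and the `may_read` policy callback are all constructed for illustration; the cipher is a standard-library HMAC-based encrypt-then-MAC construction standing in for a proper AEAD such as AES-GCM, which is what a real deployment should use.

```python
"""Illustrative split-index search over encrypted cloud records (standard library only)."""
import hashlib
import hmac
import os
import re

# Constructed sample records, standing in for what a CASB finds at rest in a cloud app.
SAMPLE_RECORDS = {
    "rec-1": "Customer: Acme Ltd, card ending 4242, contract renewal March",
    "rec-2": "Customer: Globex Corp, contract renewal June",
    "rec-3": "Internal memo: cafeteria menu for March",
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD cipher such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: str) -> bytes:
    """Randomised encrypt-then-MAC: a fresh nonce per call, so identical plaintexts give
    different ciphertexts and nothing about the content is matchable inside the app."""
    data = plaintext.encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> str:
    """Verify the tag before decrypting; a modified ciphertext is rejected, not decoded."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was tampered with or the key is wrong")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


def tokenize(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class SplitIndexCASB:
    """Hypothetical CASB: ciphertext goes to the cloud app; keys and the keyword index stay on premises."""

    def __init__(self, master_key: bytes):
        # Distinct keys for record encryption and for blinding index keywords, both customer-held.
        self.data_key = hmac.new(master_key, b"data", hashlib.sha256).digest()
        self.index_key = hmac.new(master_key, b"index", hashlib.sha256).digest()
        self.cloud = {}  # stand-in for the cloud app's store: pointer -> ciphertext
        self.index = {}  # on-premises index: HMAC-blinded keyword -> set of pointers

    def _blind(self, word: str) -> str:
        # Keywords are stored as keyed hashes so the index itself exposes no plaintext terms.
        return hmac.new(self.index_key, word.encode(), hashlib.sha256).hexdigest()

    def protect(self, records: dict) -> None:
        """Replace each sensitive record with ciphertext and index its keywords locally."""
        for pointer, text in records.items():
            self.cloud[pointer] = encrypt(self.data_key, text)
            for word in tokenize(text):
                self.index.setdefault(self._blind(word), set()).add(pointer)

    def search(self, query: str, may_read) -> list:
        """Run the query against the local index, fetch matching ciphertexts from the cloud
        store, and decrypt only the records the caller's policy permits (need-to-know)."""
        words = tokenize(query)
        if not words:
            return []
        hits = None
        for word in words:
            pointers = self.index.get(self._blind(word), set())
            hits = pointers if hits is None else hits & pointers
        results = []
        for pointer in sorted(hits):
            blob = self.cloud[pointer]
            results.append((pointer, decrypt(self.data_key, blob) if may_read(pointer) else None))
        return results


def app_side_search(cloud: dict, query: str) -> list:
    """What the cloud app's own search is left with once records are encrypted: ciphertext scans."""
    needle = query.lower().encode()
    return [p for p, blob in cloud.items() if needle in blob.lower()]


if __name__ == "__main__":
    casb = SplitIndexCASB(os.urandom(32))
    casb.protect(SAMPLE_RECORDS)
    print("app-side search:", app_side_search(casb.cloud, "contract renewal"))
    print("split-index search:", casb.search("contract renewal", lambda p: True))
```

The design choice worth noting is that search never requires the ciphertext to be predictable: the index, not the cipher, carries the searchable structure, and because the index lives on premises and its keywords are keyed hashes, the cloud provider sees neither the plaintext records nor the terms being searched. The `may_read` callback is where the policy-based, need-to-know release of decrypted data described below would be enforced.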

From there, sensitive data is divulged on a need-to-know basis. Because it is encrypted in the app, it’s not readable by prying eyes such as the rogue cloud vendor employee or the occasional over-reaching government entity.

Even within the business, access is provided by policy, giving the security team complete control over who can access what and when. Using cloud encryption in such a way also allows an organisation to get ahead of government regulations.

For many businesses, data security headaches are causing security teams to resent public cloud applications. Cloud encryption offers a solution, but businesses shouldn’t have to make a choice between app functionality and data security.

The split index approach to encryption will allow businesses to enjoy all the benefits of public cloud applications, while giving security teams full control and visibility of the data, ensuring it remains secure at all times.
