How to Fail Safe Your Data in the Cloud or When It’s Shared with 3rd Parties

Tuesday, September 12, 2017

Min-Hank Ho


Experienced engineers know to “fail safe” the systems they design. This basic principle merely says that a system remains in a safe state in the event of any failure. For data security systems, this means that the sensitive data should remain inaccessible if anything goes wrong with the system. The simplest way of accomplishing this is data encryption.

Unfortunately, enterprises often overlook this critical principle when securing their data, even when the data is stored in the cloud or shared with 3rdparty service providers. In these scenarios, the scope of potential failures increase as enterprises lose control and visibility over their data. Take Verizon as an example. They shared customer data with NICE Systems for the purpose of customer analytics. That data included customer information in unprotected form. As a result, when NICE accidentally put the information in a misconfigured S3 bucket in the Amazon cloud, that information was available for the whole world to see.

What happened to Verizon is just a trivial example of how security systems could fail with an honest mistake. Any CISO will tell you that their IT systems are constantly being attacked every day and that their employees are regularly receiving phishing emails. These events represent efforts by malicious parties to actively create failure in enterprise security systems, and the reality is that they only need to succeed once. The question, then, is what those hackers or rogue insiders see when they have circumvented the firewalls, evaded the monitoring, and bypassed access controls. Do they see valuable data ready for the taking, or are they confronted with an encrypted blob that encourages them to give up and seek other targets?

Given the fundamental role encryption can have in securing data, the use of data encryption is still surprisingly low. Nearly every data breach disclosure has indicated that the data was not encrypted. Of course, this may be due to the fact that many regulations do not require a disclosure when the data is encrypted. Despite this safe harbor, however, there’s still breaches disclosed weekly and hundreds of millions of records lost every year. Clearly, many are still not getting the message.

The reasons given for not using encryption are many: encryption is too complex, its overhead is too high, key management is tricky. Furthermore, for cloud and 3rdparty use cases, traditional data-at-rest encryption appears more for meeting bare minimum compliance requirements rather than securing data. Fortunately, encryption solutions have made great strides. In addition to traditional storage and database encryption, application-level encryption options are more readily available and can protect data at a columnar granularity. Encrypting at the application level allows enterprises to maintain control and visibility of sensitive data values even if data is uploaded to the cloud or shared with 3rdparties.

Modern application encryption solutions reduce the application development effort by taking care of key management, monitoring, and reporting. The best solutions eliminate the need for application code changes and make encryption an operational exercise rather than create new development work. By making data security part of the operational process, enterprise can create a uniform agile encryption strategy that can quickly adapt to new security and compliance requirements while focusing their application development team on their core business requirements.

Whether ephemerally or permanently, data will be shared with 3rd parties and/or stored in the cloud. It behooves enterprises to protect that data with application encryption to ensure that there is a last line of defense against any failure in the data security system.

About the author: Min-Hank Ho has been developing enterprise security solutions for over 16 years and currently leads engineering for Baffle, Inc. Prior to joining Baffle, he led the development of Oracle Advanced Security and Oracle Key Vault, widely used data security products for enterprises with Oracle databases.

Possibly Related Articles:
data security cloud storage data encryption
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.