Encryption of cloud data is great – but it’s not a magic bullet

(c)iStock.com/BsWei

The headlong stampede of enterprise data into the cloud has passed by.

A few years ago I might have written it was ‘underway,’ but this would grossly understate the situation.  Data which was once stored on premise has left the building, the twinkling lights on the tin box in your racks are slowly blinking out. Data osmosis is taking place, draining life force from these antiquated shells into vast data-centres run by some of the largest companies on earth.   It is more than a trend.  It is just reality. 

So as a million barn gates are slammed, the new question on everyone’s lips is one of security.   How do we keep that perfectly curated company data safe when prying eyes hidden in a world of VPNs, bulletproof hosting and dark forums are watching?   In this world, encryption is often touted as a saviour.  People have been given hope by a technique shrouded in a complex veil of military nomenclature and supported by brain melting numbers, with billions of possible variations.

I’m not here to criticise encryption.  It brings a level of complexity that is good in many respects as it makes things harder for threat actors. Encrypted data is more secure than unencrypted data, as long as keys are stored separately and updated on a regular basis. Fact. Google agrees, and that is often a good sign. Low frequency access to data at rest will be well served by encryption because access is not required often, and it is hard to do.

This complexity also exposes one of the weaknesses of the approach, however. Encryption is a reflection of the fact that it is expecting to be stolen, a defensive posture. However, one of the main points of having data in the cloud is because it is supposed to be easy to access.  Wherever, whenever, right?

As more and more daily business is done in the cloud we need to enable this, not make it harder. Also, there is the great unmentionable that the vast majority of data breaches come from within the organisation, and it’s not a great stretch to assume that this could happen by grabbing encryption keys, using social engineering.  

For this reason, monitoring and access control needs to be a big part of keeping cloud data safe. Organisations need to know who has accessed what, where from and what they are doing with it.  Actually, the most important thing to know is, are they allowed to do what they are trying to with your cloud data? We need to know more than plain ‘access attempts’; we need to learn about every single person in any given organisation, what their role is and if they are acting within it. 

Encryption is a wall.  It is a very high wall with barbed wire around your data and a very good way of stopping people accessing things.  However, data sitting inert is just a bunch of information stored on a disc.  Data needs to be free, in motion and used by humans, if it is to be given value.  For this reason, we need to enable organisations in an intelligent manner.  Give people the tools to make the most of their data, rather than just locking it in a bunker.