Understand the importance of proper encryption policies when moving to the cloud.
In today’s technologically-driven marketplace, it seems as if every organization is using or planning to use some type of cloud solution to manage and store critical data. And while this offers a host of advantages, it also presents challenges, chief among them being security. In working with my clients, I always try to convey the importance of safeguarding their information when moving large amounts of critical data online.
We always ensure that company administrators understand the benefits of proper key management to ensure that moving to a cloud provider like Amazon Web Services doesn’t increase exposure to data breaches, or give up control of sensitive information.
To address these concerns, it’s crucial to implement a data-focused security solution within each AWS migration. This solution must place the necessary security protections and controls around the sensitive data that would-be attackers are interested in getting their hands on. In addition, data needs to be safeguarded wherever it resides, which could include snapshots, disaster recovery locations, and backup repositories.
When choosing a security solution, it’s important to find a provider that offers the following encryption tools in their suite of services:
Policies that ensure privileged user access controls to all encrypted data
When used in tandem with Amazon’s Elastic Block Storage (EBS) and Elastic Compute Cloud (EC2), Amazon’s Identity and Access Management (IAM) service focuses on controlling network access to individual instances, but it does not offer access controls for any data that resides within the AWS itself. To prevent unauthorized access to critical data, there should be strong, centrally-managed access policies in place at the file system level that enforce when any data can be decrypted.
By implementing access controls with strong encryption capabilities, companies can create robust user access that enables privileged users to perform updates, system management, and other administrative functions, without giving them direct access to protected database tables or other encrypted files.
Integrated encryption and key management
Using robust, industry-standard algorithms for data encryption is one of the most critical steps in protecting sensitive data. Centralized key management should be simple and seamless, offering deployment options that match an organization’s unique needs. Any solution that is implemented should support the storage of keys within the AWS cloud, or within hybrid cloud offerings like AWS Virtual Private Cloud, where data can reside both in the cloud and locally. Finally, to ensure maximum security, keys must always be stored separately from an organization’s critical data, and never be revealed, even to storage administrators.
The above guidelines represent the absolute baseline for meeting compliance requirements and should be viewed as best practices for protecting critical company data.
Vormetric Encryption solutions on AWS
I often recommend Vormetric’s encryption solution for clients who are migrating critical data to Amazon’s cloud servers. Vormetric Transparent Encryption for AWS delivers all of the features necessary to create strong data protection within the cloud, including:
- Integrated key management and encryption that protects organizational data at the system level within EBS and EC2 instances.
- Strict separation of roles for systems and security management.
- Robust APIs and command line tools that integrate well with other third-party infrastructure solutions.
- A highly scalable structure.
- Security intelligence reporting that enables integration with SIEM tools that support compliance reporting and event analysis.
- Access policies offering privileged user controls that ensure data is decrypted only for authorized processes and users, while still allowing cloud and system admins to perform their duties without having access to sensitive data.
If your organization is moving to the cloud to improve performance and scalability, it’s critically important that you do so methodically and with a laser focus on security. Proper planning will avoid the nightmare scenario that can threaten the existence of entire companies: a monumental data breach that causes your customers to lose faith in you.
