The do's and don'ts of safeguarding cloud-based data with encryption

One of the biggest stumbling blocks for companies contemplating entrusting a cloud-computing vendor with their data is the risk of unintended data exposure. A lot of data is sensitive. It might contain employees' financial information, patients' statutorily protected health information, other regulated information or proprietary intellectual property. Quite often, companies feel more control when they keep that sort of data in-house. But the risk that a cloud vendor might not handle your information as securely as you'd like can be mitigated.

One good way to do that is with encryption. An encryption algorithm encodes data, rendering it unreadable to those who don't possess the decoding key. The idea is that, if encrypted data falls into the wrong hands, it will be of little or no use without the encryption key. This can help mitigate concerns related to the data being hacked or even being legitimately accessed by a government, which is a particular concern when the data center where the data is being stored by the cloud vendor is located in a foreign country.

If you're depending on encryption to protect your cloud-based data, you'll need to determine how the cloud vendor facilitates encryption. Questions to ask include the following:

* Does the cloud vendor encrypt your data both at rest and in transit?

* What level of encryption does the cloud vendor employ (128-bit, 256-bit, etc.)?

* Who has access to the encryption key (customer, cloud vendor, third parties, key escrow)?

* What encryption standards have been employed by the cloud vendor? For example, Federal Information Processing Standard (FIPS) 140-2?

*How are encryption keys managed, and where is the encryption key located?

This last question is particularly important because sloppy handling of the key can negate the value of encryption. For example, in December 2011, was hacked by the hacktivist group Anonymous).'s data was encrypted, but those diligent Anonymous folks hacked in again, found and accessed the encryption keys, used them to decrypt the data obtained during the initial hack, and posted that data on the Web for public viewing.

Even when used and configured appropriately, encryption isn't always a silver bullet. As with most risk mitigation strategies, there's a trade-off between costs and benefits. Risk might go down with encryption, but adding encryption typically increases the total cost of using a cloud solution. What's more, adding encryption can result in slowed or diminished performance due to the extra steps introduced into the process. And in reducing one risk, an entirely new one is introduced: If the encryption key is lost, the data can no longer be decrypted and essentially becomes useless, even to the customer.

Meanwhile, cloud vendors themselves are developing and deploying alternative techniques for rendering compromised data useless. Examples include these two:

* Distributed file systems -- Individual files are essentially split into multiple pieces and stored on multiple machines in multiple locations. The idea is that if any one data element falls into the wrong hands, it will be of little or no value without access to the remaining parts of the file.

* Data masking/obfuscation -- The relationship of sensitive data to related data elements and/or data subjects is obscured, rendering the data useless should it be inappropriately accessed.

Any company thinking about adopting a cloud-computing service should identify the mechanisms for addressing data risks that the vendor uses or supports, determine which meet the customer's needs and ensure that those are codified in the contract as minimum requirements.

* * *

Interested in learning more about cloud computing risk mitigation via contract negotiation and vendor management? Then please register for my seminar Contracting for Cloud Computing Services March 25-26, 2013 in Los Angeles. I look forward to seeing you there.

Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit

Join the CSO newsletter!

Error: Please check your email address.

Tags securityencryptioncloud computinginternet

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Thomas Trappler

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts