Security

The encryption tonic to cloud headaches

By Anurag Kahol, CTO at Bitglass
Published: 12 October 2017

The rise of the cloud as a business essential has no doubt been a productivity boon, but it has also produced some serious data security and compliance problems, because most popular cloud applications offer little visibility into, or control over, the data they hold. For the security team, this lack of control makes it harder to ensure that sensitive data is not being leaked or used inappropriately. One of the most widely used means of securing data on-premises is encryption, so it seems sensible that security teams would assess the various methods of encrypting their cloud-based data to keep it protected.

The main motivation for cloud encryption is the need to guarantee that if IP, trade secrets or regulated data such as customer payment card information were exposed in a cloud breach, it could not be read. In some cases, data residency requirements or policies that mandate control of the encryption keys lead companies to look at ways to encrypt data while it sits in cloud applications. In apps such as Salesforce the data is structured (fields and records), whereas in file-sharing apps such as Box it is unstructured (whole files). In both cases, the tool most commonly used for encryption is a cloud access security broker (CASB).

A functionality and security trade-off
CASBs mediate connections between cloud apps and the outside world through a combination of proxies and API connectors to applications. In doing so, they create a focal point of visibility and control for cloud applications in use, with controls taking the form of data loss prevention, contextual access control and all importantly, encryption of cloud data at rest.

Unfortunately, using a CASB for encryption is not without its challenges. Once data is encrypted, the application can no longer read it and so loses the ability to do anything with it. Search is the clearest example: if a customer file is encrypted and a sales person searches for it, the application cannot read the file, so the search returns nothing. To preserve such functions, some CASBs deliberately weaken the encryption so that the ciphertext keeps enough structure for the application to match on, in effect letting the CASB "crack" its own encryption. The catch is that whatever structure the application can exploit is equally available to anyone else who obtains the ciphertext.

These functionality problems can seriously undermine the productivity benefits that justified adopting cloud applications in the first place, which is why some CASBs have limited the strength of the cryptography they use. Doing so severely impairs the effectiveness of the encryption and leaves the data much more exposed. Many businesses have therefore faced a difficult trade-off between lost functionality and sub-optimal security, with neither option particularly appealing.

The Split Index approach to encryption
The latest development in cloud encryption takes a Split Index approach to searching cloud-based data, which gives businesses the best of both worlds. When first deployed, API connections are used to analyse the cloud applications in use, identify sensitive data and let the business decide exactly what it wants to encrypt. The CASB then replaces each sensitive item with an encrypted copy, and the business retains control of the encryption keys. The encrypted data can be stored either in the cloud app or on premises; in the latter case, the only thing stored in the cloud application is an encrypted pointer to where the data lies in the local data store.

The Split Index approach preserves search by moving the search function from the app to the CASB. As data is encrypted, an encrypted search index is built on premises, mapping each relevant keyword to pointers for the encrypted records or files that contain it. When a user searches, the query is executed against this local index, which returns the matching pointers to the CASB. The CASB then looks up those pointers in the application, retrieves the encrypted files or records and decrypts them for the user on the fly. The cloud application itself never sees the keywords, the index or the plaintext.
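The flow just described, as an added illustration that is not Bitglass code and not part of the original article: a toy split-index CASB in stdlib-only Python. The `CloudApp` and `SplitIndexCASB` classes, the sample records and the cipher are all constructed for the example. The cipher (HMAC-SHA256 keystream plus HMAC tag) is a stand-in for a real AEAD such as AES-GCM, which a production CASB would use; the point is the data flow, namely that the cloud side holds only random pointers and randomised ciphertext while the keyword index and keys stay on premises.

```python
"""Toy split-index search over encrypted records (stdlib only, added example)."""
import hashlib
import hmac
import re
import secrets


def _derive(master_key, label):
    """Domain-separated subkey; assumption: master key lives in an on-prem KMS/HSM."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode. Stand-in for a real cipher, not for production use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Randomised encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    stream_key, mac_key = _derive(key, b"stream"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)  # fresh nonce => same plaintext never repeats
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before touching the ciphertext; reject any tampering."""
    stream_key, mac_key = _derive(key, b"stream"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(stream_key, nonce, len(ct))))


class CloudApp:
    """Stand-in for the SaaS side: it only ever stores opaque pointers and ciphertext."""

    def __init__(self):
        self.records = {}

    def put(self, pointer, blob):
        self.records[pointer] = blob

    def get(self, pointer):
        return self.records[pointer]


class SplitIndexCASB:
    """On-premises component: holds the keys and the keyword -> pointer index."""

    def __init__(self, master_key, cloud):
        self.enc_key = _derive(master_key, b"records")
        self.idx_key = _derive(master_key, b"index")
        self.cloud = cloud
        self.index = {}  # HMAC(keyword) -> set of pointers; never leaves the premises

    def _keyword_token(self, word):
        # Keyed hash so the local index does not store keywords in the clear.
        return hmac.new(self.idx_key, word.lower().encode(), hashlib.sha256).hexdigest()

    def store(self, record):
        pointer = secrets.token_hex(16)  # random, carries no information about content
        self.cloud.put(pointer, encrypt(self.enc_key, record.encode()))
        for word in set(re.findall(r"\w+", record.lower())):
            self.index.setdefault(self._keyword_token(word), set()).add(pointer)
        return pointer

    def search(self, query):
        """Resolve the query locally, then fetch and decrypt only the matching records."""
        tokens = [self._keyword_token(w) for w in re.findall(r"\w+", query.lower())]
        if not tokens:
            return []
        pointers = set.intersection(*(self.index.get(t, set()) for t in tokens))
        return sorted(decrypt(self.enc_key, self.cloud.get(p)).decode() for p in pointers)


def demo():
    """Returns (search hits, whether any plaintext keyword is visible cloud-side)."""
    cloud = CloudApp()
    casb = SplitIndexCASB(secrets.token_bytes(32), cloud)
    # Constructed sample records, not real customer data.
    for record in (
        "Acme Corp renewal, contact Jane Doe, card ending 4242",
        "Globex invoice overdue, contact John Roe",
        "Acme Corp support ticket, contact John Roe",
    ):
        casb.store(record)
    hits = casb.search("Acme contact")
    leaked = any(b"Acme" in blob for blob in cloud.records.values())
    return hits, leaked


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking when evaluating a real product against this model: the records stored in the cloud are randomised, so two records sharing a keyword are indistinguishable to the provider, and the index that does reveal which pointers share keywords sits on premises with the keys. That index and the CASB are where plaintext exists at search time, so they inherit the protection burden the cloud app no longer carries.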

From there, sensitive data is divulged on a need-to-know basis. Because it is encrypted in the app, it is not readable by prying eyes such as a rogue cloud vendor employee or an over-reaching government entity. Even within the business, access is granted by policy, giving the security team control over who can access what, and when. The trust boundary moves accordingly: the CASB and the on-premises key store now hold the keys and the index and handle plaintext at search time, so they need the hardening, access control and monitoring that the cloud app could not provide. Using cloud encryption in this way also helps an organisation prepare for the GDPR, which applies from May 2018.

The cloud can be a headache for security teams, who worry about the implications of storing their data in the various cloud apps on offer. Cloud encryption eases that headache, but businesses should not have to choose between app functionality and data security. The Split Index approach can resolve this trade-off, allowing businesses to use cloud apps without restriction while security teams keep control and visibility of the data, so that it remains protected at all times.