Encryption and Key Security

Mushegh Hakhinian, Security Architect, IntraLinks
POSTED ON June 27, 2011

There has been some media coverage over recent weeks about complaints filed against a cloud-based backup provider. The complaints allege that the company misrepresented its security features, chiefly by not disclosing its lack of encryption.

Encryption should be a basic essential in providing a secure cloud-based service. This, therefore, seems like an appropriate time to share my thoughts on how businesses and consumers can recognize the proper implementation of encryption, giving them greater peace of mind as they finalize their choice of a cloud service provider.

Encryption, the practical use of cryptography, is widely used to protect data from prying eyes or, more formally stated, to ensure data confidentiality. Cryptography protects information from unauthorized disclosure by encoding it under a key. In effect, it shrinks the amount of information that needs protecting from the whole body of data down to the key.

The key is the most important component in cryptography and therefore deserves the most attention when evaluating or comparing solutions. Don’t be mesmerized by vendor statements about the size of the key or the strength of the algorithms. Standard encryption algorithms are vetted by governments and published for everybody to use. A vendor saying “we have implemented military-grade AES-256 encryption, which is strong enough to protect top secret classified documents, so it is more than adequate for your business” has merely shown that it can do basic research and call the crypto APIs of the language it codes in. That is absolutely necessary, but it doesn’t mean the vendor is meeting the highest standards. Especially when encryption is an afterthought or a last-minute requirement brought up by customers, the least experienced member of the team typically ends up implementing it.

As for the keys, the majority of applications still use one key for everything, and key management is viewed as something that developers should take care of. This is where the crux of the issue with encryption lies. Pay particular attention to how providers describe key management: it is a mission-critical business process and should be treated as one. It is too complex to push down to the end user, which some providers nevertheless do. That sounds good on the surface, since end users get full control, but inevitably it means they take on additional costs and responsibilities.

The reality is that most end users are not equipped to implement proper key management. There are a number of best practices that cloud service providers should follow and that are very difficult for an end user to implement:

  • Use only randomly generated keys of full length; never pad a short key with repeated characters such as spaces
  • Implement a layered key system: master keys that protect other keys, and data keys that encrypt and decrypt user data
  • Properly maintain the key lifecycle
  • Make sure that key-protected data is backed up together with its key, so that the key can be reliably retrieved when the data is restored
  • Use a unique data key for each encryption operation
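
The layered key system in these best practices, and its contrast with the “one key for everything” design criticized above, can be shown concretely. The following Go program is an added example written for this page; it is not IntraLinks code and does not describe any particular provider’s implementation. It assumes AES-256-GCM from Go’s standard library, master keys held in memory and passed in by the caller (a provider would keep them in an HSM or key management service), and a constructed sample document as input. Every object gets its own randomly generated data key; that data key is wrapped under a labelled master key and stored in the same envelope as the ciphertext, so key and data are backed up together; and rotating the master key re-wraps only the small data key instead of re-encrypting the bulk data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newRandomKey draws a full-length AES-256 key from the OS CSPRNG: no passphrase, no padding.
func newRandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM under a fresh random nonce; returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to ciphertext, tag or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is what is stored, and backed up, per object: data under its own data key,
// plus that data key wrapped under a named master key, so key and data travel together.
type Envelope struct {
	MasterKeyID    string // label of the master key that wrapped DataKeyWrapped
	DataKeyWrapped []byte
	Ciphertext     []byte
}

// Encrypt generates a unique data key for this one object and wraps it under the
// master key; the key ID is bound as AAD so a wrapped key cannot be relabelled.
func Encrypt(masterID string, masterKey, plaintext []byte) (*Envelope, error) {
	dek, err := newRandomKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(masterKey, dek, []byte(masterID))
	if err != nil {
		return nil, err
	}
	return &Envelope{MasterKeyID: masterID, DataKeyWrapped: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the master key, then opens the data.
func Decrypt(masterKey []byte, env *Envelope) ([]byte, error) {
	dek, err := open(masterKey, env.DataKeyWrapped, []byte(env.MasterKeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key under %s: %w", env.MasterKeyID, err)
	}
	return open(dek, env.Ciphertext, nil)
}

// RotateMasterKey re-wraps the data key under a new master key; the bulk ciphertext is untouched.
func RotateMasterKey(oldMK []byte, newID string, newMK []byte, env *Envelope) error {
	dek, err := open(oldMK, env.DataKeyWrapped, []byte(env.MasterKeyID))
	if err != nil {
		return err
	}
	wrapped, err := seal(newMK, dek, []byte(newID))
	if err != nil {
		return err
	}
	env.MasterKeyID, env.DataKeyWrapped = newID, wrapped
	return nil
}

func main() {
	mk, _ := newRandomKey() // in-memory master key: assumption for this example
	env, _ := Encrypt("mk-2011", mk, []byte("constructed sample document"))
	pt, err := Decrypt(mk, env)
	fmt.Printf("%s -> %q err=%v\n", env.MasterKeyID, pt, err)
}
```

Running it encrypts one constructed document and decrypts it again. Encrypting the same document twice produces two different wrapped data keys and two different ciphertexts, and decrypting with any master key other than the one named in the envelope fails at the unwrap step, which is exactly the property the remark about heaps of 0s and 1s relies on: without the master key, the stored envelope is just noise.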

Delegating these actions to an end user doesn’t really make sense. Providers can take the encrypted file and store it in a highly secure data center, where only insiders could potentially gain access, and even they would see nothing but the heap of ‘0’s and ‘1’s that an encrypted image consists of.

In conclusion, key management is too complicated for most customers to handle themselves. It makes more sense to find a vendor whose cryptography is properly implemented along the lines of the best practices above, and to entrust them with your data.

Andrew James July 04, 2011 01:41 AM
Thank you for this great article. I could understand the use of cryptography in security after reading this article. This was very useful to me. I found some more information about cryptography at http://www.techyv.com/article/use-cryptography-security .
