It has been a year since NSA whistle-blower Edward Snowden began dominating the headlines around the world after he leaked information on the vast amount of programmes of electronic surveillance conducted by the US government, the UK and other nations.
Understandably, alarm bells rang among the thousands of companies that were adopting cloud services. PRISM, MUSCULAR and other programmes revealed a far more extensive network of surveillance than that which most IT and even security practitioners had suspected in their wildest conjectures. At issue was the frailty of privacy for sensitive data in the cloud. Secretive national letters forced cloud providers to turn over customer data without informing customers of the request and worse, the NSA even circumvented cloud providers by hacking into their systems.
So, with the first year of Snowden's disclosures behind us, it's important to discuss what the lessons learned have been for companies adopting and using the cloud.
One of the key takeaways for any business with sensitive data is that, more than ever, cloud data encryption is vital to enterprise data privacy and security.
The Snowden revelations have provided reasons for some organisations to hesitate adopting cloud services. Cloud data privacy is serious business and it seems that government agencies, not to mention malicious actors, are serious about finding ways around it. Yet, it's become ever less feasible for businesses to avoid adopting the cloud given the scalability, cost savings and ease of use cloud services.
Snowden has taught us that, to use the cloud safely, companies must take matters into their own hands. This has led to Bring Your Own Encryption (BYOE), where enterprises choose and implement data encryption that works for cloud applications. BYOE is fast becoming a credible way for organisations to protect data stored in the cloud. It scrambles sensitive information into gibberish that an unauthorised party can't decrypt since the keys remain in control of the customer. This not only provides security, it also addresses the many privacy requirements for doing business at a regional and global level.
Encrypt the tunnel and the information
The most reputable cloud providers use TLS, SSL and Forward Secrecy to encrypt the transmission layer. This helps protect data as it travels from point to point, such as when employees send emails or shoppers purchase items online. But companies can complement provider-side encryption by encrypting at the data level to complete the strategy for cloud encryption defence. Now, data residing in cloud applications can be proactively protected from surveillance, hacks and leaks.
Use appropriate levels of encryption
With their own cloud data encryption solutions, enterprises can rest assured that their data will remain safe in the cloud and protected from prying eyes. As with any technology, though, there are common concerns and best practices to follow when securing data with encryption.
The first pitfall is whether a business is using strong enough encryption. Currently, AES 256-bit is considered the gold standard by cryptography experts, such as Bruce Schneier.
Failing to use a strong enough encryption method for data can result in data breaches and potentially compliance complications – two costly consequences every enterprise wants to avoid.
Keep the keys on the enterprise-side
To be clear, sharing encryption keys with a third party dilutes an enterprise's control over its data and increases its chances of falling victim to a breach because doing so widens the attack surface area. To lessen the risk, ensure that the business alone has the power to unlock data by keeping exclusive control of the encryption keys. This way, even if the network is breached or the data accidentally leaked, information will remain illegible to unauthorised viewers.
The beauty of strong cloud encryption is that it can lock down data so that only authorised parties can read and use it. Spies won't be able to access the data in the clear, and neither will hackers or thieves. Whether to meet security or privacy requirements, encryption should be part of a company's defence strategy against unauthorised access.
Contributed by Paige Leidig, CMO, CipherCloud