
Encrypting data in the cloud is no guarantee, analyst says


Encryption must be on the minds of a lot of executives right now. A former secretary of state’s emails getting released online — among other hacks in the headlines — will do that. And if their data is in the public cloud, in providers’ far-flung data centers, many business and IT leaders are likely thinking this: Scramble the data so that the hackers who are after it can’t read it.

At the recent Gartner Catalyst Conference in San Diego, Gartner analyst Ramon Krikken said organizations should indeed think about encrypting data in the cloud — and then they’d better come up with a really good reason to do it.

His bottom line: “Encryption is only as effective as it is, not as effective as people want it to be.” That is, it’s useless against many types of cyberattacks.

Krikken’s warning came during a talk about how to adequately secure data as more organizations move more applications to the public cloud. It’s not that risks change once applications are moved out of a data center and into the cloud. “The particulars of how the risks are exposed and then how controls are implemented — those are the things that change,” he said.

As an example, he cited the 2014 fall of Code Spaces, which offered source code hosting and project management services to developers.

The company had its services on Amazon’s cloud infrastructure, Amazon Web Services, but it had poor identity and access management for administrative AWS accounts, Krikken said, and it put its day-to-day and backup data in the same place. A hacker got hold of admin credentials, logged into an account and told Code Spaces that data would be erased if the company didn’t pay ransom. It didn’t, so information started disappearing from data banks. Code Spaces subsequently went out of business.

Turning the information to gibberish for all but authorized users wouldn’t have made any difference, Krikken said, “because the data was deleted. It was gone.”

Photo: Gartner analyst Ramon Krikken leads an educational session on securing data in the public cloud at the Gartner Catalyst Conference in San Diego in August.

Not a cure-all

He gave another example of the limits of encryption: blind subpoenas. These are orders government agencies can give a cloud provider to gain access to an organization’s data without the organization knowing about it until much later. Encryption may shield the info from prying federal eyes, Krikken said, but it can only go so far, because the encrypting of cloud applications happens at the provider’s data centers.

“Ultimately, some plain-text version of your data and the data encryption keys as well are going to be floating around in that cloud provider at some point,” Krikken said. And cybercriminals could go further still. “If somebody was really, really ill-intentioned, they can always get to your data at the end.”

But regulators and auditors like to see encryption on data at rest — typically archived or backup data, or reference files that are rarely updated. So if there are compliance requirements, an organization doesn’t have a choice.

“Similarly, a lot of contracts that you might get from people who do business with you might say, ‘All of our data is supposed to be encrypted at rest,’” Krikken said. “They don’t tell you how; they just tell you that it needs to be encrypted.”

When encryption kills

In reality, though, organizations can significantly ratchet up their operational risk by encrypting data in the cloud, Krikken said. Even if they have their own encryption key — the mechanism used to encrypt but also decrypt data and make it readable — they’re still not invulnerable.

“If you lose the keys, you lose the data. If your CSP [cloud service provider] loses the keys, you lose the data. If your key management partner loses the keys, you lose the data. When your keys are gone, the data is gone forever,” he said.
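The key-loss risk Krikken describes is easy to see in code. The following is an added illustration, not code from the article or from Gartner: it uses the envelope-encryption pattern that cloud key management services follow (a random data-encryption key, or DEK, protects the object; the DEK is in turn wrapped under a key-encryption key, or KEK, held by each custodian). The custodian names "customer" and "backup", the sample record and the in-memory keys are all constructed for the example; in practice the KEKs would live in an HSM or a KMS. With a single custodian, losing that KEK makes the ciphertext permanently unreadable; wrapping the DEK for a second, independently held KEK is what turns "keys gone, data gone" back into a recoverable situation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope holds one object encrypted under a random DEK, plus that DEK wrapped
// under the KEK of every custodian allowed to recover it. If every custodian
// loses its KEK, nothing in the envelope can be decrypted.
type Envelope struct {
	Ciphertext []byte            // nonce || AES-256-GCM ciphertext of the object under the DEK
	WrappedDEK map[string][]byte // custodian name -> nonce || AES-256-GCM ciphertext of the DEK under that KEK
}

// NewKey returns a fresh random 256-bit AES key, usable as a KEK or a DEK.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD for the given key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext under key with a random nonce prepended to the output.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; a wrong key or a tampered blob fails authentication.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt seals plaintext under a fresh DEK and wraps that DEK for each custodian KEK.
// The custodian name is bound into the wrap as associated data so wraps cannot be swapped.
func Encrypt(plaintext []byte, keks map[string][]byte) (*Envelope, error) {
	if len(keks) == 0 {
		return nil, errors.New("at least one KEK is required")
	}
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dek, plaintext, []byte("object"))
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: ct, WrappedDEK: make(map[string][]byte, len(keks))}
	for name, kek := range keks {
		if env.WrappedDEK[name], err = aeadSeal(kek, dek, []byte("dek:"+name)); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Decrypt recovers the plaintext using one custodian's KEK.
func Decrypt(env *Envelope, custodian string, kek []byte) ([]byte, error) {
	w, ok := env.WrappedDEK[custodian]
	if !ok {
		return nil, fmt.Errorf("no DEK wrapped for custodian %q", custodian)
	}
	dek, err := aeadOpen(kek, w, []byte("dek:"+custodian))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", custodian, err)
	}
	return aeadOpen(dek, env.Ciphertext, []byte("object"))
}

// RecoverAny tries every KEK still available and fails only when all of them are gone.
func RecoverAny(env *Envelope, available map[string][]byte) ([]byte, error) {
	for name, kek := range available {
		if pt, err := Decrypt(env, name, kek); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("every KEK is lost or unusable: the data is unrecoverable")
}

func main() {
	customerKEK, _ := NewKey()
	backupKEK, _ := NewKey()
	env, _ := Encrypt([]byte("constructed sample record"), map[string][]byte{"customer": customerKEK, "backup": backupKEK})
	// The customer loses its KEK (simulated by dropping it from the available set); the backup custodian saves the day.
	if pt, err := RecoverAny(env, map[string][]byte{"backup": backupKEK}); err == nil {
		fmt.Printf("recovered via backup custodian: %s\n", pt)
	}
	// Both custodians lose their KEKs: the ciphertext is intact and worthless.
	if _, err := RecoverAny(env, map[string][]byte{}); err != nil {
		fmt.Println(err)
	}
}
```

The design choice worth noting is that the object is never re-encrypted when a custodian is added or rotated; only the small wrapped DEK is, which is why envelope encryption makes key redundancy cheap enough to be routine.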

The risk wasn’t lost on Robert Vazquez, security manager at Independent Purchasing Cooperative Inc. (IPC), a Miami supply chain management company that negotiates the costs of meats, vegetables and services for the Subway fast-food chain’s North American operations.

“It flies in the face of the traditional security approach,” Vazquez said, but he gets the counterintuitive wisdom. “It’s really hard to shift that paradigm and that thinking from the traditional methods of protecting your data and your data center and your assets to this cloud version of that.”

IPC, whose board of directors is made up of Subway franchise owners, also runs the chain’s credit card processing and its gift card program. The company is looking at cloud providers AWS and Microsoft Azure to power real-time supply chain management and analytics while expanding credit card processing to other countries, Vazquez said, which brings its own challenging compliance issues.

The cloud, the future

Requiring encryption just for compliance reasons may not make sense, he said, but that’s today, and cloud computing and technologies made for it are changing fast.

“As the auditing bodies start to modernize and get up to date with cloud and what it can offer, there may be some changes or new technologies that compensate for the cloud and the way it’s changed,” Vazquez said.

For his part, Krikken stressed he’s not trying to talk people out of using current encryption technologies for cloud data.

“I’m just saying if you do it, you better have a really good compliance case for it, or you better show that it actually does something useful for security,” he said.