{"id":1699,"date":"2020-07-05T04:08:42","date_gmt":"2020-07-05T04:08:42","guid":{"rendered":"http:\/\/blog.einnosec.com\/?p=1699"},"modified":"2022-02-28T11:28:48","modified_gmt":"2022-02-28T11:28:48","slug":"securing-cloud-data-cloud-encryption-considerations-part-iii","status":"publish","type":"post","link":"https:\/\/blog.einnosec.com\/index.php\/2020\/07\/05\/securing-cloud-data-cloud-encryption-considerations-part-iii\/","title":{"rendered":"Securing Cloud Data \u2013 Cloud Encryption Considerations Part III"},"content":{"rendered":"\n<p style=\"font-size:18px\">In the last posting &#8211; Securing Cloud Data Part I &#8211; we discussed the security triad in the context of data security, which includes data-at-rest encryption to protect confidentiality, data in transit encryption to protect the integrity, high availability clusters, and failover for availability.<\/p>\n\n\n\n<p style=\"font-size:18px\">Part II was focused on understanding <a href=\"https:\/\/www.einnosec.com\/data-security-and-privacy.php\"><strong>cloud security<\/strong><\/a> domains, AWS and Azure storage choices, access methodology, encryption capability, etc. Encryption considerations include data classification, encryption policy, regulatory and compliance requirements, high availability, application integration, support, and key life cycle management.<\/p>\n\n\n\n<p style=\"font-size:18px\">From Part II onwards, the Cloud Security Series focuses on providing basic conceptual information about cloud security in the context of AWS and Azure. 
This will help security reviewers, auditors, and risk management personnel.<\/p>\n\n\n\n<p style=\"font-size:18px\"><strong><span class=\"has-inline-color has-black-color\">Encryption \u2013 Data at Rest<\/span><\/strong><\/p>\n\n\n\n<p style=\"font-size:18px\"><a href=\"https:\/\/blog.einnosec.com\/index.php\/2020\/07\/05\/securing-cloud-data-aws-and-azure-security-part-ii\/\"><strong>The security triad in the context of data security includes data-at-rest encryption to protect confidentiality<\/strong><\/a>, data in transit encryption to protect the integrity, high availability clusters, and failover for availability. Encryption types for data-at-rest include the following:<\/p>\n\n\n\n<ul><li>Full Disk Encryption (FDE) for endpoint protection<\/li><li>Full Disk Encryption with Pre-Boot Authentication (FDE w\/ PBA) for endpoint protection<\/li><li>Hardware Security Module (HSM) for key management lifecycle protection<\/li><li>Encrypting File System (EFS) for storage protection<\/li><li>Virtual Encryption for storage protection<\/li><li>File and Folder Encryption (FFE) for unstructured data protection<\/li><li>Database Encryption for structured data protection<\/li><\/ul>\n\n\n\n<p style=\"font-size:18px\"><strong><span class=\"has-inline-color has-black-color\">Encryption \u2013 Data in Transit<\/span><\/strong><\/p>\n\n\n\n<p style=\"font-size:18px\">Encryption types for data-in-motion include (but are not limited to) the following:<\/p>\n\n\n\n<ul><li>Virtual Private Network (VPN)&nbsp;for remote access<\/li><li>Wi-Fi Protected Access (WPA\/WPA2)&nbsp;for wireless access<\/li><li>Secure Sockets Layer (SSL)&nbsp;for Web browser to server communications<\/li><li>Secure&nbsp;Shell (SSH)&nbsp;for secure remote systems administration<\/li><li><a href=\"https:\/\/blog.einnosec.com\/index.php\/2020\/07\/05\/securing-cloud-data-part-i\/\"><strong>The most common method of protecting data in motion is the use of a secure sockets layer virtual private network 
(SSL VPN)<\/strong><\/a>. Technologies such as SSL VPN are critical in the effort to protect against man-in-the-middle attacks and packet sniffers.<\/li><\/ul>\n\n\n\n<p style=\"font-size:18px\"><strong><span class=\"has-inline-color has-black-color\">Encryption Available from Cloud Providers<\/span><\/strong><\/p>\n\n\n\n<p style=\"font-size:18px\">The major cloud providers offer the following encryption methods:<\/p>\n\n\n\n<ul><li>Server-Side Encryption<\/li><li>Client-Side Encryption<\/li><li>Symmetric Key Encryption<\/li><li>Asymmetric Key Encryption<\/li><\/ul>\n\n\n\n<p style=\"font-size:18px\">The major cloud providers offer the following key management solutions:<\/p>\n\n\n\n<ul><li>Customer Stored and Managed<\/li><li>Provider Stored and Customer Managed<\/li><li>Provider Stored and Customer Managed (using KMS)<\/li><li>Cloud Provider Stored and Managed<\/li><\/ul>\n\n\n\n<p style=\"font-size:18px\">Other key management solutions include an Own HSM Solution and Software-Based Key Management. 
Corporations need to decide on their encryption and key management requirements in advance and ensure that the cloud provider supports them.<\/p>\n\n\n\n<p style=\"font-size:18px\"><strong><span class=\"has-inline-color has-black-color\">Cloud Encryption Considerations<\/span><\/strong><\/p>\n\n\n\n<p style=\"font-size:18px\">Encryption considerations include data classification, encryption policy, regulatory and compliance requirements, high availability, application integration, support, and key life cycle management.<\/p>\n\n\n\n<p style=\"font-size:18px\">Cloud encryption and key management buzzwords:<\/p>\n\n\n\n<ul><li>BYOK \u2013 Bring Your Own Key<\/li><li>BYOV \u2013 Bring Your Own Vault<\/li><li>BYOE \u2013 Bring Your Own Encryption<\/li><li>BYOH \u2013 Bring Your Own HSM<\/li><\/ul>\n\n\n\n<p style=\"font-size:18px\"><strong>Visit <\/strong><a href=\"http:\/\/www.einnosec.com\"><strong>www.einnosec.com<\/strong><\/a><strong> to learn more about GRC, Audit and Information Security practice.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the last posting &#8211; Securing Cloud Data Part I &#8211; we discussed the security triad in the context of data security, which includes data-at-rest 
encryption&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2737,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[80,71],"tags":[129],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts\/1699"}],"collection":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1699"}],"version-history":[{"count":4,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts\/1699\/revisions"}],"predecessor-version":[{"id":2548,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts\/1699\/revisions\/2548"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/media\/2737"}],"wp:attachment":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}