Cloud data encryption – what to know before choosing a provider?

Technically and practically speaking, all popular cloud-based tools are securely encrypted. In fact, this means that we do not have to worry about the problem of data encryption, as long as we do not need to prove its security to regulators, customers, business partners or a bank. So in every “typical” situation, we can take our suppliers’ word for it. This, however, does not mean that the subject of encryption is not worth exploring.
What will you find in this article?
The security standards offered today by cloud services – disks, tools for collaboration on documents, graphics editors, video games, etc., especially those that require us to login and offer a paid subscription – are high and constantly monitored. Specialists take care of us.
In practice, a “typical” user has nothing to worry about. Long gone are the days when an application (back then called a program) was trusted only when it could be installed locally on a computer and used “normally”, that is, offline. The spread of high-speed internet significantly contributed to this change of mindset. Awareness of cyber threats also rose in the meantime, and the norms have been tightened to protect the great masses of users. Data encryption in the cloud with a 256-bit algorithm, the “weakest” of those unsinkable by a brute-force attack, is no longer surprising today. Rather, it is its absence that may arouse users’ interest.
However, the Internet has become so indispensable that leaving the fundamental principles of its functioning to specialists and focusing solely on the usage is like reading the printed press without being aware of Gutenberg’s achievements. Therefore, it is worth acquiring basic knowledge about the technical side of the internet, even if we do not intend to construct ourselves the modern, digital tools in the service of mass communication.

Cloud data encryption - locally or externally?

Let’s start with the definition. Cloud data encryption is designed to ensure that the information we send and receive is not read, modified or deleted in an unauthorized way. Looking at the simplest model of its inner workings, encryption can be explained in such a way that the original portion of data we want to protect is first coded with the help of a suitably strong cryptographic algorithm (the engine) and a unique encryption key, and then sent to and decrypted by an authorized recipient, who uses a unique decryption key in their possession, thus reverting data to its original, legible form.
Usually, the user does not even know about the existence of such keys whatsoever. In fact, typically all we need to do while using commercial cloud-based tools that utilize encryption is log into such a system as authorized users, and the process of encrypting (files and communication) will start automatically. This encryption/decryption process might differ depending on whether we use a locally installed client, e.g. an extension to the browser, or application, or we work directly in the cloud (no plugin).
In the first case, the login data, for example the password, may or may not be stored locally (and its use then two-factor-authenticated, e.g. by SMS). After the user logs in, the local application establishes an encrypted connection with the server or encrypts the data locally, and then sends portions of such encoded data to the server and delivers it to the recipient, who, in turn, can decode the information locally.
In the second case, all encryption and decryption takes place on the provider’s server. Users only operate at the level of the protected interface, which is not available or cannot be serviced offline.
Both solutions obviously have their strengths and weaknesses. The advantage of plug-less solutions is the complete relief of the user from the necessity to take care of the system security, apart from the password and access to the device – these can be taken over more easily than the supplier’s constantly monitored server, after all. The advantage local applications give is the exclusive possession of encryption keys by the user. In theory, keys should not be stored on the same instance as the data, i.e. in the provider’s cloud. It may therefore be safer to store the keys on your own device (especially in case of financial applications). There might, unfortunately, be dishonest administrators and cybercriminals at play.
But why are these or other encryption methods so important, despite their advantages and disadvantages? To put it simply, it’s because they are nonetheless effective. Data encryption in the cloud with the use of proven protocols (IPsec, TLS and others) is a widely recognized practice, and regulators require this practice to be applied e.g. to regulated entities and wherever data disclosure may have a negative impact on economic and national security. The encryption results from the recommendations of the Polish Financial Supervision Authority, GDPR and other regulations.

What actually encryption gives us: in defense of integrity

Let’s move on to a little spoiler. In one of the episodes of the AMC’s hit television series “Better Call Saul”, the title character, Saul Goodman, a lawyer with a dubious reputation and quite “flexible” approach to the rule of law – tries to discredit his older brother, a successful lawyer who, for ethical reasons, stands in the way of Saul’s professional (and social) breakthroughs. Saul executes a plan to steal paper (sic!) documents collected in the case conducted by his brother, and then doctors them meticulously using a scalpel: he changes the order of the digits on the date of the main application, makes high-quality photocopies to hide cut marks, and then puts the fakes in place of the originals. The operation results in the jurisdiction’s formal rejection of the case – and a loss to the client. The conman gets away with it and the “slip-up” casts a shadow on his brother’s career. Saul successfully interferes with data integrity.
This television example perfectly illustrates the importance of data integrity, which next to confidentiality and availability is part of the so-called CIA triad (confidentiality, integrity, availability). The story of Saul is completely unbelievable in the present conditions (the plot takes place in the early 2000s), but today it is possible to imagine a situation where the patient’s medical data is electronically written and placed in a cloud with no encryption. An efficient hacker is able to get into such a cloud, modify a key fragment of the documentation – for example, change the diagnosis, and then leave the server almost without a trace. Taking care of integrity, i.e. ensuring that any data stored in a file or transmitted online will not be modified in any way by unauthorized persons, is then one of the main functions of encryption.

Encryption in transit and at rest - what is the difference?

What happens to your data when it’s being encrypted can be described by two basic processes. Cloud encryption at rest applies to files stored on the server/client that are currently not being transmitted over the network or between the client and the server. In turn, encryption in transit concerns the moment of communication or data transmission in the network or between the client and the server.
Depending on the cloud operation model, data at rest can be stored in a dedicated, encrypted virtual disk space, on a local disk, or create the so-called objects. In the second case, the protection usually covers a wider range of components, e.g. API (i.e. a local component of the platform that allows for its online use), network connection, a cloud instance or the provider’s physical disk itself. In this case, in theory at least, the risk of attack is greater. Data protection, however, is a struggle for compromises and there are no ideal solutions here, only those practical and… proven.

Saas model - how encryption works in FORDATA Virtual Data Room

Let’s move on to the method of data encryption used in the FORDATA cloud. Our VDR operates in the SaaS model (software-as-a-service). This means that encryption, its effectiveness, updating and guarantee of operation are entirely at our discretion as service providers. The customer is relieved of the obligation to guarantee the efficiency of these components when, for example, is uploading data under protection (e.g. by GDPR) to VDR or in case of supervised entities. You can read more about how we secure files in the cloud in the article “Cloud data storage and file security”.
Let’s list the most important features of data encryption in FORDATA:
Practically speaking, this means that the data stored on FORDATA servers (we have a physically separated disk partition, which is not used by other server room customers) is as safe as the funds stored on an electronic bank account. Suffice it to say that our services are used by international financial institutions.
Responsibility for data encryption in the cloud lies entirely with us. Thanks to this, you can be sure that your work will always comply with the current EU regulatory requirements in the field of data protection.

If the article was valuable to you, please share it with others, e.g. via Facebook or LinkedIn!

Share on facebook
Facebook
Share on linkedin
LinkedIn

Main picture: Unsplash.com

You may also read
You liked it? Share!
Share on facebook
Facebook
Share on linkedin
LinkedIn
Most viewed
Follow us!