Privacy in the Cloud, Part 2

In my last post, I mentioned some of the threats and vulnerabilities to data in the cloud. To reduce the risks posed by these threats and vulnerabilities, consumers and organizations can use privacy-enhancing technologies in the cloud. Among the most common technologies used in a cloud environment are encryption and digital signatures. Since the cloud is a remote-access platform, these technical controls can remotely enforce a particular security policy. Most cloud providers offer built-in schemes for encrypting data that will be stored in the cloud. However, this method is not sufficient, since providers encrypt data using an encryption key generated by the cloud providers themselves. There is no assurance that the cloud provider will not use that key to decrypt user data.

Cloud consumers must therefore keep in mind that there is always the possibility that cloud providers can gain access to any data saved in cloud storage, even if it is encrypted. To mitigate this encryption risk, proper key management is vital. Other process and technology-related controls that can enhance the privacy of data in the cloud include secure multiparty computation (SMC) and homomorphic encryption (HE), using separate encryption keys (one per cloud consumer), the fragmentation-redundancy-scattering (FRS) technique, manual encryption, and network traffic encryption techniques like Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

The Cloud Security Alliance (CSA) recommends that the cloud consumer perform the encryption locally before sending the data to the cloud provider, to decrease the ability of a malicious provider or co-tenant to access archived data. CSA also recommends that for data to be destroyed, it must be erased, rendered unrecoverable, and, as appropriate, physically discarded using techniques such as disk wiping, degaussing, and crypto-shredding. Other controls that must be in place to ensure the holistic protection of data in the cloud include conventional security services such as access controls, operating system hardening, system and application updates, change management, intrusion detection and prevention, incident handling, and business continuity and disaster recovery.
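
The local-encryption and crypto-shredding recommendations above, as an added Python example (not code from the original post or from CSA). It assumes the third-party `cryptography` package, AES-256-GCM, and one key per stored object; `LocalKeyStore`, `encrypt_for_upload`, `decrypt_after_download` and the sample object name are hypothetical.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size AES-GCM is designed around


class LocalKeyStore:
    """Hypothetical consumer-side key store; keys never reach the provider."""

    def __init__(self):
        self._keys = {}  # object_id -> 256-bit AES key

    def new_key(self, object_id):
        self._keys[object_id] = AESGCM.generate_key(bit_length=256)
        return self._keys[object_id]

    def get(self, object_id):
        return self._keys[object_id]  # raises KeyError once shredded

    def shred(self, object_id):
        # Crypto-shredding: with the only key copy gone, every ciphertext
        # copy the provider holds (replicas, backups) is unrecoverable.
        # Assumption: a real store (HSM/KMS) also wipes the key material.
        del self._keys[object_id]


def encrypt_for_upload(store, object_id, plaintext):
    """Encrypt locally; the returned blob is all the provider ever sees."""
    key = store.new_key(object_id)
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per encryption
    # The object id is authenticated as associated data, so a blob served
    # back under a different name fails decryption.
    return nonce + AESGCM(key).encrypt(nonce, plaintext, object_id.encode())


def decrypt_after_download(store, object_id, blob):
    """Verify and decrypt a blob fetched from the provider."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(store.get(object_id)).decrypt(
        nonce, ciphertext, object_id.encode())


if __name__ == "__main__":
    store = LocalKeyStore()
    cloud = {}  # constructed stand-in for the provider's object storage
    name = "hr/payroll.csv"  # constructed sample object
    cloud[name] = encrypt_for_upload(store, name, b"name,salary\n")
    print(decrypt_after_download(store, name, cloud[name]))
    store.shred(name)  # the provider still has the blob, but no key exists
```
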

In general, strong encryption techniques can reduce security and privacy risks, especially when storing private data in an untrusted environment. However, this usually implies sacrificing functionality and efficiency for security and privacy.
