Encryption: Data at Rest and Data in Transit

Encryption of Data at Rest

You should strongly consider encrypting all your data at rest, even if you own the server or storage hardware, as is often the case with private clouds. This is especially true for data in public clouds where you do not directly control the physical access to the servers that contain your data. Data encryption at rest provides a physical safeguard for your data because even if the server is stolen and physically removed from the datacenter, the data remains protected and inaccessible to the attacker.

Remember that encryption is only as good as the strength and security of the encryption keys. When encrypting data at rest, you must also consider how you will manage the encryption keys that are used to encrypt and decrypt your data. The key used to encrypt and decrypt your data is called a data encryption key (DEK). If an attacker obtains the DEK, the attacker can decrypt and access your data. Worse yet, the attacker may be able to decrypt the data, modify it, and then re-encrypt it without your knowledge.

Since the vulnerability is an attacker obtaining the DEK, the mitigation must be to prevent the attacker from doing so. You can do so in one of two ways. You could rotate or change the DEK regularly so that even if the DEK were compromised, the attacker would have only a limited window in which the key was useful. Alternatively, you could seek a method that does not require you to disclose the DEK to anyone, and yet still encrypt and decrypt the data using that DEK. While the second option sounds impossible, it is actually the best choice. Changing the DEK used to encrypt data is a time-intensive process because it requires you to first decrypt the data using the original DEK, then encrypt the data using the new DEK. If you have more than a few terabytes of data, this will take a very long time and incur a significant amount of CPU processing time each time you change the keys.

That leaves you with the seemingly impossible option: never disclose the DEK. But how can you encrypt or decrypt data if no one has access to the DEK? The answer is simple: you protect the DEK in the same way that you protect your other data files, by encrypting it. When you encrypt the DEK, you use an asymmetric encryption key called a key encryption key (KEK). To help keep all these keys organized, you store the encrypted DEK inside a key management server (KMS) that grants access to the key based on the validity of your KEK.

That is a bit complex, so consider the following analogy. Imagine that you have a secret decoder ring that you wish to lock up and protect within a vault. The secret decoder ring is your DEK and is used whenever you have a piece of data that must be encrypted or decrypted. The vault is the KMS, and the key to the vault is your personal KEK. Periodically you will change the locks on the vault to safeguard against KEK theft. Fortunately, that will not affect your secret decoder ring (the DEK). The DEK is still used to encrypt all your data, but the DEK is only ever disclosed in its encrypted form. When it is time to encrypt or decrypt data, your computer uses the KEK to temporarily unlock the DEK, which is then passed to the storage system to enable the encryption or decryption process.

Many public cloud providers offer a KMS for your encryption keys. This is also referred to as managed key encryption because your encryption keys are managed by the KMS.
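The DEK/KEK arrangement described above is usually called envelope encryption. The following Go program is an added illustration written for this page, not code from the original text or from any particular KMS product. It uses AES-256-GCM for both the data and the key-wrapping step, so the KEK here is a symmetric key rather than the asymmetric KEK the text describes; the wrap/unwrap idea is the same, and the point it demonstrates is that rotating the KEK only re-wraps the small DEK while the (potentially terabytes of) data ciphertext is never touched. All keys and the sample record are constructed in-process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored at rest: the data ciphertext plus the DEK in
// wrapped (encrypted) form. The plaintext DEK is never written anywhere.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the KEK, nonce prepended
	Ciphertext []byte // data encrypted under the DEK, nonce prepended
}

// NewKey returns a fresh 256-bit key from the OS CSPRNG (used for both DEKs and KEKs here).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealWithKey encrypts and authenticates plaintext with AES-256-GCM under key.
// A random 96-bit nonce is prepended so the blob is self-describing.
func sealWithKey(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWithKey reverses sealWithKey. A wrong key or any modified byte fails
// the GCM authentication tag, so tampering is detected rather than silently decrypted.
func openWithKey(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt generates a per-object DEK, encrypts the data with it, then wraps the
// DEK under the KEK. Only the wrapped form of the DEK leaves this function.
func Encrypt(kek, plaintext []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := sealWithKey(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealWithKey(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK (the "vault key"), then uses the DEK on the data.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := openWithKey(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWithKey(dek, env.Ciphertext)
}

// RotateKEK re-wraps the DEK under a new KEK. The data ciphertext is copied as-is,
// which is why changing the vault lock (KEK) is cheap while changing the DEK is not.
func RotateKEK(oldKEK, newKEK []byte, env Envelope) (Envelope, error) {
	dek, err := openWithKey(oldKEK, env.WrappedDEK)
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap DEK with old KEK: %w", err)
	}
	wrapped, err := sealWithKey(newKEK, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}
```

Typical use is Encrypt with the current KEK, store the Envelope, and later Decrypt with the same KEK; when the KEK is rotated, call RotateKEK on each stored envelope and verify that the old KEK no longer unwraps the DEK. In a real deployment the KEK would live in an HSM or cloud KMS and the wrap/unwrap calls would be API requests to that service, so the plaintext KEK would never be in application memory at all.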

Encryption of data at rest can also safeguard against accidents such as exposing data after a server has been decommissioned. For example, consider a server that is no longer needed and is then removed from the network without first performing a full security wipe of its hard drive. If the data on that hard drive was not encrypted, it may still be readable and end up in the wrong hands when the server is later sold or repurposed.

Encryption of Data in Transit

It is equally important to encrypt your data in transit, also known as data in flight. Again, while beneficial in a private cloud environment, it is particularly important for public and hybrid clouds due to the potential for accidental data exposure on shared network links. Even in private clouds, the prevalence of malware makes data encryption important to protect against data theft or the manipulation of data in transit. In the case of a hybrid cloud, the wide area network (WAN) link, which connects the private and public clouds, should also be encrypted.
