Cloud Encryption - Recommended Best Practices

Cloud computing is now firmly part of corporate IT infrastructure, with 97% of enterprises, worldwide using some form of cloud service. Cloud computing has been successful because it offers benefits which include better collaboration, remote work support, and cost-effective ways of keeping IT up to date.


However, one of the hurdles of cloud computing has been in the area of security. Cloud data security is an ongoing challenge, lacking corporate visibility into where data resides and potential exposure of this data, still needing attention. This is evidenced by ForcePoint, who found that only 7% of businesses felt that their visibility of assets was extremely good. And, RedLock, who identified that 51% of organizations had publicly exposed a cloud service, putting data at risk.


Cloud computing has in equal measures provided businesses with opportunities and more complex security needs. As data flows through its lifecycle it crosses cloud-based apps, servers and other infrastructure areas, the best practice requirements of encryption in the cloud need to reflect that lifecycle as a whole. Here we look at what the best cloud encryption practices are and what concerns are driving better cloud encryption.


Mapping Cloud Infrastructure, Data, and Cloud Encryption Requirements

Data is not a static entity, it exists across various states within a cloud infrastructure; data at rest, in transit, and in use. The governance of data security within those states never truly leaves the customer, no matter where the data exists. Below we look at the types of cloud infrastructures and where responsibility is split between the customer and cloud provider.


Data Encryption in Cloud Computing

The four types of cloud infrastructure are as follows:

Infrastructure-as-a-Service (IaaS): A mixed environment run partly by the cloud provider and partly by the customer (shown in parentheses):

  • Apps (customer)
  • Data (customer)
  • Operating System (customer)
  • Virtualization (cloud provider)
  • Servers (cloud provider)
  • Storage (cloud provider)
  • Networking (cloud provider)

Platform-as-a-Service (PaaS): Another mixed environment run partly by the cloud provider and partly by the customer (shown in parentheses):

  • Apps (customer)
  • Data (customer)
  • Operating System (cloud provider)
  • Virtualization (cloud provider)
  • Servers (cloud provider)
  • Storage (cloud provider)
  • Networking (cloud provider)

Software-as-a-Service (SaaS): A fully-cloud provider run service, but with data still owned by the customer (shown in parentheses):

  • Apps
  • Data (customer)
  • Operating System
  • Virtualization
  • Servers
  • Storage
  • Networking

shared responsibility

The shared responsibility model is an important consideration in any cloud infrastructure option. In the shared responsibility model, the cloud customer is responsible for data ‘in’ the cloud no matter what option is chosen. Cloud providers are responsible for the security ‘of’ the cloud, aka the infrastructure components such as databases, storage, and networking.

This means that no matter what state the data is in:

● At rest - in storage

● In transit - Moving between applications

● In use - being processed within the application logic, and then communicating back to end point

The data is ultimately the responsibility of the customer.

Because each type of cloud infrastructure has their own specific environment, the encryption requirements and use case needs must be understood to optimize security. However, this key point of data responsibility being in the hands of the customer must always be at the forefront of a cloud data security encryption strategy.

learn more about kindite's solution

Cloud Encryption Solutions

When looking at existing cloud encryption techniques the breakdown essentially consists of:

Storage/data at rest: most cloud providers or database vendors will offer data at rest encryption. This is encryption that can be used for structured and unstructured data in databases, applications, files, and other storage.

Cloud application level: This is an encryption option that some apps offer. It allows sensitive data to be encrypted and available to only authorized entities. Tokenization of data and granular-level encryption of data in fields in a database are examples. Key storage has been identified as a challenge in app level encryption

Data in transit. Data is at risk of Man-in-the-Middle attacks and eavesdropping when in transit between infrastructure components. The use of security protocols SSL/TLS and services such as a Virtual Private Network (VPN)

Data in use: When data is being used, updated, modified, collaborated on, it exists within a state that can best be protected using a Zero-Trust cloud architecture. A Zero Trust approach is one of “never trust, always verify.” The architecture is based on the use of micro-perimeters, access of which is enforced based on user, data, and location. Encryption used within a Zero-Trust cloud architecture takes on the principles of this approach.


Best Practices in the Cloud for Data Encryption

This brings us onto the best cloud encryption practices. Data at rest and in transit, although still challenging, have been addressed by well-established technologies such as the Transport Layer Security protocol, TLS. However, the area of data in use, has been uniquely challenging. This reality was a big challenge for the most risk advert organizations that naturally seek for a solution which provides end-to-end cloud encryption

The application of the Zero Trust cloud architecture model has helped to alleviate this challenge.


Creating an end-to-end cloud encryption strategy

  1. Know what needs to be protected: Map out the data assets you have and what their lifecycle entails. This should also include the classification of this data so that you can make a risk assessment of the data security of each asset. Data discovery tools such as DataSense, from Cognigo, can help in this process.
  2. Create a Cloud encryption policy to match governance, including:
        • What: Map your asset classification to determine encryption needs
        • When and where: At what part in the data lifecycle is encryption required and what type of encryption?
        • Key Management: Cloud encryption key management best practices for each encryption type; remembering that, control over the encryption keys equates to maintaining control of your data.
  3. Choose the best-of-breed solution for the situation: Implement encryption solutions and key management that fits the use case - this will pull out more on zero-trust encryption for data in use.

Ultimately, the overriding best practice when securing data in the cloud is to view the entire data lifecycle, as a whole. This will ensure that data, no matter where it is held and how it is used, is protected; mitigating data exposure.



Encrypting one data state within a cloud infrastructure is not enough. Data encryption within the cloud requires layers of state-relevant encryption. Addressing cloud encryption for data only when it is at rest or in transit will leave a gap in your security defenses. Using a Zero Trust architecture approach and encryption specifically designed for data in use, will plug this gap. The use of encryption for data in use needs to be part of your cloud security policy and applied along with your other cloud security measures to ensure that sensitive data is not leaked.

Demo_1584-1056_01 (4)


Comments | 1