We talk a lot about multi-layered security: perimeter security, network security, cloud security, device security – but what is it that we most need to protect?  The answer usually boils down to: the data.

Certainly, we seek to prevent Denial of Service attacks that will bring down the network, or malware attacks that will force us to reinstall operating systems and applications, but all of those problems can be fixed and when they are, operations are restored to the same as before.  Data, however, is the one thing that’s irreplaceable, and the majority of our security measures are ultimately aimed at keeping it safe.

Here’s an analogy: let’s say you have a very valuable custom designed diamond ring that also has great sentimental value because it was passed down through your family for generations. Do you leave it lying around the house? Of course not. You buy the best heavy duty safe and keep it in there. Now of course you also have locks on your doors and windows, and maybe an alarm system, fences or walls around the yard with locked gates, and a guard dog in that yard to protect the property as a whole, but your most valuable items get special, additional protections.

It’s the same with our data. In addition to the firewalls and access controls designed to keep unauthorized persons out of our networks and systems, we also want to ensure that if someone does defeat those measures and “gets into the house,” they still won’t be able to steal or see our data:  the documents and spreadsheets and databases that contain our original and irreplaceable work product. That’s why we have encryption and file-level access controls.

But when it comes to protecting our most valued assets, are we better off going DIY or putting it in someone else’s hands?  As with so many other IT decisions, there are advantages and disadvantages both ways.

Cloud storage vs keeping it on premises

In the early days of cloud computing, many organizations saw the benefits of moving some of their IT operations into the cloud. They saw that, among other things, they could lower the cost of managing and maintaining servers and IT departments, be able to scale up or down more quickly and cost effectively and give employees easier access to the resources they need whether they’re in the office, working from home, or on the road.

However, many were hesitant to put data that they considered confidential, sensitive, or mission critical into cloud storage, as they questioned the level of protection cloud providers would give it and feared the loss of control in regards to security. As recently as 2015, it was common to see articles in reputable publications proclaiming that you shouldn’t trust cloud service providers.

The naysayers did make some good points, such as the fact that big cloud datacenters make an extremely attractive target for attackers because of the huge wealth of data stored there. It’s also true that your company has more control over its own employees, in terms of vetting for hiring, monitoring their actions, and being able to discipline or fire them. In almost all cases, you don’t even know the identity of the cloud provider’s personnel who have access to your data.

However, trust in the cloud is growing, as evidenced by the growing number of enterprises that are adopting cloud based platforms and applications – according to Forrester, more than 50% will adopt cloud-enabled services by the end of 2018.

This is not just a matter of familiarity breeding complacency, either. Organizations are recognizing that there are good reasons to trust the security of the top cloud providers – although familiarity with the cloud has helped to quash some of the paranoia that initially surrounded the topic. That paranoia was based in large part on two factors: a) fear of the unknown and b) the mistaken assumption that more control equals more security.

In fact, many analyses show that cloud computing can be (and often is) more secure than traditional IT. If you really stop to think about it, it makes sense. Big cloud companies such as Microsoft, Amazon, and Google have enormous amounts of money to implement the very best security measures and hire the very best security personnel. And it’s an investment they’re willing to make because their reputations depend on it.

Cloud data centers start with a high level of physical security that many on premises IT departments don’t have; the exact locations of their data storage facilities is often kept secret. They also implement the most stringent access controls, strong encryption protocols both for data at rest and in transit, and strict monitoring and auditing. Software is kept up to date, something that sometimes falls by the wayside in company data centers due to admin workloads.

Encryption is the key

The vast majority of cloud providers automatically encrypt data in transit. Some encrypt data at rest by default while others provide options for doing so.  Whether you store data on premises or in the cloud (or both), encryption is the most important element in protecting it from unauthorized access. But all encryption is not created equal. The factors that determine whether encryption can be cracked hinge on a) the algorithm and b) the key.

Some encryption algorithms are stronger than others. AES is the current standard, used by the U.S. government to protect its classified information. It uses the block cipher method (encrypts blocks of bits rather than individual bits one at a time). The bit designation (AES-128, AES-192, AES-256) indicates the size of the symmetric encryption/decryption key.

When it comes to key size, in theory bigger is better – because it takes longer to crack using a brute force attack (trying every possible key combination). But it’s not really that simple. In practice, the chances of cracking AES-128 are so close to zero (at least with current technology) that AES-256 doesn’t, according to many experts, offer any real advantage.  And some will tell you that because of the design of the key schedule for AES-256, its shorter-keyed cousin has been considered more secure for most usage, as Bruce Schneier pointed out way back in 2009.

Security doesn’t end with encryption of the data. The key that is used to encrypt the data must, itself, be encrypted in order to best protect the data. Best practices also include storing keys separately from the data. This is an essential part of key management. Keys can be executed in software, or Hardware Security Modules (HSMs) are often used to protect keys for higher security.

Data encryption can be accomplished at the file level or the disk/volume level. On premises, you can use technologies such as Microsoft’s Encrypting File System (EFS) encryption to encrypt individual files or BitLocker to encrypt entire volumes. Azure cloud services allow you to encrypt entire virtual machines (Windows or Linux) that you run in the cloud. Azure Key Vault can protect the encryption keys.

Amazon Web Services (AWS) gives you the option to encrypt data stored in S3 cloud storage with either server side or client side encryption. AWS Key Management Services (KMS) enables you to create and control data encryption keys.

What about passwords?

With a symmetric encryption algorithm, the same “secret key” is used to encrypt and decrypt the data, but where does this 128, 192, or 256 bit binary key come from, anyway? The most common authentication method is still passwords, but this doesn’t mean your passwords have to have 128 or more characters. When passwords are used in AES encryption, your password (of whatever length) is hashed into a binary key of the appropriate size.

Then does the length and strength of the password matter? Absolutely! Even though both the weak password and the strong password may both generate the same sized 128 or 256 bit key, the latter is more secure. Using the strongest passwords possible will provide better protection for your data whether it’s stored on premises or in the cloud.

Access controls – authentication matters

Access to data begins with access controls, which are based on authenticated user accounts. User authentication is also traditionally accomplished via passwords, but best security practices dictate that passwords are not enough – multi factor authentication is a better way to control access to sensitive data.

MFA can use smart cards or token, phone authentication, or biometrics such as fingerprints, iris scans, or facial recognition. The important thing is that in addition to requiring users to provide something they know (a password or PIN), they must also provide something they have – a physically present element that they carry with them or a unique physical characteristic that’s part of their bodies. This adds a second, and more difficult to duplicate, means of verifying that a user is in fact the person associated with the account.

Major cloud providers give customers the option to require MFA for access to their services, and solutions such as Azure Multi-Factor Authentication Server can be used to set up on-premises MFA.

Summary

Protecting data is one of the most important functions of any organization’s security strategy. Luckily, you have many tools and options available, whether you store your data on premises, in the cloud, or a combination of both.