Apple’s opposition to an FBI request to unlock the iPhone of Syed Rizwan Farook, the shooter in the December terrorist attack in San Bernardino, CA, has raised the issue of data privacy and security, not just on individual devices but also when devices are connected to the cloud.

Your device or on-premise server might be protected, but what about when you connect them to the cloud? It may be vulnerable to attackers or be subject to government requests.

Cloud security introduces different challenges because there are more players, said Mark Nunnikhoven, vice president of cloud research at Trend Micro Inc. Also, the type of security you want depends on what you want to protect your data from. Do you want to protect it from hackers or protect it from government agencies?”

It’s an issue a lot of companies are thinking about and taking steps to address, said Ellen Rubin, CEO of ClearSky Data. And the first line of defense for them, she said, is encryption. In fact, the argument any cloud service provider (CSP) will make is that if you are concerned about your data—whether because of hackers or governments wanting access—you must encrypt your data, she said.

And the data must be encrypted at rest, as well as in transit to the cloud—whether it’s a public, private or hybrid cloud environment, Nunnikhoven said.

The large public CSPs, including Amazon Web Services, Microsoft Azure and Google Cloud Platform, include security features. When selecting a CSP, companies need to make sure the provider has the same types of security controls as when protecting information on an internal system, said Jim Reavis, CEO of the Cloud Security Alliance.

“This will include some combination of encryption, access control, strong authentication, and intrusion detection—but implemented in a cloud-native way, such as security as a service,” he said. “Not vetting your cloud provider is the real risk you take in storing data in the cloud.”

Who has the keys?

The bigger issue with encryption is what happens to the encryption keys. If the data is encrypted, the keys exist somewhere. Where should you put them? Who has control of them? How do you protect them?

“If the answer is that the cloud provider can never have access to the keys, then you’re in pretty good shape. Because even if something happened and people stole your data or subpoenaed it and demanded it, all they would get is encrypted data that they can’t decrypt,” Rubin said.

If the keys aren’t going with the data into the cloud—they are separated and put into some other device—you’ve created a level where no one entity would be able to give someone access, she said.

“I think that is just table stakes now. I don’t think anyone can go into the cloud without considering it because you just don’t know what will happen,” she said. “Anything you have any concerns about at all, not even just sensitive data, should be encrypted.”

Nunnikhoven pointed out, though, that even if data is encrypted, it doesn’t mean it is secure from everything. Because law enforcement agencies can make companies release data.

“In most cases, any company operating in the United States is going to comply with the legal requirements,” he said.

Photo credit: old via photopin (license)