Secure Cloud Storage: How Secure is Your Cloud Data?

What is the most valuable asset of your company? Is it the office building, the chairs, the furniture, or perhaps the computers and laptops on employees’ desks? Is it the people? For most enterprises, none of these things are at the heart of the business. Instead, the value of a company is in the intellectual property (IP) it owns, and that translates directly into information or data.

The information sitting in computer systems is the lifeblood of most enterprises, and that’s why, as an industry, we spend so much time and effort managing and maintaining it. It’s good practice (and a legal requirement in many industries, such as finance and healthcare) to encrypt data both at-rest (i.e., where it is physically stored) and in-flight (i.e., when it’s on the move through the network). Both of these technologies are built into the majority of mature enterprise storage platforms.

Data Protection Strategies

Protecting data is all about reducing the risk of having that information stolen or appropriated by someone outside the organisation. That could mean competitors looking to steal ideas or, worse, hackers looking to expose information to the public or even blackmail a company into paying a ransom to get their data back. Such a breach could result in fines, loss of business, collapse of the business or even criminal charges for executives.

How Secure is Cloud Storage?

What happens when you move applications and data to the cloud? Data moving to and from the cloud has to be encrypted in-flight and all services must offer this feature. What about the data that’s at-rest on disk?

Where The Cloud Is Encrypted, And Where It’s Not

On general public cloud services, such as Amazon Web Services S3 or EBS (Elastic Block Store), the data from each company or account will be stored on servers shared with other customers and potentially across many physical devices. There is no guarantee that this data will be encrypted by default. The shared infrastructure alone makes it essential to encrypt data at rest, in order to protect against network or guest misconfiguration that could expose data from one client to another.

The data at-rest encryption delivered by the cloud services provider gives some protection between clients. However, it doesn’t provide a complete secure cloud storage solution, because the provider still holds the encryption keys within their network. Even where there are customer-managed keys (usually a chargeable option), the same problem occurs: the cloud provider is managing both keys and data. There are also some restrictions put in place by the cloud providers. For example, AWS EBS boot volumes can’t be encrypted, and encryption is only available on certain instance types that use the Intel Advanced Encryption Standard Instruction Set (AES-NI). Charging can also be based on usage, making the cost of encryption a variable cost.

An alternative is to implement client-side encryption, building protection into the application or virtual machine. Although this solution could work, it is likely to be fraught with complexity, as software and keys would need to be installed on each server accessing the shared storage.

The Zadara Storage Approach

Zadara VPSA (Virtual Private Storage Array) implements both in-flight and at-rest encryption, with the decision to use encryption given to the customer (encryption is not enabled by default). In-flight data is secured using IPsec, a mature and well-known protocol for securing traffic on IP networks.

For data at-rest, the encryption keys themselves are stored in an encrypted form, using a password provided by the user. Both controllers in a VPSA maintain a copy of the password in memory but do not store a copy in any persistent format, putting the customer in complete control. The only time the password is needed is when the VPSA returns from hibernation mode (in which case the restart with passwords can be automated with scripts).
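The password-protected key storage described above can be sketched as follows. This is an added example, not Zadara's code: the page does not say which key-derivation or wrapping algorithms the VPSA uses, so PBKDF2-HMAC-SHA256, AES-128-GCM, the iteration count and the names kekAEAD, WrapKey and UnwrapKey are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// kekAEAD derives a 128-bit key-encryption key (PBKDF2-HMAC-SHA256, one block).
func kekAEAD(password string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1})      // PBKDF2 block index 1
	t, u := mac.Sum(nil), mac.Sum(nil) // two independent copies of U1
	for i := 1; i < 100000; i++ {      // iteration count is an assumption
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	block, _ := aes.NewCipher(t[:16]) // cannot fail for a 16-byte key
	aead, _ := cipher.NewGCM(block)
	return aead
}

// WrapKey returns salt || nonce || ciphertext+tag, the only form persisted.
func WrapKey(password string, dataKey []byte) ([]byte, error) {
	hdr := make([]byte, 28) // 16-byte random salt, 12-byte random GCM nonce
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return kekAEAD(password, hdr[:16]).Seal(hdr, hdr[16:], dataKey, nil), nil
}

// UnwrapKey returns an error if the password is wrong or the blob was altered.
func UnwrapKey(password string, blob []byte) ([]byte, error) {
	if len(blob) < 28+16 {
		return nil, fmt.Errorf("wrapped key too short")
	}
	return kekAEAD(password, blob[:16]).Open(nil, blob[16:28], blob[28:], nil)
}

func main() {
	blob, _ := WrapKey("constructed-password", make([]byte, 16)) // sample key
	fmt.Println(UnwrapKey("wrong-password", blob)) // wrong password: no key, only an error
}
```

Only the wrapped blob is written to persistent storage; the password and the derived key-encryption key exist in memory for the duration of the call.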

Today, data at-rest encryption is based on the AES-128 standard and will be upgraded to AES-256 in the next release. There is no charge for using the encryption feature.

Eliminating Risk of Exposure

It should also be noted that the Zadara VPSA architecture isolates each customer’s data from every other customer’s. In other words, where most cloud providers spread all of their customer data across a common set of drives, creating an environment where customer A’s data and customer B’s data are on shared, common drives, Zadara assigns unique drives to each customer. Customer A’s data is on their own set of drives while customer B’s data is located on a separate set of unique drives. This architecture provides an additional level of data privacy.

It’s worth bearing in mind that cloud providers aren’t under the same levels of obligation to disclose data breaches. However, with user-controlled encryption, there is no risk of data being exposed through either deliberate or accidental actions on the part of the cloud provider, leaving you, the customer, with secure cloud storage and peace of mind at all times.

 
