
Data Encryption in the cloud

A Handy Guide

Table of Contents
Introduction
Why Encryption is Different in the Cloud
Common Encryption Misconceptions Worth Rethinking
Encryption In Action Step One: Get Started with Discovery
Encryption In Action Step Two: Consolidate for Control
Encryption In Action Step Three: Selecting Appropriate Technology
Encryption in Action Step Four: Put Encryption to Work
Conclusion: Encryption in the Cloud Done Right

Introduction
The Fine Balance Between Security and Business Objectives

Data encryption has existed for decades as a means of controlling access to, and distribution
of, sensitive information. While it provides invaluable security benefits, encryption can
become a barrier, conflicting with the end-user computing experience and with broader
business objectives such as SaaS adoption.
Left unmonitored and uncontrolled, cloud technologies let users expose data in new ways. As
data, users, and usage migrate from on-premises infrastructure to the cloud, so does the risk
of data leakage. Security practices that do not accommodate the human element encourage
users to exploit the mobile and BYOD trends of the modern workforce to bypass burdensome
corporate policy.
Security professionals face a new imperative in the cloud: to maximize organizational
security and satisfy business goals while enabling user productivity. Integrating encryption
into the cloud computing model requires striking that balance.


01. Why Encryption is Different in the Cloud

The challenges associated with a traditional approach to encryption in the cloud are owed
to three phenomena: the explosion of data in the cloud, the expectations of the modern
user, and the criticality of preserving native cloud functionality.

The Explosion of Data

The cloud has led to massive growth in the sheer volume of data created and shared.
According to Cisco's Global Cloud Index, nearly two-thirds of all workloads will be
processed in the cloud by 2016. Realistically, only a small percentage of this information is
sensitive to an organization and needs to be constrained. Massive, all-encompassing
encryption, an all-too-common approach, must be reconsidered. Encrypting every single file
and folder interferes with the performance of SaaS applications, breaks native cloud
functionality such as search, and slows employees down. It also carries a high setup cost
and is expensive, and unnecessary, because not all data carries the same level of risk.
Encrypting such a high volume of data is like bubble-wrapping an entire house rather than
the fragile items that matter.

Modern User Expectations


Whether leveraging IaaS, PaaS or SaaS platforms, users are now more productive,
efficient, collaborative, and mobile than ever - both in business and their personal lives.
Contemporary users expect to work the way they live - and enterprise security practices
must reflect this shift and focus on offering a similar experience.



Organizations must recognize that users access SaaS applications both inside and outside
of traditional corporate networks. The network devices of the on-premises encryption model
(typically an encryption gateway or proxy that all traffic must traverse) introduce a single
point of failure and lack the scalability, ease of deployment, and mobile compatibility that
have become the new standard.
Attempting to control people through conventional means, such as forcing all traffic through
a corporate VPN, is impractical and unrealistic. Such an approach slows the user experience
and reduces productivity, once again introducing frustration. With a virtual universe of
cloud-based tools at their fingertips, users will find the path of least resistance to
accomplish their work, quickly identifying and adopting alternative platforms. In doing so,
they circumvent monitored channels and deny security teams the visibility and control they
seek.

Native Cloud Functionality

In the cloud, encryption can break the native functionality of cloud platforms and diminish
their inherent value. When data is encrypted before it reaches the platform, with keys the
platform does not hold, the platform cannot index it: search no longer works and the data
can no longer be used in building reports. This is a benefit of encryption when it is applied
appropriately (sensitive data should not be indexable), but overuse of encryption interferes
with the fundamental benefits of the cloud. Preserving the ability for users to collaborate
with each other and with external audiences is essential. A discerning, risk-appropriate
approach to data encryption preserves those benefits, so that encryption becomes a business
enabler rather than a hindrance.


02. Common Encryption Misconceptions Worth Rethinking

People often carry the same series of misconceptions regarding encryption in the cloud.
Here, we discuss four common and widely-accepted fallacies and offer an alternative
viewpoint.

Misconception 1: The Platform is Secure, Making Encryption Unnecessary

The majority of SaaS applications employ comprehensive security measures at the platform
level, including encryption of data at rest and in transit. That encryption, however, is
typically performed with keys the provider holds, and it protects against threats to the
provider's infrastructure, not against a user who shares a file too widely or an app that has
been granted too much access. Usage behaviors introduce risk outside of the application
provider's control, and corporate security protocols must compensate for this variable.
Measures to accommodate user behavior are increasingly important in the cloud model, where
users have a high degree of control over the existence, location, and accessibility of
information assets.

Employing encryption at the file level offers additional value, including:

- Increased granularity and control over what needs to be encrypted, and under what
  conditions.
- Additional security for your most sensitive data in the event of a breach, or of a
  subpoena issued to your cloud application provider: when the organization holds the keys,
  the provider can only hand over ciphertext.
- The possibility of additional security features, including time-limited access, auditing,
  and key management.
- Customizable encryption practice based on proprietary security policy.
- Centralized, policy-driven control across platforms through a third-party encryption tool.
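The following Go program is an added example, not CloudLock's product code and not part of the original guide. It shows what the file-level features listed above look like in practice with keys that stay with the organization: every file gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) the organization holds, access is time-limited, and every access attempt, allowed or denied, is written to an audit log. The names (ProtectedFile, Protect, Access, AuditEvent), the in-memory audit log and the sample file content are assumptions made for illustration; in production the KEK would live in an HSM or KMS and the log in a system the platform cannot alter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// ProtectedFile is what the SaaS platform stores: ciphertext plus a DEK wrapped under the org KEK. The KEK never reaches the platform.
type ProtectedFile struct {
	Name       string
	WrappedDEK []byte    // nonce || AES-GCM(KEK, DEK), AAD = Name
	Ciphertext []byte    // nonce || AES-GCM(DEK, content), AAD = Name
	ExpiresAt  time.Time // time-limited access, checked before unwrapping
}

// AuditEvent is one record of the access log kept outside the platform (layout is this example's assumption).
type AuditEvent struct {
	Actor   string
	File    string
	Allowed bool
	Reason  string
}

// randBytes draws n bytes from the OS CSPRNG; a failure here is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds an AES-GCM instance (AES-256 for the 32-byte keys used here); failures are programming errors.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // errors only for non-128-bit block ciphers; AES is 128-bit
	return g
}

func seal(a cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randBytes(a.NonceSize()) // fresh random nonce per message
	return a.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or any tampering fails the GCM tag check.
func open(a cipher.AEAD, data, aad []byte) ([]byte, error) {
	if len(data) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return a.Open(nil, data[:a.NonceSize()], data[a.NonceSize():], aad)
}

// Protect generates a per-file DEK, encrypts the content with it, and wraps the DEK under the
// org KEK. The file name as AAD binds both blobs to this file, so a wrapped key cannot be moved.
func Protect(kek []byte, name string, content []byte, ttl time.Duration) *ProtectedFile {
	dek := randBytes(32)
	return &ProtectedFile{
		Name:       name,
		WrappedDEK: seal(aead(kek), dek, []byte(name)),
		Ciphertext: seal(aead(dek), content, []byte(name)),
		ExpiresAt:  time.Now().Add(ttl),
	}
}

// Access enforces the window, unwraps the DEK with the org KEK and decrypts; every attempt is logged.
func Access(kek []byte, f *ProtectedFile, actor string, now time.Time, log *[]AuditEvent) ([]byte, error) {
	deny := func(reason string) ([]byte, error) {
		*log = append(*log, AuditEvent{actor, f.Name, false, reason})
		return nil, fmt.Errorf("%s", reason)
	}
	if now.After(f.ExpiresAt) {
		return deny("access window expired")
	}
	dek, err := open(aead(kek), f.WrappedDEK, []byte(f.Name))
	if err != nil {
		return deny("key unwrap failed: wrong KEK or tampered object")
	}
	pt, err := open(aead(dek), f.Ciphertext, []byte(f.Name))
	if err != nil {
		return deny("content decrypt failed")
	}
	*log = append(*log, AuditEvent{actor, f.Name, true, "ok"})
	return pt, nil
}

func main() {
	kek := randBytes(32) // production: a key held in an HSM/KMS the organization controls
	f := Protect(kek, "board-minutes.docx", []byte("constructed sample content"), time.Hour)
	var log []AuditEvent
	pt, err := Access(kek, f, "alice@example.com", time.Now(), &log)
	_, late := Access(kek, f, "alice@example.com", time.Now().Add(2*time.Hour), &log)
	fmt.Printf("in window: %q (%v); after window: %v; audit events: %d\n", pt, err, late, len(log))
}
```

Because the platform stores only WrappedDEK and Ciphertext, a breach of the platform, or a subpoena served on it, yields material that is useless without the KEK. Using the file name as AES-GCM associated data means that someone who can rearrange stored objects cannot attach one file's wrapped key to another file's ciphertext: the tag check fails and the attempt lands in the audit log as a denial.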



Misconception 2: Ubiquitous Encryption Solves Everything

Encrypting everything is expensive, resource-intensive, and, most notably, unnecessary, as
the vast majority of an organization's data is not sensitive. Though secure, painting with
such a broad encryption brush has undeniable downsides. By locking everything down,
organizations risk driving user activity underground and losing visibility as well as
control. Additionally, encryption can interrupt native cloud platform functionality, making
it undesirable at a global level. A realistic and selective approach to encryption secures
sensitive data without interfering with the benefits that brought organizations to the
cloud in the first place.

Misconception 3: Encryption = Compliance

Though encryption is a valuable data governance mechanism that helps secure sensitive data
and satisfy compliance requirements, it is not a silver bullet or a shortcut to regulatory
compliance. To be compliant, organizations must demonstrate more than the encryption of
sensitive data. For instance, the HIPAA Security Rule requires three types of safeguards:
administrative, physical, and technical, and within the technical safeguards encryption is
an addressable specification whose use must be assessed and documented, not simply
switched on. Encryption with auditing capability is a good start, but full compliance
reaches much further.

Misconception 4: Data Security is the Sole Responsibility of IT

Traditionally, data security has been the exclusive responsibility of IT, but that is changing.
There are two primary reasons for this shift: 1) the explosion of data in the cloud makes
centralized control difficult, and 2) users, more than administrators, know best which data
is sensitive and warrants encryption. As users gain an increasing degree of control over this
data, businesses must incorporate them into organizational security efforts. Involving users
also creates an opportunity to educate them and encourage positive digital corporate
citizenship. Forward-thinking institutions inform users by notification when a policy
violation is detected and empower them to self-encrypt and take ownership of their data
security.


03. Encryption In Action Step One: Get Started with Discovery

Gone are the days when all organizational data resided on on-premises servers and only
provisioned products were used for content creation. The cloud encourages users to store
content in a number of SaaS applications, from Google Drive, to Salesforce, to Dropbox,
and more.
To establish effective encryption practices, first conduct an inventory to understand where
content is created and stored. Determine which platforms and SaaS applications users are
on and where data is kept.
Next, identify candidates for file-level encryption. Determine what sensitive content
specific to the organization exists. Use a monitoring solution to scan data stores for
material that violates regulation or internal policy, and refine policies with input from
domain experts. Discovery of appropriate content is an iterative process: start with wide
filters and tune them progressively to identify true positives with high precision, checking
at each step that recall has not been lost.
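The iteration from wide filter to high-precision detector can be made concrete. The Go program below is an added example, not CloudLock's discovery engine and not code from the original guide. It scans constructed sample lines for payment card numbers in three passes: a wide digit-run regex, the same regex plus a Luhn check, and finally a requirement for card-related context on the line, and it scores each pass against ground-truth labels so the effect of every tightening step is visible. The sample lines, their labels, the keyword list and the function names (Hit, Score) are assumptions made for illustration; the two card numbers are the standard Visa and Mastercard test numbers, not real accounts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Doc is a constructed sample line with a ground-truth label so that each
// tuning pass can be scored. Real discovery runs over files pulled from SaaS APIs.
type Doc struct {
	Text      string
	Sensitive bool
}

// Constructed samples: two genuine (test) card numbers and four look-alikes.
var samples = []Doc{
	{"Visa card 4111 1111 1111 1111 exp 12/26 on file for renewals", true},
	{"Mastercard 5555-5555-5555-4444 used for the travel booking", true},
	{"Order 1234567890123456 shipped via ground on Monday", false},
	{"Batch id 0000000000000000 processed without errors", false},
	{"Ticket 20240115093012345 opened by support", false},
	{"Quarterly revenue was 1250000 USD, up 4 percent", false},
}

// Pass 1 ("wide"): any run of 13 to 19 digits, separators allowed. High recall, low precision.
var wide = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// Pass 2 adds the Luhn checksum that every payment card number satisfies.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Pass 3 adds context: in a real document a card number sits near card language.
var contextWords = []string{"card", "visa", "mastercard", "amex", "credit", "cvv"}

func hasContext(line string) bool {
	l := strings.ToLower(line)
	for _, w := range contextWords {
		if strings.Contains(l, w) {
			return true
		}
	}
	return false
}

// Hit reports whether a line trips the detector at the given tuning pass (1-3).
func Hit(pass int, text string) bool {
	for _, m := range wide.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if pass >= 2 && !luhnValid(digits) {
			continue
		}
		if pass >= 3 && !hasContext(text) {
			continue
		}
		return true
	}
	return false
}

// Score counts true positives, false positives and false negatives for one pass.
func Score(pass int, docs []Doc) (tp, fp, fn int) {
	for _, d := range docs {
		switch hit := Hit(pass, d.Text); {
		case hit && d.Sensitive:
			tp++
		case hit && !d.Sensitive:
			fp++
		case !hit && d.Sensitive:
			fn++
		}
	}
	return
}

func main() {
	for i, name := range []string{"wide", "wide+luhn", "wide+luhn+context"} {
		tp, fp, fn := Score(i+1, samples)
		fmt.Printf("%-18s tp=%d fp=%d fn=%d precision=%.2f recall=%.2f\n",
			name, tp, fp, fn, float64(tp)/float64(tp+fp), float64(tp)/float64(tp+fn))
	}
}
```

On these samples the wide pass finds both card numbers but also three false positives (an order number, a timestamp, and an all-zero batch id). The Luhn check removes the order number and the timestamp; the batch id survives it, because a string of zeros is Luhn-valid, and is only removed by the context pass. Recall stays at 100 percent through all three passes, which is the property to verify every time a filter is tightened: a detector that reaches high precision by silently dropping true positives is worse than the wide filter it replaced.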


04. Encryption In Action Step Two: Consolidate for Control

Once discovery has been completed, assess whether the locations found are the best places
for this content.

Location Consolidation
Where appropriate, consolidate the data into a few key repositories so it can be better
managed, and proactively promote adoption of those repositories with your users. Analyze
data use and take measures to mitigate data sprawl.

Data Control
Ensure there are sufficient security safeguards around the identified content and that it is
not exposed through unvetted third-party apps. When users authorize third-party apps with
their corporate identity (OAuth), the scopes the app is granted become a standing access path
into the organization's data that does not depend on the user's password or MFA. Should the
app, or its tokens, be compromised and used to gain access to the domain, the attacker
inherits those scopes; encryption with keys held outside the platform provides an additional
layer of protection, since the app can then read only ciphertext.
Determine which employees genuinely require access to the data and ensure it is not exposed
to inappropriate parties, internal or external. If changes are appropriate, get users on
board with the decisions and best practices that are introduced.
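The scope-based exposure described above can be audited directly from a consent export. The Go program below is an added example, not part of the original guide and not any vendor's tooling. It reads a constructed CSV of OAuth consents (one row per user and app), aggregates them per client ID, scores each app by the broadest scope any user granted it, and lists unvetted apps with the widest access and the most users first. The scope URIs are Google's published scope strings; the export layout, the risk weights, the allowlist of vetted client IDs, and the app names are this example's assumptions.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// Constructed token-grant export, one row per (user, app) consent; the column layout is this example's assumption.
const grantsCSV = `user,app,client_id,scopes
alice@example.com,Expense Helper,111-aaa,openid email https://www.googleapis.com/auth/drive.file
bob@example.com,Expense Helper,111-aaa,openid email https://www.googleapis.com/auth/drive.file
carol@example.com,PDF Merge Free,222-bbb,https://www.googleapis.com/auth/drive
dave@example.com,PDF Merge Free,222-bbb,https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/gmail.readonly
erin@example.com,Corp Signing Tool,333-ccc,https://www.googleapis.com/auth/drive
frank@example.com,Calendar Sync,444-ddd,https://www.googleapis.com/auth/calendar.readonly
`

// Risk weight per scope (assumed for this example): whole-corpus scopes score highest,
// per-file and identity scopes lowest. Scopes not in the table are scored 3 until reviewed.
var scopeRisk = map[string]int{
	"https://www.googleapis.com/auth/drive":             3,
	"https://www.googleapis.com/auth/gmail.readonly":    3,
	"https://www.googleapis.com/auth/drive.file":        1,
	"https://www.googleapis.com/auth/calendar.readonly": 1,
	"openid":                                            0,
	"email":                                             0,
}

// Finding aggregates every consent granted to one OAuth client.
type Finding struct {
	App, ClientID string
	Users, Scopes []string
	Risk          int  // highest-risk scope granted to any user
	Vetted        bool // on the organization's reviewed-app list
}

func addUnique(list []string, v string) []string {
	for _, x := range list {
		if x == v {
			return list
		}
	}
	return append(list, v)
}

// Audit parses the export, aggregates per client ID, and orders the findings so that
// unvetted apps with the broadest access, then the most users, come first.
func Audit(export string, vetted map[string]bool) ([]Finding, error) {
	rows, err := csv.NewReader(strings.NewReader(export)).ReadAll()
	if err != nil || len(rows) < 2 {
		return nil, err
	}
	byClient := map[string]*Finding{}
	for _, r := range rows[1:] { // rows[0] is the header
		user, app, id := r[0], r[1], r[2]
		f := byClient[id]
		if f == nil {
			f = &Finding{App: app, ClientID: id, Vetted: vetted[id]}
			byClient[id] = f
		}
		f.Users = addUnique(f.Users, user)
		for _, s := range strings.Fields(r[3]) {
			f.Scopes = addUnique(f.Scopes, s)
			risk, known := scopeRisk[s]
			if !known {
				risk = 3
			}
			if risk > f.Risk {
				f.Risk = risk
			}
		}
	}
	out := make([]Finding, 0, len(byClient))
	for _, f := range byClient {
		out = append(out, *f)
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Vetted != b.Vetted {
			return !a.Vetted
		}
		if a.Risk != b.Risk {
			return a.Risk > b.Risk
		}
		return len(a.Users) > len(b.Users)
	})
	return out, nil
}

func main() {
	vetted := map[string]bool{"333-ccc": true} // the organization's reviewed-app list (assumed)
	findings, err := Audit(grantsCSV, vetted)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("risk=%d vetted=%-5t users=%d %-18s %v\n", f.Risk, f.Vetted, len(f.Users), f.App, f.Scopes)
	}
}
```

Two design choices matter here. Risk is taken from the broadest scope any single user granted, because one consent to full Drive access exposes everything that user can reach regardless of what other users granted. And a scope the table does not know is scored as high risk rather than ignored, so a new or renamed scope forces a review instead of silently dropping out of the report. On the constructed data the unvetted "PDF Merge Free" app, with full Drive and read-only Gmail access for two users, sorts to the top, while the vetted signing tool with the same Drive scope sorts last.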


05. Encryption In Action Step Three: Selecting Appropriate Technology

Encryption is suitable for securing the most sensitive files, but for it to be an effective and
adopted security measure in practice, the selected technology needs careful
consideration. In choosing a solution, consider the following elements:


User Experience
A positive user experience is essential. To the greatest
extent possible, the solution needs to be seamless to
the end user, permitting the full functionality of the
platform they have enjoyed previously - all while
providing a high degree of security. If the solution is too
invasive or encumbering, users will seek to circumvent it
to maintain effectiveness in their role.

Compatibility
The encryption solution ideally needs to be compatible with all the platforms where
sensitive data may reside, and with all devices that may access it. Requiring users to
understand and use multiple encryption technologies, coupled with limiting device
support, will lead to confusion, frustration, and, again, circumvention.

Actionability
The encryption solution must be actionable from the point of discovery. Being able to
encrypt a file as soon as it is found to contain sensitive information, rather than after a
separate manual process, shortens the window of exposure and dramatically improves the
organization's security posture.


06. Encryption in Action Step Four: Put Encryption to Work

Create policies that secure your enterprise - without interfering with the user experience.
The tuned data classification mechanisms from the discovery phase combined with DLP
techniques for identifying enterprise-specific sensitive content should be used to create
actionable policies.

Workflow: Notify Content Owner -> Review Content -> Offer Encryption

A content owner who logs in one day to find their files have been automagically encrypted
will not be a happy employee. User involvement in these actions is essential. Including users
in security initiatives by encouraging them to review their content and take action lets
them evolve from passive employees, capable of leaking data inadvertently, into educated,
active stakeholders and allies in organizational security. By adopting a people-centric
approach to encryption and to security at large, organizations can reduce the workload on IT
while mitigating the risk of users exposing sensitive data.


Conclusion
Encryption in the Cloud Done Right
As organizations standardize on SaaS applications and users self-provision in the cloud,
enterprises must recognize the importance of data security in this brave new world. Adapting
conventional on premises security mechanisms to the cloud, such as encryption, requires careful
consideration. A contemporary cloud-conscious and user-centric approach to encryption can help
organizations accelerate SaaS adoption by enabling a higher degree of control over access to
sensitive data stored in the cloud.


CloudLock Selective Encryption

CloudLock provides people-centric security, allowing organizations to discover, classify,
and encrypt their most sensitive data. With CloudLock you can ensure that it is protected
while empowering users with their SaaS platforms' native collaboration capabilities.
