
Protecting information instead of devices 

Tietoevry at your service / February 06, 2020

Until relatively recently, protecting corporate information from cybercrime was very much oriented around the idea of protecting the physical devices that stored and processed information. With the advent of virtualized infrastructure and, most recently, the cloud-native service architectures, this linkage between information and specific, identifiable devices has been broken.

This calls for a change – from protecting infrastructure to protecting the information itself. 

Traditional protection methods – firewalls, endpoint protection, and different flavours of intrusion prevention systems – have relied on explicit knowledge of the infrastructure topology in order to detect and block malicious behaviour. This approach is rapidly becoming obsolete with the advent of ephemeral infrastructure, where servers, storage pools and even networks come and go at sub-minute timescales. Today, any reliance on static, infrastructure-level protection is largely hit-and-miss.  

All is not lost, however. By turning our attention to the information itself, we can shift our focus back to what matters. In many ways, the currently popular so-called zero-trust architectures are a good match for protecting dynamic public cloud environments. As defined in practice by, for example, Google in its BeyondCorp and, more recently, BeyondProd concepts, access control with no reliance on a trusted network is a step in the right direction. Such approaches, however, require wholesale commitment and investment from the entire organization – something not easily attainable in real life.

For most organizations, a more grounded approach may well be to start from the other end. One such approach is transparent encryption. Essentially, this means that the information residing in public clouds is encrypted, with decryption keys allocated based on existing IAM roles. Transparent encryption differs from e.g. full disk encryption in that the file metadata remains visible to admins, allowing them to perform activities as before, while the file contents are readable only with the correct set of keys.

This, as some readers probably have already noticed, moves the problem from protecting data access to protecting access to the keys.   
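As an added example (not code from the post or from Tietoevry), the Go program below sketches the transparent-encryption path just described: each object's contents are encrypted under a per-object data key, that key is wrapped by a master key that never leaves a stand-in KMS, and the KMS unwraps it only for allow-listed IAM roles, so metadata stays visible while the access decision moves to the key. The KMS and Object types, the role names and the use of AES-256-GCM are assumptions made for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Object is a stored file: Name stays readable by admins, Body does not.
type Object struct {
	Name       string
	WrappedDEK []byte // per-object data key, encrypted under the KMS master key
	Body       []byte // contents, encrypted under the data key
}
// KMS stands in for a cloud key service (constructed here, not a real API).
type KMS struct {
	master     []byte          // 32-byte AES-256 key that never leaves the KMS
	canDecrypt map[string]bool // IAM roles allowed to have data keys unwrapped
}
func seal(key, pt []byte) []byte { // AES-256-GCM, nonce prefixed; keys are 32 bytes here
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) { // wrong key or tampering fails GCM auth
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// Store encrypts under a fresh data key and wraps that key with the master key.
func (k *KMS) Store(name string, pt []byte) Object {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Object{name, seal(k.master, dek), seal(dek, pt)}
}
// Read: the role check sits at the KMS, so guarding data is now guarding the key.
func (k *KMS) Read(role string, o Object) ([]byte, error) {
	if !k.canDecrypt[role] {
		return nil, errors.New("kms: role " + role + " may not unwrap keys")
	}
	dek, err := open(k.master, o.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, o.Body)
}
```

A storage admin can list and move the object by its Name but cannot read Body; rotating or revoking the role at the KMS changes who can decrypt without touching the stored data.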

There are essentially three different types of encryption schemes available for public clouds:

  • Native encryption: Every public cloud platform offers data encryption as a standard feature. In the simplest form, the cloud provider creates an encryption key when the subscription is created, and all assets are then encrypted with this key. In most cases, the key is held in a Key Management System (KMS) operated by the cloud provider. While this approach is more than enough for most users, it does rely on the cloud provider to maintain the confidentiality of the encryption key.
  • Bring Your Own Key (BYOK): Some use cases may require the cloud user to create and maintain their own keys. This model is supported by all major cloud providers, allowing users to store the keys either on-platform, using a shared or dedicated KMS, or, in some cases, in their own off-platform KMS. The latter model creates an almost complete disconnect from the cloud provider but places significant demands on the user organization to perform proper key management practices – a task that is more complex than it may initially seem.
  • Bring Your Own Encryption (BYOE): For some extreme use cases, some cloud providers allow users to plug in their own encryption algorithms in addition to keys. While it is not advisable for anyone to roll their own algorithms, certain regulatory regimes may put specific requirements on the strength of encryption and/or require proprietary cryptosystems to be used. BYOE allows these requirements to be fulfilled, albeit often with a significantly higher administrative burden on the user. 

Whichever model of encryption is chosen, each provides reasonable assurance that only authorized users, whether human or machine, can access the protected information. For public cloud environments, the use of a proper encryption regime can also be automatically enforced in policies across all deployed assets.  

As computing and storage assets and even entire infrastructures become more dynamic, with lifetimes ranging from milliseconds to hours, information protection must move closer to the information itself. A well-designed encryption regime offers several benefits over traditional infrastructure-based controls. It also provides a perfect stepping stone towards zero-trust architectures, should that be the future direction of your organization. 

Want to hear more? Watch the recording of our webinar and learn how to build cybersecurity into the DNA of cloud-native applications.
