Cloud Encryption – a Fundamental First Step in Cloud Security

Exposing a virtualization weakness for data theft, Snapshotting your data, and the internal threat, are new cloud risks that didn’t exist when the data was stored between the four walls of your datacenter.   Data encryption is a critical first step for any organization considering the cloud. In Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) clouds, protecting data at rest is your responsibility. To meet privacy obligations to your customers and employees, and to comply with regulatory standards such as PCI DSS, HIPAA and SOX, businesses must securely encrypt cloud-based data, while keeping operational overhead to a minimum.

New Cloud Security risks to your data:

Gaining access from a different virtual server within the same physical hardware:

Cloud computing is all about virtualization. Multiple customers will share a single physical server and will be logically separated from each other. In theory, one can share the same physical server with his competitor. Gaining access to sensitive data from a different virtual server inside the same physical server can be achieved by an attacker exploiting a virtualization operating system vulnerability, or by one of your other cloud system administrators (a “malicious insider” from a different project in your own organization) using his credentials or exploiting one of many known web application vulnerabilities to launch an attack on the virtual server in order to access and steal sensitive data. Encrypting your data will not enable the attacker to view it, even if he did gain access to your virtual OS.


Snapshotting your virtual storage:

Here’s an interesting infrastructure as a service scenario: A malicious user gains access to your cloud console by stealing your credentials (or by exploiting vulnerabilities in the cloud access control infrastructure), allowing him access to your cloud servers. Once in, a simple snapshot will move your data to a deferent location of his choice. This risk is in our opinion the most obvious reason for cloud encryption, but surprisingly enough, not all cloud customers are aware of the threat, hence exposing their cloud residing data to a significant risk.

The Insider Threat

Back in March 2011, Health Net had publically announced it had lost 1.9 Million customer records as a result of its IT vendor misplacing nine server drives following a move to a new data center. The point is that an insider threat is not necessarily a malicious user, but the impact is almost similar to a malicious action. Data encryption in this case would have saved a significant amount of money to the provider but more importantly the private records would not have been exposed.

Providing an effective encryption solution in a cloud environment is not an easy task. An effective cloud encryption solution must cover the entire data layer (including virtual disks, distributed storage, databases, etc…), while not exposing your encryption keys to anyone but yourself. Porticor infuses trust into the cloud with secure, easy to use, and scalable solutions for data encryption and key management. Porticor enables companies of all sizes to safeguard their data, comply with regulatory standards, and streamline operations.



  1. […] posted Cloud Encryption – a Fundamental First Step in Cloud Security on 3/7/2012 to the Portico Cloud Security […]

  2. Quora says:

    What is the first priority cloud security concern?…

    To me, the most common security risk is unencrypted data. The approach to this issue is much dependent on the geographical region. We’ve noticed that cloud data is generally approached from a compliance point of view in the US, but in EMEA, the patrio…

  3. […] 15, 2012 By Ariel Leave a CommentI’ve discussed new cloud security threats in my previous blog post, and highlighted a concern we keep hearing from our customers – snapshoting a virtual […]

  4. […] become must-have items in the cloud (we’ve discussed the new cloud security threats in depth in this blog).In addition to the above threats, legal considerations such as the USA Patriot Act or the EU Data […]

  5. […] center, but at the same time cloud data security, cloud encryption and cloud key management remains top concerns. Thought leaders and analysts agree that cloud data encryption is a fundamental first step. But […]

  6. […] But in addition to traditional threats, new cloud-related threats should be considered as part of your security strategy. Shared compute resources, the “cloud insider” threat, malicious snapshotting of virtual disks and cloud hijacking are all new risks associated with the cloud. As a result, creating and maintaining an encryption policy and using encrypted cloud storage become must-have items in the cloud (we’ve discussed the new cloud security threats in depth in this blog). […]

Speak Your Mind