Last week, we tackled the basics of monitoring your AWS deployment. This week we’re going to shift gears and take a look at encryption.
Your business runs on data and information. One of the biggest concerns about moving to the public cloud is the safety of that data. With a little due diligence, you can put those concerns to bed.
There are three key steps to protecting your data in the cloud:
You can’t take steps to protect your data until you understand what you have, what it’s worth to you and your customers, and where it’s stored and processed.
Looking at your network, what type of customer data do you store? Any intellectual property that gives you a competitive advantage? Access credentials for your systems?
Start by taking an inventory of your data.
Now, go through that inventory and try to prioritize the data. How important is it to your customers? Your business operations? Your reputation? You don’t need hard values for the data, just a rough idea of what’s important to your business.
Once you have that list, track down where and how you store that data and where it is processed. These are the areas you should focus on securing first.
How you protect your data at rest depends heavily on where you store it. If you’re storing your data as files on a drive, you can either encrypt the entire drive or encrypt file-by-file. If your data is stored in a database, you can either encrypt the entire database or encrypt value-by-value.
In both scenarios, file or database, your choice really boils down to:
From a usability perspective, the less you need to worry about encryption for day-to-day operations, the better. This usually leads to encrypting the underlying storage. However, this can also impose a performance penalty on your deployment.
Whichever method you choose, test it to ensure that it meets both your security and performance requirements.
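The value-by-value option above is the one that puts the most work on the application, so it helps to see what that work actually is. The following Go program is an added example, not code from the original post or from Trend Micro: it encrypts a single database column value with AES-256-GCM, stores nonce, ciphertext and authentication tag together as one base64 string, and binds the record identifier in as additional authenticated data so that a ciphertext copied from one row into another fails to decrypt. The key source (`NewKey`), the record identifiers and the sample e-mail address are constructed for the example; in a real deployment the key would come from a key-management service rather than being generated next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. Constructed for this example; in
// production the key lives in a key-management service, never beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptValue encrypts one column value with AES-256-GCM and returns
// base64(nonce || ciphertext || tag), which is what gets written to the
// database. recordID is bound in as additional authenticated data, so the
// same ciphertext stored under a different row ID will not decrypt.
func EncryptValue(key []byte, recordID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	// A fresh random nonce per value; GCM must never reuse one under a key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptValue reverses EncryptValue. Any change to the stored blob, the key
// or the recordID makes gcm.Open return an error rather than garbage.
func DecryptValue(key []byte, recordID, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to hold a nonce")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample row: a customer record whose e-mail column is encrypted.
	stored, err := EncryptValue(key, "customer-42", "alice@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in the database:", stored)

	back, err := DecryptValue(key, "customer-42", stored)
	fmt.Println("decrypted for customer-42:", back, err)

	_, err = DecryptValue(key, "customer-43", stored)
	fmt.Println("same blob read as customer-43:", err)
}
```

The usability cost the paragraph refers to is visible here: every read and write of the column has to go through these functions, queries cannot filter or sort on the encrypted value, and key rotation means re-encrypting every row. Whole-disk or whole-database encryption avoids all of that, at the price of protecting only against loss of the storage medium rather than against a compromised application or database account.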
While protecting your data at rest involves some performance testing and hard decisions, protecting data in motion doesn’t. Use encrypted communication channels throughout your deployment.
Use SSL/TLS for any HTTP traffic (that’s the “S” in “HTTPS”) with a valid certificate from a trusted 3rd party [1]. If your deployment isn’t using HTTP as a transport, find the encrypted equivalent for the protocol you use.
The performance impact of an all-encrypted communications channel is negligible. There is no reason not to use an encrypted transport.
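The “valid certificate from a trusted 3rd party” part matters as much as the encryption itself, because TLS clients only authenticate the other end if certificate validation is left switched on. The Go program below is an added example, not code from the original post or from Trend Micro. It starts a loopback HTTPS server whose certificate is self-signed (the `net/http/httptest` package generates it), shows that a stock `http.Client` refuses to talk to it, and then shows the two ways a client can be made to connect: trusting the issuing certificate explicitly, which is the right fix for an internal service with a private CA, and `InsecureSkipVerify`, which is the weak setting to avoid because it leaves the channel encrypted but unauthenticated. The server, handler and URL are all constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// StartTestServer starts an HTTPS server on loopback that answers "ok".
// httptest issues it a self-signed certificate, which stands in here for a
// certificate that no trusted third party has vouched for. Caller closes it.
func StartTestServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// Fetch performs a GET with the given client and returns the response body.
// With http.DefaultClient the server certificate is validated against the
// system trust store, so an unknown issuer makes the handshake fail.
func Fetch(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// ClientTrusting returns a client that accepts certificates chaining to the
// given CA (or self-signed certificate) and refuses anything below TLS 1.2.
// Distributing the CA like this keeps validation on for a private CA.
func ClientTrusting(ca *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// ClientSkippingVerification is the weak setting: InsecureSkipVerify keeps
// the bytes encrypted but accepts whatever endpoint answers on the wire.
// Included only to contrast with ClientTrusting.
func ClientSkippingVerification() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

func main() {
	srv := StartTestServer()
	defer srv.Close()

	_, err := Fetch(http.DefaultClient, srv.URL)
	fmt.Println("default client:", err) // rejected: certificate signed by unknown authority

	body, err := Fetch(ClientTrusting(srv.Certificate()), srv.URL)
	fmt.Println("client trusting the issuer:", body, err)

	body, err = Fetch(ClientSkippingVerification(), srv.URL)
	fmt.Println("client with verification disabled:", body, err)
}
```

A handy check when reviewing a deployment: grep the code and configuration for `InsecureSkipVerify`, `verify=False`, `-k`/`--insecure` and their equivalents. Each hit is a place where the transport is encrypted but the peer is not authenticated, and the fix is to install the right CA, not to keep the flag.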
Encryption can be a tricky subject to address but there’s no need to be intimidated. Take an inventory of your data, prioritize it by value. Work through the inventory applying the appropriate level of encryption to each data store in turn. Make sure that all communications within your deployment are encrypted.
Taking these simple steps will greatly increase the security of your data at rest and in motion.
What do you do to protect your sensitive data in the cloud? Please share your tips in the comments! And if you’re interested in securing your EC2 or VPC instances, check out our new Deep Security as a Service for cloud servers, currently in free Beta.
[1] Full disclosure, Trend Micro is in the SSL certificate business but a certificate from any trusted 3rd party will get the job done. A quick search for “SSL certificate vendors” will turn up quite a few possibilities.