Data Security in Cloud — Securing AWS and Azure data
Data security in the cloud can be classified into two broad categories:
- Protecting data at rest
- Protecting data in transit
Data security has many components that help in securing data in multiple ways; I will walk through the major components available with both AWS and Azure
Before going in deep, we should understand the concept of encryption and decryption
Data encryption is a method of protecting data confidentiality by converting it to encoded information, called ciphertext, that can only be decoded with a unique decryption key, generated either at the time of encryption or beforehand.
Data encryption can be used during data in transmission or with stored in cloud services like database, File system and typically used in conjunction with authentication services to ensure that keys are only provided to, or used by, authorized users.
Components in Data Encryption and Decryption
- Data to be encrypted/Decrypted
- Encryption/Decryption Algorithm
AWS and Azure are using Advanced Encryption Standard (AES) encryption predominantly, however both are using different encryption methods at their services level
Symmetric vs Asymmetric Encryption
The type of encryption used depends on how data is intended to be accessed and by whom.
Private encryption key (symmetric)
- Symmetric uses a private key for encryption and decryption.
- Faster method than asymmetric encryption and is best used by individuals or within closed systems, but less secured while using in transmission
- The most commonly used type of symmetric encryption is AES.
Public encryption key (asymmetric)
- Asymmetric encryption uses paired public and private keys that are mathematically linked and can only be used together.
- Either key can be used to encrypt data but the paired key must be used to decrypt it.
- More secured and most commonly used types of asymmetric encryption are ElGamal, RSA, DSA, and PKCS.
Data Encryption Standards
There are numerous data encryption algorithms to choose from, depending on the use case, but the ones most frequently used are:
Triple DES (3DES or TDES)
- Uses DES algorithm and can be run with a single key, two keys, or three different keys with increasing security.
- 3DES uses a block cipher method, making it vulnerable to attacks such as block collision.
- One of the first public-key algorithms and uses one-way asymmetric encryption.
- RSA is popular due to its long key length and is used widely throughout the Internet.
- It is part of many security protocols, like SSH, OpenPGP, S/MIME, and SSL/TLS, and is used by browsers to create secure connections over insecure networks.
Elliptic Curve Cryptography (ECC)
The Advanced Encryption Standard (AES)
AES is a symmetric-key algorithm that uses block cipher methods and available in 128, 192, and 256bit sizes. It was built for easy implementation in both hardware and software
AWS Securing data at rest
AWS provides several options for encrypting data at rest including fully automated and fully managed AWS encryption solutions, manual encryption solutions, client-side encryption, and so on.
The S3 is one of the major and most commonly used storage services in the AWS platform. It supports a wide range of use cases such as file storage, archival records, disaster recovery, website hosting, and so on. The S3 provides multiple features to protect your data such as encryption, MFA, versioning, access control policies, cross-region replication, and so on.
The S3 provides server-side encryption feature for encrypting user data. AWS manages the master key used for this encryption and ensures that this key is rotated on a regular basis. AWS generates a unique encryption key for each object and then encrypts the object using AES-256. The encryption key then encrypts itself using AES-256, with a master key that is stored in a secure location
The AWS also supports client-side encryption where encryption keys are created and managed by you. Data is encrypted by your applications before it is submitted to AWS for storage and the data is decrypted after it is received from the AWS services. The data is stored in the AWS service in an encrypted form and AWS has no knowledge of encryption algorithms or keys used to encrypt this data. You can also use either symmetric or asymmetric keys along with any encryption algorithm for client-side encryption. AWS provided Java SDK, offers client-side encryption features for Amazon S3.
Amazon EBS is an abstract block storage service providing persistent block level storage volumes. These volumes are attached to Amazon Elastic Compute Cloud (EC2) instances.
You can encrypt both the boot and data volumes of an EC2 instance.
Protect data at rest, stored in EBS volumes that are attached to an EC2 instance Replication
AWS stores each EBS volume as a file and creates two copies of this volume in the same availability zone and provides redundancy against hardware failure
You can create snapshots for your EBS volumes to get point in time copies of your data stored in EBS volume. These snapshots are stored in AWS S3 so they provide the same durability as any other object stored in S3.
Amazon RDS enables you to encrypt your data for EBS volumes, snapshots, read replicas and automated backups of your RDS instances. One of the benefits of working with RDS is that you do not have to write any decryption algorithm to decrypt your encrypted data stored in RDS. This process of decryption is handled by Amazon RDS
AWS uses AES-256 for encrypting each Amazon Glacier archive and generates separate unique encryption keys for each of these archives. By default, all data stored on Amazon Glacier is protected using the server-side encryption. The encryption key is then encrypted itself by using the AES-256 with a master key. This master key is rotated regularly and stored in a secure location.
Amazon DynamoDB can be used without adding protection. However, for additional protection, you can also implement a data encryption layer over the standard DynamoDB service. DynamoDB supports number, string, and raw binary data type formats. When storing encrypted fields in DynamoDB, it is a best practice to use raw binary fields or Base64-encoded string fields
Amazon EMR is a managed Hadoop Framework service in the cloud. AWS provides the AMIs for Amazon EMR, and you can’t use custom AMIs or your own EBS volumes. Amazon EMR automatically configures Amazon EC2 firewall settings such as network access control list (ACL) and security groups for controlling network access for instances. These EMR clusters are launched in an Amazon Virtual Private Cloud (VPC).
By default, Amazon EMR instances do not encrypt data at rest. Usually, EMR clusters store data in S3 or in DynamoDB for persistent data.
Securing data in transit
Most of the web applications that are hosted on AWS will be sending data over the internet and it is imperative to protect data in transit. This transit will involve network traffic between clients and servers, and network traffic between servers. So data in transit needs to be protected at the network layer and the session layer
AWS services provide IPSec and SSL/TLS support for securing data in transit. An IPSec protocol extends the IP protocol stack primarily for the network layer and allows applications on the upper layers to communicate securely without modification. The SSL/TLS, however, operates at the session layer. The Transport Layer Security (TLS) is a standard set of protocols for securing communications over a network. TLS has evolved from Secure Sockets Layer (SSL) and is considered to be a more refined system.
AWS Key Management Infrastructure (KMI)
AWS offers different key management services for both data at rest and data in transit
AWS KMS is a fully managed service that supports encryption for your data at rest and data in transit while working with AWS services. AWS KMS lets you create and manage keys that are used to encrypt your data. It provides a fully managed and highly available key storage, management and auditing solution that can be used to encrypt data across AWS services as well as to encrypt data within your applications. It is low cost as default keys are stored in your account at no charge — you pay for key usage and for creating any additional master keys.
AWS and AWS partners offer various options such as AWS KMS to protect your data in AWS. However, due to contractual, regulatory compliance, or corporate requirements for security of an application or sensitive data, you might need additional protection.
AWS CloudHSM is a cloud-based dedicated, single-tenant HSM allowing you to include secure key storage and high-performance crypto operations to your applications on the AWS platform. It enables you to securely generate, store, manage, and protect encryption keys in a way that these keys are accessible only by you or authorized users that only you specify and no one else.
AWS CloudHSM is a fully managed service that takes care of administrative, timeconsuming tasks such as backups, software updates, hardware provisioning, and high availability by automating these tasks. However, AWS does not have any access to configure, create, manage, or use your CloudHSM. You can quickly scale by adding or removing HSM capacity on-demand with no upfront costs.
An HSM is a hardware device providing secure key storage and cryptographic operations inside a tamper-proof hardware appliance.
Amazon Macie is the newest security service powered by Artificial Intelligence launched by AWS that uses machine learning to identify, categorize, and secure your sensitive data that is stored in S3 buckets. It continuously monitors your data and sends alerts when it detects an anomaly in the usage or access patterns. It uses templated Lambda functions for sending alerts, revoking unauthorized access, or resetting password policies upon detecting suspicious behavior.
Like AWS, Azure also provides different encryption methods for data In transit and at rest. Also provides its own Key management services
Encryption of data at rest
Microsoft Azure offers a variety of data storage solutions to meet different needs, including file, disk, blob, and table storage. Microsoft also provides encryption to protect Azure SQL Database, Azure Cosmos DB, and Azure Data Lake.
Azure encryption models
Azure supports various encryption models, including server-side encryption that uses service-managed keys, customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware. With client-side encryption, you can manage and store keys on-premises or in another secure location.
Like AWS, Azure has no knowledge of encryption algorithms or keys used to encrypt client data. Also the data is encrypted by your applications before it is submitted to Azure for storage and the data is decrypted after it is received from the Azure services. The data is stored in the Azure service in an encrypted form
The three server-side encryption models offer different key management characteristics, which you can choose according to your requirements:
Service-managed keys: Provides a combination of control and convenience with low overhead.
Customer-managed keys: Gives you control over the keys, including Bring Your Own Keys (BYOK) support, or allows you to generate new ones.
Service-managed keys in customer-controlled hardware: Enables you to manage keys in your proprietary repository, outside of Microsoft control. This characteristic is called Host Your Own Key (HYOK). However, configuration is complex, and most Azure services don’t support this model.
Azure disk encryption
You can protect Windows and Linux virtual machines by using Azure disk encryption, which uses Windows BitLocker technology and Linux DM-Crypt to protect both operating system disks and data disks with full volume encryption.
Azure Storage Service Encryption
Data at rest in Azure Blob storage and Azure file shares can be encrypted in both server-side and client-side scenarios.
Azure Storage Service Encryption (SSE) can automatically encrypt data before it is stored, and it automatically decrypts the data when you retrieve it. The process is completely transparent to users. Storage Service Encryption uses 256-bit Advanced Encryption Standard (AES) encryption, which is one of the strongest block ciphers available. AES handles encryption, decryption, and key management transparently.
Transparent Data Encryption
TDE is used to encrypt SQL Server, Azure SQL Database, and Azure Synapse Analytics data files in real time, using a Database Encryption Key (DEK), which is stored in the database boot record for availability during recovery.
TDE protects data and log files, using AES and Triple Data Encryption Standard (3DES) encryption algorithms. Encryption of the database file is performed at the page level. The pages in an encrypted database are encrypted before they are written to disk and are decrypted when they’re read into memory. TDE is now enabled by default on newly created Azure SQL databases.
Always Encrypted feature
With the Always Encrypted feature in Azure SQL you can encrypt data within client applications prior to storing it in Azure SQL Database. You can also enable delegation of on-premises database administration to third parties and maintain separation between those who own and can view the data and those who manage it but should not have access to it.
Azure offers Cell-level or column-level encryption
Cosmos DB database encryption
Azure Cosmos DB is Microsoft’s globally distributed, multi-model database. User data that’s stored in Cosmos DB in non-volatile storage (solid-state drives) is encrypted by default. There are no controls to turn it on or off. Encryption at rest is implemented by using a number of security technologies, including secure key storage systems, encrypted networks, and cryptographic APIs. Encryption keys are managed by Microsoft and are rotated per Microsoft internal guidelines.
At-rest encryption in Data Lake
Azure Data Lake is an enterprise-wide repository of every type of data collected in a single place prior to any formal definition of requirements or schema. Data Lake Store supports “on by default,” transparent encryption of data at rest, which is set up during the creation of your account. By default, Azure Data Lake Store manages the keys for you, but you have the option to manage them yourself.
Three types of keys are used in encrypting and decrypting data: the Master Encryption Key (MEK), Data Encryption Key (DEK), and Block Encryption Key (BEK). The MEK is used to encrypt the DEK, which is stored on persistent media, and the BEK is derived from the DEK and the data block. If you are managing your own keys, you can rotate the MEK.
Encryption of data in transit
TLS encryption in Azure
Microsoft gives customers the ability to use Transport Layer Security (TLS) protocol to protect data when it’s traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.
Other In transit encryptions
HTTPS for access over console or Rest API and Shared Access Signatures ( SAS), which can be used to delegate access to Azure Storage objects, include an option to specify that only the HTTPS protocol can be used when you use Shared Access Signatures. This approach ensures that anybody who sends links with SAS tokens uses the proper protocol.
SMB encryption is turned on for a share or server, only SMB 3.0 clients are allowed to access the encrypted shares.
Azure VPN encryption
You can connect to Azure through a virtual private network that creates a secure tunnel to protect the privacy of the data being sent across the network.
Azure VPN options like Point-to-site VPNs and Site-to-site VPNs are using IPsec for secure tunneling
Key management with Key Vault
Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users through Azure Active Directory accounts.
Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and applications don’t have direct access to them. You can also import or generate keys in HSMs
In this article, we learned the two different encryption methods and various data security provided by AWS and Azure while the data in transmission or data at provider’s environment. Key management is challenging data encryption, we should secure the master key to encrypt or decrypt data. Both AWS and Azure offers their own Key management services to encrypt your data
Create and maintain a secure cloud ecosystem by Albert Anthony and Published at Packt Publishing Ltd.
Originally published at https://www.linkedin.com.