Why Even Your Confidential Data Is - By Far - Safest in AWS
Every organisation handles confidential data. There are different priority levels for different types of data. Some data is top priority, and needs encryption. This includes data like user IDs, financial data, location tracking data, and data protected by agreements. Let’s discuss how AWS—the leading cloud vendor—handles data encryption, and how it compares with more traditional methods of data encryption.
If you’ve handled confidential data for many years, you likely have a mature data encryption process set up. However, many organisations believe the myth that the cloud is not secure enough to host your most confidential data. As a result, many have resorted to moving most of their data to the cloud, but keep confidential data on private servers managed by security processes that were implemented a decade ago.
Let’s look at what a typical data encryption process looks like.
The data encryption process
In cryptography (the science of protecting information with codes and ciphers), unencrypted data is called plaintext. To encrypt it, you run the plaintext through an encryption algorithm together with a key; the output is ciphertext. That ciphertext can be read only by authorised users who hold the key that was used to encrypt the plaintext.
When an authorised user inputs the key, the data is decrypted back to plaintext, and is accessible to the user.
The most important step in encryption is making sure the key itself is stored securely and can be accessed only by the right people. That means encrypting the key as well. You can keep going, encrypting each successive key with another one, and the key at the top of that chain, the last one you end up with, is the master key. Encrypted data may be held in memory while an application is using it, or on disk when it is not. It is critical to encrypt data not just while it travels across the network (in transit), but also while it sits in storage (at rest).
You can encrypt data at any level—rows or columns in a database, files, or volumes of storage. For example, you can encrypt particular rows of data with a key, then encrypt the entire file with a key, then encrypt a group of files with another key, and finally use a master key to encrypt all groups of files (you get the idea).
This approach has two benefits. First, if by chance a key for a particular row is compromised, it limits the blast radius to just that row, and keeps the rest of the data safe. Second, you can control who has access to your data by sharing keys at specific levels to appropriate people.
While key management used to be confined to on-premises servers, the cloud now offers robust security solutions of its own. If you’re moving critical data to the cloud, AWS is the safest place for it: it can not only rival but outperform any encryption scheme you could plan in your own data centre.
How AWS handles data encryption
At the heart of AWS’ data encryption service is KMS, a cloud-based key management service that you can control from right within your IAM console. It lets you encrypt your data in many ways.
Server-side encryption
This is the completely cloud-centric option where you send AWS all the data you’d like to have encrypted. Your data can be stored in S3, EBS, or any of the storage solutions from AWS. You can either automate the encryption, or log into KMS and manually set up the encryption. Server-side encryption is the easiest, as it leverages AWS’ expertise in data encryption, leaving very little for you to do.
Client-side encryption
In this approach, you handle the data encryption and key management, and simply use AWS S3, or a similar AWS storage solution, as ‘dumb’ storage to host all your encrypted data. It works by installing an AWS SDK agent that transfers encrypted data from your servers to AWS storage. This comes with the added workload of managing the encryption yourself, but the upside is that you have more control over how your data is encrypted. For maximum control, however, you need to go a step further.
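As an added example (not code from the original post, and not AWS’s own SDK code), here is a small Go program that implements the key hierarchy described in the data encryption section above and the client-side pattern in which you hold the keys and the storage service only ever sees ciphertext. Each record is encrypted with its own data key, and a master key wraps those data keys; in production the master key would stay inside KMS or a CloudHSM device rather than in process memory. The function names (EncryptRecord, DecryptRecord, BlastRadiusDemo), the sample rows and the demo master key are assumptions made up for this illustration. It uses only the Go standard library (AES-256-GCM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what lands in "dumb" storage (an S3 object, a database row): the record
// sealed under its own data key, plus that data key sealed under the master key.
type Envelope struct {
	WrappedKey []byte // data key sealed with the master key; the plaintext key is never stored
	Ciphertext []byte // record sealed with the data key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM authenticates, so a wrong key or a flipped byte is an error, not garbage.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// EncryptRecord draws a fresh 256-bit data key, seals the record with it, then wraps that key under masterKey.
func EncryptRecord(masterKey, record []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	ct, errCT := seal(dataKey, record)
	wrapped, errWK := seal(masterKey, dataKey)
	if errCT != nil || errWK != nil {
		return Envelope{}, errors.New("seal failed")
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the data key with the master key, then opens the record.
func DecryptRecord(masterKey []byte, env Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext)
}

// BlastRadiusDemo seals two constructed rows under masterKey, then simulates the leak of row A's
// data key alone. It reports whether that key opens row A (it should) and row B (it should not).
func BlastRadiusDemo(masterKey []byte) (bool, bool, error) {
	rowA := []byte("user_id=1001;iban=CONSTRUCTED-A") // constructed sample data
	rowB := []byte("user_id=1002;iban=CONSTRUCTED-B") // constructed sample data
	envA, errA := EncryptRecord(masterKey, rowA)
	envB, errB := EncryptRecord(masterKey, rowB)
	if errA != nil || errB != nil {
		return false, false, errors.New("encrypt failed")
	}
	leakedKeyA, err := open(masterKey, envA.WrappedKey) // the one compromised row key
	if err != nil {
		return false, false, err
	}
	ptA, errA := open(leakedKeyA, envA.Ciphertext)
	_, errB = open(leakedKeyA, envB.Ciphertext)
	return errA == nil && string(ptA) == string(rowA), errB == nil, nil
}

func main() {
	masterKey := []byte("0123456789abcdef0123456789abcdef") // 32-byte demo key only; a real one stays in KMS/HSM
	fmt.Println(BlastRadiusDemo(masterKey))
}
```

Run it with `go run`; BlastRadiusDemo returns (true, false, nil): a leaked row key opens only its own row, which is the blast-radius argument from the earlier section. Writing the envelope to an S3 object (the wrapped key alongside the ciphertext) is essentially what the client-side option describes; with the server-side option, AWS performs the same wrapping on its side under a KMS key.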
AWS CloudHSM
With this service, you rent a dedicated hardware device which you use to manage your keys and encryption process. AWS manages the hardware device, but does not have access to your keys. You create, store, and distribute your keys in a way that can meet security and compliance norms.
The AWS CloudHSM service allows you to protect your encryption keys within HSMs (Hardware Security Modules) designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you. AWS CloudHSM helps you comply with strict key management requirements without sacrificing application performance.
Why choose AWS for encryption?
So, why should you choose AWS over a physical server in your data center? Let’s look at a few reasons:
Flexibility
With client-side, server-side, and CloudHSM methods, AWS has thought through every use case for data encryption. Every company is different in how much they trust third-party services and cloud computing, but wherever you fall along the spectrum, AWS has a solution for you. This variety shows that AWS is serious about security.
They have an enormous team of crack cryptographers
This is one of the biggest reasons to go with AWS for your security needs. Building a security team is a concentrated effort that spans years, costs millions of dollars, and that is still liable to fail in the face of an attack. By relying on the leading cloud platform, you can leverage the talent of some of the top cryptographers in the world as they devise solutions to security threats that organisations just like yours face on a daily basis.
Whether it’s preventing DDoS attacks, spotting suspicious user behaviour, or finding vulnerabilities at various points across the system, AWS’ engineers would be ahead of any security team another organisation can put together, and the best part is that you can buy these expert services for a fraction of what it would cost to hire that talent yourself.
Third-party service providers
Finally, AWS has made it frictionless to make the move to its platform by partnering with many third-party security consulting companies like TrendMicro, SafeNet, and VorMetric. It’s likely that your existing security vendor can help you migrate to AWS, and you can continue using their services.
AWS is the safest place for your data
AWS has made it a no-brainer to use its cloud platform for data encryption and security.
It offers flexible methods to suit every need. With constant innovation, and the best cryptography team in the industry, you can mitigate the risk of trial and error on your part, and confidently leverage AWS’ security solutions.
And that’s why companies such as Netflix, Time Inc. and The Guardian have gone “all-in” with AWS, managing nothing on-premises.
There’s simply no way any company can achieve the same return on its security investment that AWS can, and does. AWS has as much interest as you, if not more, in the robustness of its infrastructure and the invulnerability of its data centres. Even for your most confidential data.
In an enterprise undergoing digital transformation, change is introduced at ever greater speed and scale. This requires new ways of managing security and compliance.
Join our AWS practice lead, Brendan Foxen, as he talks through 6 classic ways to manage security at speed and scale in the enterprise.