Cryptography

In today’s digital world, even with the utmost efforts to safeguard data, there remains a risk of losing control, especially when data is transmitted over the internet. To mitigate this risk, one effective method is encryption. By encrypting data, it becomes incomprehensible and unusable to unauthorized parties who lack the means to decrypt it.

Note

Cryptography is a comprehensive and well-covered subject in numerous cybersecurity books. To maintain a focus on the topics of cloud security, this book will only address its crucial and pertinent aspects in the context of cloud environments.

Cryptography is the science and practice of securing information by converting it into a secret code, making it unreadable and unusable to unauthorized parties. It plays a crucial role in ensuring data confidentiality, integrity, authentication, and non-repudiation, making it a fundamental tool for protecting sensitive information and communication in various digital systems, including computer networks, cloud computing, and online transactions.

Encryption

Encryption is a specific process within the field of cryptography. It is the technique of converting plaintext data into ciphertext using cryptographic algorithms and keys. The purpose of encryption is to protect data during transmission or storage by making it unreadable and unintelligible to unauthorized individuals or entities.

Encryption is pure mathematics. There is a defined complex method/formula to encrypt messages and decrypt those messages; you should have the same method or formula to decrypt them. Over time, encryption has achieved complexity due to attackers continuing to find ways to decrypt messages.

There are two different types of encryption: symmetric and asymmetric.

In symmetric encryption, the same secret key is used for both encrypting and decrypting data. This means that both the sender and the receiver need to possess the same secret key to securely communicate and exchange information:

Figure 1.9 – Symmetric encryption (https://binarycoders.files.wordpress.com/2020/07/01_symetric_encryption.png?w=1024)

Asymmetric encryption, also known as public-key encryption, is a cryptographic technique that uses a pair of keys (public key and private key) for secure communication and data exchange. The public key is used for encryption, while the private key is used for decryption:

Figure 1.10 – Asymmetric encryption (http://www.giuseppeurso.eu/wp-content/uploads/2014/11/giuseppe-urso-asymmetric-key-encryption-in-java-03.png)

Let’s look at how asymmetric encryption works:

• Key generation: A user generates a key pair consisting of a public key and a corresponding private key. The public key is made openly available, while the private key is kept secret.
• Encryption: If someone wants to send a confidential message to the key pair owner, they use the recipient’s public key to encrypt the message.
• Decryption: Only the recipient who possesses the corresponding private key can decrypt the encrypted message that was sent to them using their public key.

The security of asymmetric encryption relies on the mathematical properties that make it computationally infeasible to derive the private key from the public key. As a result, the public key can be freely shared with others for encryption purposes, while the private key remains securely held by its owner for decryption. This makes asymmetric encryption a fundamental component of secure communication, digital signatures, and authentication in various applications, such as secure web browsing (HTTPS), email encryption, and digital certificates. Now that you understand the different types of encryption, let us understand another important concept: encrypting data in different stages.

Encrypting data in different stages

Data can be classified into different stages based on its level of activity or usage. The three main stages of data are data at rest, data in transit, and data in use. Encryption is a crucial technique that’s used to protect data in these states:

• Data at rest: Data at rest refers to data that is stored on storage devices, such as hard drives, databases, or cloud servers, when it is not actively in use or being transmitted. Encryption at rest ensures that even if someone gains physical or unauthorized access to the storage medium, they won’t be able to read or understand the data without the appropriate decryption key. For example, when you store sensitive files on your computer’s hard drive, encrypting the files will protect them from unauthorized access if your device is lost or stolen.
• Data in transit: Data in transit refers to data that is being transmitted over networks between different devices or systems. Encryption in transit ensures that data is secured while it is moving from one location to another, preventing interception or eavesdropping by unauthorized parties. Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols are commonly used for encrypting data during its transmission over the internet. For example, when you access a website using HTTPS, the data that’s exchanged between your browser and the website’s server is encrypted in transit.
• Data in use: Data in use refers to data that is actively being processed or accessed by an application or user. Encryption at this stage involves protecting the data while it is being used to prevent unauthorized access or disclosure. This can be achieved using techniques such as memory encryption or secure enclaves. For example, when you open a password-protected document, the data in the document is decrypted in memory for you to view and edit it. When you close the document or log out, the data is encrypted back in memory to protect it from potential unauthorized access.

Now that we have briefly covered encryption, let’s understand the importance of encryption in the context of a cloud environment.

Importance of encryption for a multi-cloud hybrid environment

The importance of encryption in securing the cloud cannot be overstated. Encryption plays a vital role in ensuring the confidentiality, integrity, and privacy of sensitive data and communication within cloud environments. Here’s why encryption is essential for cloud security:

• Data confidentiality: Encryption ensures that sensitive data stored in the cloud remains unreadable to unauthorized parties. Even if a security breach occurs, encrypted data appears as ciphertext, protecting it from exposure and misuse.
• Secure communication: When data is transmitted between cloud services and users, encryption guarantees secure communication. It prevents interception and eavesdropping, ensuring that sensitive information remains private during transit.
• Data integrity: Cryptographic techniques, such as digital signatures and hash functions, verify data integrity in the cloud. This prevents unauthorized modification or data tampering, maintaining its accuracy and reliability.
• Access control: Encryption enables robust access control in the cloud. By encrypting data and managing cryptographic keys effectively, cloud providers can enforce access restrictions, ensuring that data is accessible only to authorized personnel.
• Regulatory compliance: Many industries are subject to data protection regulations that require the use of strong cryptographic measures. By employing encryption, cloud providers can comply with these regulations and safeguard sensitive data.
• User authentication: Cryptographic mechanisms such as digital certificates and public key infrastructure (PKI) facilitate secure user authentication in the cloud. This ensures that users and services are legitimate and authorized to access cloud resources.
• Key management: Cloud environments involve managing a vast number of cryptographic keys for different purposes. Proper key management is essential for maintaining the security of encrypted data and protecting against unauthorized access.
• Multi-tenancy security: In a cloud environment, multiple users and organizations share the same infrastructure. Cryptography helps ensure that data from different tenants remains isolated and inaccessible to others, even if they share the same physical resources.
• Data residency and sovereignty: Encryption helps maintain data residency and sovereignty. Data can be encrypted in such a way that it remains unreadable to unauthorized entities, even if it’s stored in different jurisdictions or countries.
• Data sharing and collaboration: With encryption, cloud users can securely share and collaborate on sensitive data with other authorized users or organizations without the risk of exposing the data to unauthorized parties.

Overall, encryption provides a critical layer of protection for cloud data and services.

Now, let’s understand how encryption is achieved in cloud environments.

Encryption in cloud environments

In cloud environments, responsibility for encryption is typically shared between the cloud service provider and the customer. The cloud service provider is responsible for providing the underlying infrastructure and tools to enable encryption, while the customer is responsible for implementing encryption practices for their data and managing access to the encryption keys.

Encryption in a cloud environment can be achieved through a multi-step process that involves various responsibilities and tools. A cloud customer must understand these points. Let’s break down the process:

1. Data classification and encryption strategy: The customer is responsible for classifying their data based on sensitivity and compliance requirements. They need to determine what data needs to be encrypted and what encryption algorithms to use. No specific tool is involved in this step. It’s more of a policy and decision-making process.
2. Data encryption: The customer is responsible for encrypting their data before sending it to the cloud or storing it in the cloud service. Various encryption libraries and tools are available for data encryption, such as OpenSSL and HashiCorp Vault, as well as cloud provider-specific encryption via a software development kit (SDK).
3. Key generation and management: The cloud service provider is responsible for providing a Key Management Service (KMS) that allows customers to create and manage encryption keys securely. Cloud service providers offer their own KMSs, including AWS KMS, Azure Key Vault, and Google Cloud KMS.
4. Customer Master Key (CMK) creation and protection: The customer is responsible for creating and managing their CMKs within the cloud provider’s KMS. CMKs are used to protect and control access to data encryption keys. The KMS provided by the cloud service provider is used to create and manage CMKs.
5. Data upload and storage: The cloud service provider is responsible for securely receiving and storing encrypted data. No specific tool is involved here. The cloud provider’s storage infrastructure handles the encrypted data.
6. Data retrieval and decryption: The customer is responsible for retrieving the encrypted data from the cloud and decrypting it using the appropriate Data Encryption Key (DEK), which is decrypted using the CMK. The decryption process is performed using encryption libraries or tools, along with the cloud provider’s KMS to retrieve and use the necessary keys.
7. Key rotation and life cycle management: The customer is responsible for regularly rotating encryption keys and managing their life cycle to minimize the risk of unauthorized access. The cloud provider’s KMS offers APIs and tools to facilitate key rotation and life cycle management.
8. Monitoring and auditing: Both the cloud service provider and the customer share the responsibility of monitoring and auditing encryption-related activities to detect and respond to security incidents or unauthorized access. CSPM tools provide the visibility of risk associated with keys.

In summary, encryption in the cloud involves collaboration between the cloud service provider and the customer. The customer is responsible for data classification, encryption, key management, and data decryption, while the cloud provider is responsible for providing a secure KMS and ensuring the secure storage and retrieval of encrypted data. Various encryption libraries, KMSs, and CSPM tools play crucial roles in achieving a robust encryption process in the cloud environment.

Now that you have a fundamental understanding of encryption and its relevance in cloud environments, let us understand another important topic: the Cloud Adoption Framework (CAF). This is one of the most important topics for organizations planning to adopt the cloud for their infrastructure.