Data Encryption
Cloud Infrastructure Security Series #4. 🛅 Data Encryption
In the original post we defined steps to implement a bullet-proof Cloud Infrastructure Security Posture. Now it’s time to dive into the topic of 🛅 Data Encryption.
❓ How would you approach the implementation of the following?
– Create and Manage a Set of Encryption Keys;
– Encrypt Data at All Levels (Storage, Databases) – “At-Rest encryption”;
– Encrypt Data Transmission with SSL/TLS Certificates – “In-Transit encryption”.
💪 Here is how, in just 6 (simple? well…maybe not, but still not bad!) steps:
1. Open the Encryption Key Management Service administrative console on your Cloud Provider (such as KMS in AWS, Cloud KMS in GCP, Key Vault in MS Azure), and create dedicated encryption keys for:
– cloud storage encryption (general)
– cloud storage encryption (sensitive data)
– database encryption (one per DB)
– log records encryption (it would be a good idea to create separate keys for different log groups based on data sensitivity)
– data backups
2. Create IAM policies to allow authorized services (cloud storage, database, backup) and principals (users, hosts, applications) to access their respective encryption Keys, so they can Encrypt and Decrypt the data. Follow principle of Least Privilege, and avoid granting Decrypt permission where the principal only needs the Encrypt permission, and vice versa.
3. Reconfigure Cloud Storage, Databases, Disk Volumes, Backup Service, Logging services to apply data encryption. For databases and disk volumes, all data will be re-encrypted; for Cloud Storage and Logging service chances are that only the newly ingested data will be encrypted. It is still WAY better than no encryption, though!
4. Configure periodic rotation of Key Material in your Encryption Keys. This adds some costs, but also leads to better security of your data.
5. Make sure to grant administrative Key Management permissions to the small group of trusted individuals in your organization. Perform periodic review of their access permissions to always be sure that Key Management stays in good hands.
6. To protect data transmission:
– if other protocols than HTTP are used to transfer data in the organization, set up a 2-tier PKI infrastructure, or use a managed service provided by your CSP, to ensure the proper management of the security certificates;
– issue separate TLS certificate per endpoint
– acquire trusted SSL certificates for all HTTP (web) endpoints
– apply SSL / TLS certificates to all load balancers, and all web, and network endpoints. Leave No endpoint unattended.
Sleep well.
See anything missing?