Uncategorized

Cloud Data Storage – Encryption

KushagraMahajan cloud, Uncategorized , , , , ,

In the previous blog, I discussed three types of cloud data security threats i.e. Network Transmission Security, Data Storage Security, Data Management Security.

What is cryptography and the process of encryption and decryption?

With the increased use of internet resulted in the increased data sharing, with this increased the number of data thefts. To overcome the problem of data theft and security, the plain text must be converted to a secret text to secure it against the data thieves. Now cryptography is the “study of secret” and comprises of the encryption and decryption process. During the process of encryption, the secure key is used to convert the plain text to the cryptic text which renders the cipher text meaningless for those who do not have the secret key. Moreover, the process of decryption is converting the cipher text to the plain text with the help of that secret key. For this blog, I will not go into further details as to how the process of encryption and decryption takes place.

There are various factors that comes into play while making the decision to use cloud storage solutions. Cloud encryption is one of the most promising defense for data storage security. Many cloud providers use Advanced Encryption Standards (AES) using a key of 256 bits for encrypting data in storage. Encryption is available in two main security configurations – Client-side and Server-side. In this blog, I will focus on the data storage security aspect using cloud data encryption.

  1. Client-side data encryption
  2. Server-side data encryption

Before going into further details, I would like to share a small story that I read in a blog few days ago.

“Yed pyb k gkvu yxo nki, k gywkx mkwo kmbycc k myxcdbemdsyx csdo kxn ckg drboo wox gybusxq. Cro kcuon dro psbcd wkx, “Grkd kbo iye nysxq?” Kxxyion li dro aeocdsyx, dro psbcd wkx lkbuon, “Mkx’d iye coo drkd S’w vkisxq lbsmuc?” Xyd ckdscpson gsdr dro kxcgob, cro kcuon dro comyxn wkx grkd ro gkc nysxq. Dro comyxn wkx kxcgobon, “S’w lesvnsxq k lbsmu gkvv.” Drox, debxsxq rsc kddoxdsyx dy dro psbcd wkx, ro cksn, “Roi, iye tecd zkccon dro oxn yp dro gkvv. Iye xoon dy dkuo ypp drkd vkcd lbsmu.” Kqksx xyd ckdscpson gsdr dro kxcgob, cro kcuon dro drsbn wkx grkd ro gkc nysxq. Kxn dro wkx cksn dy rob grsvo vyyusxq ez sx dro cui, “S kw lesvnsxq dro lsqqocd mkdronbkv drsc gybvn rkc ofob uxygx.” Grsvo ro gkc cdkxnsxq drobo kxn vyyusxq ez sx dro cui dro ydrob dgy wox cdkbdon kbqesxq klyed dro obbkxd lbsmu. Dro wkx debxon dy dro psbcd dgy wox kxn cksn, “Roi qeic, nyx’d gybbi klyed drkd lbsmu. Sd’c kx sxcsno gkvv, sd gsvv qod zvkcdobon yfob kxn xy yxo gsvv ofob coo drkd lbsmu. Tecd wyfo yx dy kxydrob vkiob.” Dro wybkv yp dro cdybi sc drkd grox iye uxyg dro gryvo cicdow kxn exnobcdkxn ryg nsppoboxd zsomoc psd dyqodrob (lbsmuc, gkvvc, mkdronbkv), iye mkx snoxdspi kxn psh zbylvowc pkcdob (obbkxd lbsmu).”

Didn’t understand any of it right? Good because that’s what I wanted. Here, I used the oldest and most basic encryption algorithm i.e. Caesar Cipher which shifts the character values as per the key specified. In my case, I am using Key value as 10. Well, why don’t you try to decrypt the encrypted text with the key as 16 – Use key value 16 to decrypt the key. Click here to open the Caesar Cipher decryption tool. You will get something like this given below, the story that I wanted to share.

“Out for a walk one day, a woman came across a construction site and saw three men working. She asked the first man, “What are you doing?” Annoyed by the question, the first man barked, “Can’t you see that I’m laying bricks?” Not satisfied with the answer, she asked the second man what he was doing. The second man answered, “I’m building a brick wall.” Then, turning his attention to the first man, he said, “Hey, you just passed the end of the wall. You need to take off that last brick.” Again not satisfied with the answer, she asked the third man what he was doing. And the man said to her while looking up in the sky, “I am building the biggest cathedral this world has ever known.” While he was standing there and looking up at the sky, the other two men started arguing about the errant brick. The man turned to the first two men and said, “Hey guys, don’t worry about that brick. It’s an inside wall; it will get plastered over, and no one will ever see that brick. Just move on to another layer.”

The moral of the story is that when you know the whole system and understand how different pieces fit together (bricks, walls, cathedral), you can identify and fix problems faster (errant brick).”

The reason I shared this story is because we need to have a whole picture in mind as to what we are doing. We must know what are the strength and weaknesses of it. This would help in understanding the problem statement and fix problems to a better extent. As I will be using client-side encryption, but before further exploring client-side encryption I will discuss both the encryption models that can be used for data storage security in the cloud.

Server-side encryption

In this security configuration approach, the Cloud Storage Provider (CSP) manages both the data and encryption keys. The complexity is abstracted from the cloud user and still isolates the data. However, this approach has certain risks associated with it. Although, in this configuration data is safe from the malicious user or thieves, but the same cannot be said for the cloud service provider, who can snoop around and access data?

Client-side encryption

Here, client or the cloud user is responsible for the encryption of its data and management of keys. Many professionals recommend this approach over the server-side encryption because this model resolves the problem of data privacy and confidentiality. Cloud user knows that the CSP won’t be able to access its data without the encryption keys, and it’s the responsibility of the cloud user to maintain the privately held keys as if the keys are destroyed user won’t be able to access or retrieve the data.

The user must know as to what kind of data needs to be encrypted. Ideally, it should be the critical or sensitive data, and not all data must be encrypted.

In the next blog, I will discuss server-side and client-side encryption configuration for Amazon Public cloud model in more detail.

References

  1. Kelvin 2013. Data Stored in the Clouds: Is Server-side Encryption Enough? Symantec Official Blog. January 09, 2013. Available from: http://www.symantec.com/connect/blogs/data-stored-clouds-server-side-encryption-enough
  2. Tamimi, A.K.A. Performance analysis of Data Encryption Algorithms. Available from: http://www.cs.wustl.edu/~jain/cse567-06/ftp/encryption_perf/
  3. Spivak, R. 2015. Let’s build a web server. Part 1. March 09, 2015. Available from: https://ruslanspivak.com/lsbaws-part1/