Thanks for the cloud security control, encryption!

To say the cloud is commonplace in IT would be a gross understatement. Cloud-enabled services have permeated every aspect of the industry—from music streaming to live backups. But securing the cloud has been a challenge up to this point, one that many businesses leave to the cloud service provider to take care of.

Sure, you can say, “Amazon should take care of security for me.” And, sure, a company like Amazon will take a certain degree of precautions when it comes to securing the cloud infrastructure it maintains—they’ve got a reputation to maintain and more cloud services to sell. You can be confident that for Amazon or any standard cloud service provider, the servers your systems run on will be in locked rooms with limited physical access. Fortunately, the law requires they do so if they want to be allowed to legally store sensitive data, like financial or medical information.

Are you safe in the cloud?

We’re willing to bet that a rudimentary level of digital security is in place for your average CSP. A basic firewall and a modern password-protected login system to gain access to the dashboard are pretty safe expectations. The bad news is that your CSP has limited responsibility past that, since you’re free to do what you please with the equipment. Ensuring a basic level of security that complies with the laws and regulations of their home country means they can serve a larger share of the market.

When a business is storing mission-critical backups and data online, securing the cloud becomes a high priority. Loading up workloads, installing software, or granting access to an entire business’s worth of users opens up your cloud to new attacks that IT will have to defend. If you’re groaning and thinking this is a difficult task, you’re not wrong. There are so many elements of the equation that IT just can’t control, like a breach into the CSP’s system.

Apple’s iCloud is a great example of this. Recently, a breach through the iCloud API allowed hackers to make unlimited attempts on victims’ passwords, which resulted in the infamous leak of hundreds of private celebrity photos. Amazon isn’t safe from hacks either, fighting an ongoing battle to reduce the number of attack surfaces every day. Attacks against Amazon can knock out not only your business, but entire chunks of the internet for their duration. In severe cases, it could wipe out your company entirely.

Securing the cloud with encryption

So what is an administrator to do against such a threat? Singapore’s Agency for Science, Technology and Research (A*STAR) has developed a way to control access to cloud data through encryption.

“Cloud storage services make data storage and sharing more efficient and cost-effective, but their use requires trust in the cloud’s security,” explains Jianying Zhou. “We wanted to find a way to ease the security concerns by creating a system that does not require the data owner to trust the cloud service or assume perfect protection against hacking.”

Their solution allows access to an individual file hosted in the cloud that can be issued or revoked in real time, eliminating the possibility that the files can be accessed offline. “The file owner, Alice, generates the proxy keys, which define who can decrypt the file [for example, Bob] and gives them to the cloud server,” explained Zhou. “When Bob wants to access the encrypted file in the cloud, the cloud server needs to first decrypt the file for Bob using the proxy key as well as the cloud server’s private key. This results in an intermediate decryption that the cloud server passes to Bob. He then uses his private key to decrypt the file to get the plaintext file. If Alice wants to revoke Bob’s access, she simply informs the cloud server to remove his proxy key.”
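The flow Zhou describes (owner-issued proxy key, a partial decryption by the cloud with its own private key, a final decryption by Bob with his own key, and revocation by deleting the proxy key) can be sketched with a small ElGamal-style construction. The code below is an added, constructed illustration; it is not the A*STAR scheme and not production cryptography. It assumes a toy group (the Mersenne prime 2^127 - 1 with generator 3), and its "proxy key" is the file key encrypted to the combined cloud-plus-Bob public key rather than a true proxy re-encryption key. Encrypting the file body itself under `file_key` with an AEAD is left out.

```python
"""Toy server-mediated decryption with revocation (constructed example).

Alice wraps a file key so that recovering it needs BOTH the cloud server's
private key and Bob's private key.  The cloud holds the wrapped key (the
"proxy key"), strips its own share on request, and hands Bob an intermediate
value that only his private key can finish.  Deleting the proxy key revokes
future access.  Not the A*STAR scheme; group size is a toy, not secure.
"""
import secrets

P = 2**127 - 1   # prime modulus (assumption: toy size, readable, NOT for real use)
G = 3            # generator (assumption: fine for a toy, untested for security)


def keygen():
    """Return an (private, public) ElGamal-style key pair in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def bytes_to_elem(b: bytes) -> int:
    """Encode a short byte string as a group element (must be < P, no leading NUL)."""
    m = int.from_bytes(b, "big")
    if not 0 < m < P or b[:1] == b"\x00":
        raise ValueError("file key must encode to a nonzero element below P")
    return m


def elem_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def make_proxy_key(file_key: bytes, cloud_pub: int, bob_pub: int):
    """Alice (owner) builds Bob's proxy key: the file key wrapped under g^(c+b)."""
    m = bytes_to_elem(file_key)
    r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P)                       # g^r
    joint_pub = (cloud_pub * bob_pub) % P   # g^c * g^b = g^(c+b)
    c2 = (m * pow(joint_pub, r, P)) % P     # m * g^((c+b) r)
    return (c1, c2)


class CloudServer:
    """Holds proxy keys and performs the first decryption step on request."""

    def __init__(self):
        self.priv, self.pub = keygen()
        self.proxy_keys = {}   # (file_id, user) -> proxy key issued by the owner

    def install_proxy_key(self, file_id, user, proxy_key):
        self.proxy_keys[(file_id, user)] = proxy_key

    def revoke(self, file_id, user):
        # Alice "simply informs the cloud server to remove his proxy key".
        self.proxy_keys.pop((file_id, user), None)

    def partial_decrypt(self, file_id, user):
        pk = self.proxy_keys.get((file_id, user))
        if pk is None:
            raise PermissionError(f"{user} has no proxy key for {file_id}")
        c1, c2 = pk
        # Strip the cloud's share: c2 / c1^c = m * g^(b r).  Without b the
        # cloud still cannot recover m, so the owner need not trust the cloud.
        cloud_share = pow(c1, self.priv, P)
        intermediate = (c2 * pow(cloud_share, -1, P)) % P
        return (c1, intermediate)


def finish_decrypt(intermediate, bob_priv: int) -> bytes:
    """Bob removes his share: (m * g^(b r)) / (g^r)^b = m."""
    c1, c2 = intermediate
    bob_share = pow(c1, bob_priv, P)
    return elem_to_bytes((c2 * pow(bob_share, -1, P)) % P)


def run_scenario(file_key: bytes = b"file-key-012345"):
    """Grant, use, then revoke Bob's access; return what each party ended up with."""
    cloud = CloudServer()
    bob_priv, bob_pub = keygen()
    eve_priv, _ = keygen()                       # some other user's key

    proxy_key = make_proxy_key(file_key, cloud.pub, bob_pub)
    cloud.install_proxy_key("report.pdf", "bob", proxy_key)

    step1 = cloud.partial_decrypt("report.pdf", "bob")
    recovered_by_bob = finish_decrypt(step1, bob_priv)
    recovered_by_eve = finish_decrypt(step1, eve_priv)   # wrong key -> garbage

    cloud.revoke("report.pdf", "bob")
    try:
        cloud.partial_decrypt("report.pdf", "bob")
        revoked = False
    except PermissionError:
        revoked = True

    return {
        "bob_gets_key": recovered_by_bob == file_key,
        "cloud_alone_sees_key": step1[1] == bytes_to_elem(file_key),
        "eve_gets_key": recovered_by_eve == file_key,
        "access_after_revoke": not revoked,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from the scenario: the stored ciphertext is useless to Bob on its own, so access is decided at request time and revocation is immediate. What revocation cannot do is claw back a plaintext Bob has already received, and cloud and Bob together could of course reconstruct the key, so the scheme removes the need to trust the cloud alone, not the need to choose recipients carefully.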

This way, the owner of the data retains control of their cloud-based infrastructure—the true dream for IT decision makers (ITDMs). The decryption process is lightweight and can be done with any average smartphone or laptop, provided you’ve been given the key and are authorized to access the service.

IT can secure the cloud without really securing “the cloud.” With this process, they ensure their sensitive data within the cloud is secure. The infrastructure itself may be vulnerable to attack, but you’ve cut the potential damage done in half.