This calls for a change – from protecting infrastructure to protecting the information itself.
Traditional protection methods – firewalls, endpoint protection, and different flavours of intrusion prevention systems – have relied on explicit knowledge of the infrastructure topology in order to detect and block malicious behaviour. This approach is rapidly becoming obsolete with the advent of ephemeral infrastructure, where servers, storage pools and even networks come and go at sub-minute timescales. Today, any reliance on static, infrastructure-level protection is largely hit-and-miss.
All is not lost, however. By turning our attention to the information itself, we can shift our focus back to what matters. In many ways, the currently popular so-called zero-trust architectures are a good match for protecting dynamic public cloud environments. As put into practice by, for example, Google in its BeyondCorp and, more recently, BeyondProd concepts, access control with no reliance on a trusted network is a step in the right direction. Such approaches, however, require wholesale commitment and investment from the entire organization – something not easily attainable in real life.
For most organizations, a more grounded approach may well be to start from the other end. One such approach is transparent encryption. Essentially, this means that the information residing in public clouds is encrypted, with decryption keys allocated based on existing IAM roles. Transparent encryption differs from e.g. full disk encryption in that the file metadata remains visible to admins, allowing them to perform activities as before, while the file contents are readable only with the correct set of keys.
This, as some readers probably have already noticed, moves the problem from protecting data access to protecting access to the keys.
There are essentially three different types of encryption schemes available for public clouds:
Whichever encryption model is chosen, it provides reasonable assurance that only authorized users, whether human or machine, can access the protected information. For public cloud environments, the use of a proper encryption regime can also be enforced automatically through policies across all deployed assets.
As computing and storage assets and even entire infrastructures become more dynamic, with lifetimes ranging from milliseconds to hours, information protection must move closer to the information itself. A well-designed encryption regime offers several benefits over traditional infrastructure-based controls. It also provides a perfect stepping stone towards zero-trust architectures, should that be the future direction of your organization.
Rasa is a Senior Product Manager at Security Services. He has worked with various security, encryption and key management technologies for two decades and has extensive experience in protecting critical digital assets. He has previously held security-related positions in companies such as SSH Communications Security, SafeNet, AuthenTec, and INSIDE Secure.