'
STACKING UP OPEN CLOUDS | A ZDNet Multiplexer Blog What's this?

Protecting sensitive data in the cloud

Data breaches often have high remediation costs, and can cause significant damage to business reputation. With such high stakes, how can enterprises mitigate risk and keep data safe within the cloud?

While cloud adoption leads to lower infrastructure costs and greater operational efficiencies, these benefits come with inherent risks. An increasing amount of confidential corporate and client information is being stored in the cloud, and in light of recent high-profile data breaches at JPMorgan Chase , Adobe , and Target , protecting sensitive data from theft or loss should be a top priority. Such breaches often have high remediation costs, and can cause significant damage to the business' reputation. With such high stakes, how can enterprises mitigate risk and keep data safe within the cloud?

Encryption is an effective, well-established method for securing and transporting confidential data. Widely regarded as best practice, it is important to encrypt any sensitive data stored outside of an enterprise's physical environment, such as in a public or off-premises private cloud. Certain industries even require organisations to comply with specific privacy and security regulations that mandate data encryption in some circumstances.

However, intensive processing power required to encrypt and decrypt data can impact performance. Business expectations around availability and timely access to resources often force security compromises, leaving sensitive data vulnerable to attack. Intel has developed a number of hardware- and software-based solutions aimed at reducing performance bottlenecks and improving data security.

Intel AES-NI technology found in Intel Xeon processors accelerates cryptographic computation necessary for data encryption by implementing certain parts of the algorithm in hardware. Benchmarks have demonstrated that this technology offers up to tenfold increases in performance over traditional, software-only encryption mechanisms. Eliminating the need for certain software lookup tables, AES-NI also offers improved security by lowering the risk from side-channel attacks.

Also noteworthy is Intel's contributions to the open-source security suite, OpenSSL. This software provides an open-source implementation of secure transport protocols, facilitating encrypted communication channels between devices in the cloud. Software optimisations such as RSAX allow secure sessions to be initiated faster, thereby boosting the number of simultaneous connections the server can handle.

Function Stitching interleaves instructions from authentication and encryption algorithms necessary to construct secure communication channels, and allows both operations to execute simultaneously. This technique offers superior server resource utilisation, and, combined with RSAX and Intel AES-NI, can result in nearly five-fold performance improvement for secure web servers. OpenSSL is a fundamental component of Linux, so by choosing a distribution such as Red Hat Enterprise Linux, your business will be able to take advantage of Intel's enhancements.

To maintain the security and safety of electronic data in the cloud, it is important to encrypt sensitive information at every stage of its life cycle: In motion, in process, and at rest. Secure transport protocols such as TLS and SSH (SSL is no longer considered secure ) prevent the malicious interception of data (known as man-in-the-middle attacks) when moving data between client and cloud environments over unsecured networks such as the internet. Virtual Private Network (VPN) tunnels between corporate and cloud networks using IPSec protocol ensure seamless encrypted connectivity, allowing data to move securely into and out of the cloud.

Data in process refers to any data that needs to be actively accessed by an application on a server. Sensitive information such as passwords, credit cards, and social security numbers should be stored in encrypted fields within a database. At some point, this confidential data must be decrypted and processed by the application, resulting in unencrypted data being stored in server memory. In virtualised multi-tenant cloud environments, where your compute instances share the same physical hardware with other customers, virtual machine isolation and Trusted Execution Technology (Intel TXT) provided by Intel VT-enabled Xeon processors ensure that this sensitive data is protected from eavesdropping by third parties.

Finally, files stored on cloud servers or archived to cloud storage services containing sensitive corporate or personal data must be encrypted when not in use. Red Hat Enterprise Linux 7 supports full disk encryption using LUKS in additional to file-based encryption technology provided by GPG.

Safeguarding critical data as it moves through the cloud should be one of the highest priorities of every IT department. Encryption plays a fundamental role in protecting sensitive internal or customer data from theft. Employing industry-standard cryptographic software such as OpenSSL to take advantage of security-optimised, high-performance Intel hardware will ensure that your infrastructure is capable of supporting best-practice encryption techniques, keeping data safe.