Data security is one of the key features of new data protection laws, such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). To help drive compliance, you should consider a range of appropriate technical and organizational measures to help protect against breaches of privacy.
Many entities start with encryption of data, both at rest and in transit, as it is a well-known security measure that can be highly effective and relatively straightforward to implement.
However, data is becoming more distributed than ever before—across different types of storage services in complex multi-cloud deployments—making data governance more complicated than ever. It's essential you understand where that data is located and the storage encryption options available to protect it, especially when it comes to personal data.
This post gives an overview of the cloud storage encryption options available for block-level volumes and object storage services of the three leading public cloud platforms—Amazon Web Services, Microsoft Azure, and Google Cloud Platform. It also runs through some of the tools they offer to help you track down unprotected sensitive data in your cloud deployments.
Amazon Web Services
Amazon EBS Encryption and Security
Amazon EBS, the persistent attached storage option for EC2 instances, supports encryption to the industry-standard AES-256 specification across its full range of volume types. EBS performs encryption operations on the servers that host your EC2 instances on AWS. Encryption at rest and in transit is ensured this way for all the data.
Encryption and decryption are handled seamlessly without the need for your own key management infrastructure. Encrypted EBS volumes also enjoy the same level of performance as unencrypted volumes and you access them in just the same way as unencrypted volumes.
So, with no degradation in performance and no additional management overhead, it may make sense to encrypt all EBS volumes from the outset—whether they store personal data or not.
Amazon helps by allowing you to configure your account to encrypt all new volumes and snapshots you create. However, it doesn't provide a quick and simple method of encrypting an existing unencrypted volume.
Moreover, not all instance types support EBS storage encryption. If encryption is a key component to your privacy compliance program, it may be important to prioritize your EBS storage encryption strategy by establishing which volumes store personal data and encrypting them first.
You can encrypt data on Amazon's web-based object storage service by either of the following two methods:
- Client-Side Encryption: Where you encrypt data on your own server before saving it to an S3 bucket. One of the benefits of this method is that your data is encrypted when it’s in transit, even if it is transited over an insecure network.
Client-side encryption can also enhance security by keeping your encryption keys in a different physical location from your data. However, you'll be responsible for managing the encryption process and keeping your keys secure, and processing functionality and speed may be impacted.
- Server-Side Encryption: Where Amazon encrypts objects (using AES-256) before storing them to S3 and decrypts them whenever you access them. To ensure your data is protected in transit you should use a website secured by appropriate security protocol, such as SSL/TLS—or you could use server-side encryption in conjunction with client-side encryption.
Whatever method of encryption you choose, Amazon offers different levels of key management autonomy that give you different levels of protection.
Compliance and Security Tools
Amazon Macie is AWS’s in-house data privacy tool, which uses machine learning and pattern matching techniques to identify and classify sensitive data, such as names, addresses and credit card numbers, However, the service can currently only scan data on Amazon S3.
You can monitor the encryption status of EBS volumes and S3 buckets by benchmarking your resources against predefined or custom encryption rules using AWS Config.
Azure Disk Encryption and Security
Now let’s take a look at Azure storage encryption. Azure Disks are block-level storage volumes designed for use with Azure Virtual Machines. They are available in two different service models, Managed Disks and Unmanaged Disks, which are both stored in Azure Blob Storage as Page Blobs.
Azure recommends you use Managed Disks, as they are automatically encrypted with server-side encryption using platform managed keys. Alternatively, you can manage your own keys stored in Azure Key Vault. As an additional safeguard, Azure prevents you from disabling encryption. Furthermore, all managed snapshots and images are also encrypted.
By contrast, with Unmanaged Disks, you're fully responsible for your own data encryption and any potential misconfiguration that could arise. Managed Disks also support Azure Disk Encryption, which uses OS-based encryption to protect data in transit between your data disks and the in-memory environment of your virtual machines.
Azure Blob storage, which includes block blobs, append blobs and page blobs, is Microsoft Azure's object-based storage solution designed for large amounts of unstructured data.
Azure encryption at rest is performed automatically to the AES-256 specification without any degradation in performance. Decryption and encryption are performed seamlessly on your behalf as your applications read and write data from and to storage.
By default, the vendor uses its own Microsoft-managed keys. But, for organizations that require more control, it's also possible to supply your own customer-managed keys—which, as with Managed Disks, must be stored in Azure Key Vault.
To protect data in transit, Azure generally recommends using SSL/TLS protocols when exchanging data. However, the most appropriate solution depends on your specific needs.
For example, you may consider using VPN Gateway for data transfer over the public internet between your Azure cloud and on-premises data center. Or you may want to use client-side encryption to encrypt your data before storing it to your blobs. That way, it's automatically protected as it travels across your network.
Compliance and Security Tools
Microsoft currently doesn't offer an in-house tool for identifying sensitive data on Azure Disks and other forms of blob storage.
However, Azure Security Center will alert you to virtual machines that aren't encrypted. This can help towards the protection of personal data in transit by showing you where you may need to deploy Azure Disk Encryption.
Google Cloud Platform
Google Cloud Platform automatically solves your encryption headaches for you by encrypting all of your data, at rest and in transit, across its services by default.
This includes both the vendor's block-level storage service Persistent Disk, which is used by Compute Engine, and its object storage service Cloud Storage.
Persistent Disk Encryption and Security
Google Cloud encryption for Persistent disk, like elsewhere on Google Cloud Platform, encrypts data at the storage level using the AES-256 cipher. However, a small number of Persistent Disks, which were created before 2015, use AES-128.
Compute Engine defaults to server-side encryption (SSE) using Google-managed keys to protect your data at rest. You can also use Cloud Key Management Service (KMS) to provide your own encryption keys. However, you can only use your own keys to encrypt new persistent disks.
Google uses each of your keys as a Key Encryption Key (KEK) to protect its own vendor-generated keys, which are still used to encrypt and decrypt your data. This can provide a useful layer of additional protection.
Google Cloud Storage
Cloud Storage adopts much the same approach to protecting your data as Persistent Disk, using Google-managed server-side encryption as the standard hardening behavior.
But, additionally for Cloud Storage, you'll need to use SSL/TLS to protect your data in transit over the Internet during read and write operations.
Alternatively, client-side encryption offers a way to protect your data in transit. But, again, this comes with the added responsibility of managing and securing your own keys.
Cloud Storage has no way of knowing whether you've already encrypted your data or not. So, when it receives your data, it encrypts it a second time before writing it to storage.
Compliance and Security Tools
Cloud Data Loss Prevention (DLP) is Google's flagship data protection and compliance tool that discovers, classifies and deidentifies sensitive data in your Google cloud deployments.
The tool uses machine learning to classify data using more than 120 predefined information types. It can then mask or tokenize sensitive information so you can leverage it in use cases such as big data analytics—with a lower risk of repurposing personal information in violation of privacy requirements.
Cloud DLP natively scans data in Cloud Storage and features a streaming content API that allows you to analyze data from custom workloads and sources.
The leading cloud platforms provide you with the encryption features you need to safeguard the personal data you store in your cloud-based deployments. They also give you access to tools that can aid compliance by discovering sensitive data and alerting you to unencrypted resources.
However, they're not a silver bullet. They are vendor specific. Yet more and more enterprises are adopting a multi-cloud strategy, distributing their data across a range of on-premises and cloud-based environments. This can involve more complex encryption configuration and present challenges to visibility into your data.
Many third-party privacy compliance tools, on the other hand, are able to scan data on a variety of vendor platforms and deliver their findings through a single pane of glass.
As a result, they can make the process of compliance much simpler. So much so that virtually anyone can use them—whether legal, technical or compliance teams. But, above all, they are specifically designed to aid compliance and therefore include a whole host of other features to help you remain on the right side of the law.
With NetApp Cloud Data Sense, you can gain an additional tool to help address your data governance concerns when it comes to managing the private data that you store. Cloud Data Sense maps data throughout your storage environments and uses a context-aware AI to determine and report on which data is personal and should remain private.
To find out more, try a free 1 TB trial of Cloud Data Sense today.