Cloud Data Life Cycle Protection
Three Life-Cycle Phases
When thinking about protecting data in the cloud, there are three states of data that security and privacy professionals need to consider: data in transit, data at rest, and data in use. While the first two are generally well understood and well served by existing controls, the third is consistently overlooked.
The first area, data in transit, is the best known and best understood. The goal of protecting data in motion is to prevent a third party from eavesdropping on, or tampering with, a conversation on the wire. Cryptographic protocols such as Transport Layer Security (TLS), or its deprecated predecessor Secure Sockets Layer (SSL), protect data in motion by establishing an encrypted and authenticated channel. It is worth being precise about what this covers: the application data (the “payload”) is encrypted only while it is inside the channel, and it is handed to the endpoint in the clear. Transport encryption does nothing for the payload once it leaves the channel at the receiving end, whether that end is the cloud application itself or a load balancer or proxy that terminates TLS in front of it.
The next key area, data at rest, is also relatively well understood. Data at rest is data that is stored persistently in some form: as a file, in a database, in a backup or snapshot, etc. The goal of protecting data at rest is to prevent a third party who gains access to the storage medium or the stored objects from reading the data. Encryption at rest achieves this only against parties who do not hold the keys; whoever manages the keys can read the data, which matters when the key holder is the cloud service provider.
Data in use is, effectively, the data that has been loaded into a process and sits in the memory of the running program (and in CPU registers and caches). In general, this data is in the clear while being processed, and it is not protected by techniques such as the provider-managed encryption at rest offered by a cloud service provider or by TLS: both strip their protection at exactly the point where the application starts working on the data.
Why? Keeping data in use in a clear and readable form is required, by design, because the application needs the plaintext to perform value-added functions on the data (creating reports, searching on fields, sorting lists, performing calculations, etc.). Any component that can do those things therefore holds the plaintext, and so does anyone who can read that component's memory.
The Security & Compliance Issue
There is growing concern about securing data in use because attacks that specifically target it keep appearing. The 2014 “Heartbleed” vulnerability in OpenSSL (CVE-2014-0160) is a good example of a data in use attack. A missing bounds check in the TLS heartbeat extension let an unauthenticated remote client request a heartbeat response of up to 64 KB while supplying only a few bytes of payload; the server echoed back whatever happened to be adjacent in its process memory, leaking data in use such as session cookies, usernames, passwords and, in some cases, private keys. No encryption at rest was broken and no TLS session was decrypted: the data was simply read out of memory after the process had already decrypted it. Moreover, if data in use is in the clear, then it is technically feasible for a cloud service provider to “tap” the data in response to a request from a third party, such as law enforcement. This is unfortunately true even if the data is encrypted in motion and at rest using keys owned by the enterprise (not the cloud service provider), because the provider's application must still see the plaintext in memory in order to operate on it.
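The Heartbleed mechanism described above, shown as an added example that is not part of the original page and is not OpenSSL's code: a constructed, simplified model of a TLS heartbeat handler in which the record format (type, 16-bit big-endian payload length, payload, 16 bytes of padding) is kept, the process memory is a static buffer with a constructed secret placed right after the received record, and the names (`heartbeat_vulnerable`, `heartbeat_fixed`, `build_record`, `mem`, `SECRET`) are this example's own. The vulnerable handler trusts the length field inside the record; the fixed handler adds the check that the claimed payload plus padding must fit in the bytes actually received, which is the shape of the upstream fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * Constructed for this example; it is not OpenSSL's code. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HDR       3

/* Constructed "process memory": the received record is followed by other
 * data in use, as it would be in a reused receive buffer. */
static uint8_t mem[4096];
static const char SECRET[] = "session=deadbeef; password=hunter2";   /* constructed sample */

/* Lay out a request with 4 real payload bytes ("ping") and 16 bytes of padding,
 * carrying whatever payload_length the sender chooses to claim. Returns the
 * number of bytes actually received for the record. */
static size_t build_record(uint16_t claimed_len)
{
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + HB_HDR, "ping", 4);            /* the only payload bytes sent */
    /* mem[7..22]: 16 bytes of padding, already zero */
    memcpy(mem + 23, SECRET, sizeof SECRET);   /* adjacent data in use, not part of the record */
    return HB_HDR + 4 + HB_PADDING;            /* 23 bytes on the wire */
}

/* Vulnerable handler: trusts the length field carried inside the record. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    /* Copies `payload` bytes although only rec_len were received: the excess
     * is read from whatever follows the record in memory and sent back. */
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: the claimed payload plus padding must fit in what was received. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the missing bounds check */
    size_t resp_len = HB_HDR + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return resp_len;
}

typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* 1 if a malicious request (claims 500 bytes, sends 4) makes `handler` echo the secret. */
static int response_leaks_secret(hb_handler handler)
{
    uint8_t out[2048];
    size_t rec_len = build_record(500);
    size_t n = handler(mem, rec_len, out, sizeof out);
    size_t slen = strlen(SECRET);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* 1 if an honest request (claims 4 bytes, sends 4) is echoed correctly by `handler`. */
static int echoes_honest_request(hb_handler handler)
{
    uint8_t out[2048];
    size_t rec_len = build_record(4);
    size_t n = handler(mem, rec_len, out, sizeof out);
    return n == rec_len && out[0] == HB_RESPONSE && memcmp(out + HB_HDR, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", response_leaks_secret(heartbeat_vulnerable));
    printf("fixed leaks secret:      %d\n", response_leaks_secret(heartbeat_fixed));
    printf("fixed echoes honest:     %d\n", echoes_honest_request(heartbeat_fixed));
    return 0;
}
```

The point for the life-cycle discussion is that nothing cryptographic is defeated here: the secret sits in the process in the clear because the process needs it that way, and one missing comparison between a length the peer controls and the bytes the peer actually sent is enough to ship it back over the (still perfectly encrypted) TLS channel.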
So what is the solution? The Blue Coat Cloud Data Protection Gateway can be used to protect an enterprise’s cloud data in all three lifecycle phases shown in the figure below, while still preserving the capabilities of the cloud solution.
The Blue Coat platform allows information security professionals to set data protection policies that encrypt or tokenize sensitive data fields, documents and intellectual property before they leave the enterprise's perimeter for cloud applications, so that the cloud provider only ever receives, stores and processes the protected form. Protected data stays secured through all phases of its “cloud life”: while in transit to the cloud, while at rest in the cloud, and while it is being processed in memory in the cloud, because the plaintext and the keys never leave the enterprise. In addition to securing the data, the Blue Coat Cloud Data Protection Gateway ensures that users of cloud applications can still use the application's features, such as searching, sorting and reporting, even on data that has been strongly encrypted or tokenized. The practical trade-off to weigh per field is that any scheme which lets the cloud application search or sort protected values must preserve enough structure (equality or ordering) for those operations, so the protection chosen for a field should match how that field actually needs to be used in the application.