Quick Start Guide to Effective Cloud Encryption
This is our third installment of a series on encryption in the cloud. If you didn’t catch our first two blogs, you can catch up here (Encryption, Meet Cloud. Cloud, Meet Encryption.), and here (Debunking Encryption Myths in the Age of the Cloud).
We know encryption is an essential security tool, but, if overused or misused, it can create a barrier that results in ineffective working practices and disgruntled users. Striking the right balance, so that only pertinent content is targeted for encryption, requires a methodical approach involving both computational and human effort.
Think you’re ready for expert mode? Learn more about CloudLock’s Selective Encryption here. Still hungry for a quick start guide to encryption in the cloud? Read on for a four-phase approach to implementing effective use of encryption.
1. Discover. What does sensitive data look like and where does it reside?
First, determine where content is created and stored. This begins with understanding your users and how they work: What platforms and applications are they using? Where is data being stored?
Gone are the days when all organisational data resided on on-premises servers and only provisioned products were used for content creation. The cloud’s allure is far and wide, encouraging users to store content in a number of locations (Google Drive, Salesforce and Dropbox, to name a few) and to use platform-hosted or third-party-hosted cloud apps for content creation.
Second, identify candidates for file-level encryption. What makes a suitable candidate for encryption varies widely by industry and context. Typically, this includes the organizational secret sauce (intellectual property), customer lists, payment information and personally identifiable information – any content that would cause a problem if exfiltrated, and any material that could contravene regulatory compliance.
Liaise with in-house domain experts to find out what sensitive content specific to the corporation exists and determine if it can be reliably identified. Use a compliance scan to process data stores for any material which violates regulation or internal policy. Consider refining internal policies with input from domain experts.
Discovery of appropriate content is an iterative process – it starts with wide filters that are increasingly tuned to identify true positives with high precision.
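As an added illustration of tuning a wide filter toward high precision (example code written for this guide, not CloudLock’s product or scanner), the Python script below runs a first-pass card-number classifier and a refined one over a constructed sample corpus and compares their precision against labels supplied by domain experts:

```python
import re

# Constructed sample corpus: (owner, file name, contents). The card-like
# numbers are well-known test values or deliberately invalid, not real PANs.
SAMPLE_FILES = [
    ("alice", "q3-invoices.txt", "Paid with card 4111 1111 1111 1111, exp 09/27."),
    ("bob", "inventory.csv", "sku,qty\n4111111111111112,40\n"),  # 16 digits, fails Luhn
    ("carol", "phone-list.txt", "Warehouse desk: 1234 5678 9012 3456"),
    ("dave", "notes.txt", "Nothing sensitive here."),
]
# Labels from the domain experts: which files really hold payment data.
TRUTH = {"q3-invoices.txt"}

# Wide filter: any run of 13-16 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; real card numbers pass, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def wide_filter(text: str) -> list:
    """First-pass classifier: every digit run that merely looks like a card number."""
    return [re.sub(r"[ -]", "", m) for m in PAN_RE.findall(text)]

def tuned_filter(text: str) -> list:
    """Refined classifier: keep only runs that also pass the Luhn check."""
    return [d for d in wide_filter(text) if luhn_ok(d)]

def scan(files, classifier) -> dict:
    """Run a classifier over the corpus; return {file name: owner} for each candidate."""
    return {name: owner for owner, name, text in files if classifier(text)}

def precision(flagged, truth) -> float:
    """Share of flagged files that are true positives (0.0 if nothing was flagged)."""
    return len(set(flagged) & truth) / len(flagged) if flagged else 0.0

if __name__ == "__main__":
    for label, clf in (("wide", wide_filter), ("tuned", tuned_filter)):
        hits = scan(SAMPLE_FILES, clf)
        print(f"{label}: {sorted(hits)} precision={precision(hits, TRUTH):.2f}")
```

The wide filter flags three of the four files (precision 1/3); adding the Luhn check leaves only the invoice file, and the returned owner mapping is what a later notify-and-review step would act on.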
2. Consolidate. Through discovery, you have identified where the sensitive content resides. Now, an assessment needs to be made as to whether these are the best locations for this content.
Location Consolidation. Where appropriate, consolidate the data into a few key repositories so it can be better managed, and promote adoption of those repositories with your users. Analyse how the data is used and take measures to stop or mitigate data sprawl.
Data Control. Ensure there are sufficient security safeguards in place around the identified content and that it is not exposed through unvetted apps. Determine which employees genuinely require access to the data and ensure it is not exposed to people who do not need it. If changes are appropriate, get users on board with any decisions and best practices that are introduced.
3. Select Appropriate Technology. Encryption is suitable for securing the most sensitive files, but for it to be an effective and adopted security measure in practice, the selected technology needs careful consideration. In choosing a solution, consider the following elements:
- User Experience. A good user experience is essential. To the greatest extent possible, the solution needs to be seamless to the end user, permitting them to use the full functionality of the platform they have enjoyed previously – all while providing a high degree of security. If the solution is too invasive or encumbering, users will seek to circumvent it to maintain effectiveness in their role.
- Compatibility. The encryption solution ideally needs to be compatible with all the platforms where sensitive data may reside, and with all devices that may require access to it. Requiring users to understand and use multiple encryption technologies, coupled with limited device support, will lead to confusion and frustration.
- Actionability. The encryption solution needs to be actionable from a DLP scan, since the scan forms the backbone of ensuring security is maintained.
4. Action. Create user-centric policies. The tuned classifiers from the discovery phase, combined with DLP techniques for identifying enterprise-specific sensitive content, should be used to create actionable compliance policies.
Content of a potentially sensitive nature found by the scan should still be treated as a candidate rather than a confirmed finding. The action upon finding a candidate should be to: a) notify the content owner of the potential risk, b) ask them to review the nature of the content, and c) offer encryption as a resolution.
Asking the user to review their content and take an action means they are involved in the outcome and educated in policy. A content owner that logs in one day to find their files have been automagically encrypted will not be a happy employee. User involvement in actions is essential.