As organizations increasingly rely on cloud services to store and process sensitive data, cryptography and data security become evident areas that a security professional needs to be familiar with. It’s true, cloud environments present unique security challenges and risks, so being ready to address them means you need to understand the concepts and the tools available. This article is intended to be a quick explanation of these concepts with some direction on more detailed articles, user guides, and developer guides, that will prepare you to take on the task. Let’s dig in.
Encryption at Rest
Encryption at rest refers to encrypting data when it is stored, as opposed to when it is being transmitted (encryption in transit). There are three main approaches for encryption at rest:
- Server-side encryption: The service storing the data (e.g. Amazon S3) encrypts the data when it is received and decrypts it when requested by an authorized user. This is seamless for developers but allows any role with appropriate permissions to decrypt the data.
- Client-side encryption: The application encrypts the data before sending it to the storage service, so the service never has access to the unencrypted data. This provides more control over who can decrypt the data.
- Client-side in-browser encryption: Sensitive data is encrypted in the user’s browser before being sent to the application, protecting it even if it is accidentally exposed by intermediary services.
Encryption at rest helps protect sensitive data from unauthorized access if it is lost, stolen, or accidentally exposed. It is an important technique for preserving user privacy and preventing disclosure of sensitive business data throughout the data lifecycle, from collection to storage to processing and sharing.
Check out the Protecting data at restsection of the Well architected framework for more details.
Encryption in Transit
Encryption in transit (opposite of encryption at rest) refers to the encryption of data while it is being transmitted over a network from one point to another, typically between a client and a server. The data is encrypted before being sent and decrypted after being received, but it may be stored in plaintext at the source and destination systems
Check out the Protecting data in transitsection of the Well architected framework for more details.
Key Management
Key management is an important aspect of encryption solutions. It involves protecting encryption keys at rest so that the keys can never be used outside the authorized system, and ensuring that the authorization to use encryption keys is independent from how access to the underlying data is controlled. This separation of key access from data access helps prevent issues like overly permissive data access policies from compromising encrypted data.
The AWS Service that handles key management is called KMS and you can learn KMS conceptsin this developer guide.
Cryptographic Services
Cryptographic services refer to the application of cryptography techniques and protocols to secure data, communications, and systems. These services include encryption, digital signatures, key management, and authentication mechanisms, enabling confidentiality, integrity, and non-repudiation of information exchanged over insecure networks or stored in vulnerable environments.
AWS offers a few services specific to Cryptographic Services. You can learn about them here.
Compliance and Regulations
Compliance and regulations refer to the set of rules, guidelines, and standards that organizations must adhere to, ensuring data security and privacy. These standards, such as HIPAA for healthcare organizations and PCI DSS for companies handling payment card data, mandate specific data security and encryption requirements to protect sensitive information and prevent data breaches.
You can learn how AWS services and tools can help achieve compliance here.
Best Practices and Recommendations
When it comes to data security and cryptography on AWS, some key best practices include: Implementing encryption at rest and in transit using AWS services like AWS Key Management Service (KMS) and AWS Certificate Manager. Regularly rotating encryption keys and following the principle of least privilege for access to encrypted data and key material. Leveraging AWS services like Amazon Macie and AWS CloudTrail to monitor and audit data access and encryption activities for compliance purposes.
I encourage you to become familiar with these best practices on AWS. You can read more here.