What are some best practices for cloud encryption?

With so many companies moving data to the cloud in one way or another, encryption has become a major part of the overall effort of providing cloud security. Many of the biggest questions that companies have are around security, because there are so many risks and liabilities around cyberattacks.

One of the major components of improving cloud encryption involves talking to cloud providers and vendors. Because so much of the actual architecture is on the vendor side, many of the best practices that client companies can comply with involve talking in-depth with vendors and inspecting the vendor's security processes.

Companies should review a service-level agreement (SLA) very closely and ask for a security architecture plan from the vendor to actually see how the vendor's security works. Potential customers should discuss different types of security – security for the perimeter of the network, and segmentation or segregation inside the network, as well as endpoint security, where that is applicable.

In terms of actual encryption strategies, some guidelines can help to perfect how encryption secures data in the cloud. There is the principle of decentralization for the encryption mechanism, and the concept of multiple encryption processes, and there is the principle of good user authentication and the use of audit logs to track network events.

Another type of encryption best practice involves managing multiple encryption keys. This varies according to the architecture – for instance, key management is different for public, private and hybrid cloud setups. Customers should understand when encryption keys are held by the vendor, and when they are held by the client, and how this serves a particular type of security strategy.

The Confidential Computing Consortium recommends a hardware-based approach to that allows data to stay encrypted even while it is being processed in memory. This approach, which is called confidential computing, provides an additional layer of security for organizations that process sensitive or regulated data in the cloud.

By connecting with vendors and discussing the actual nuts and bolts of the provider's cybersecurity architecture, customers can be better served. Some experts recommend appointing one person to be responsible for working the back channels of communication in order to ensure both internal customers and public cloud partners prioritize security in the cloud implementation process.