Can you use SSL to secure interactions with the Cloud? The answer: in part. Remember, the original intent of SSL (Secure Sockets Layer, now known as Transport Layer Security, or TLS) was to secure interactions between browsers and Web servers, and to this day it still offers only point-to-point channel encryption. If you want a message to traverse any kind of intermediary, or if you want to secure only part of a message, then SSL falls short. And of course, SSL can only secure messages in motion. It doesn’t help at all with securing data at rest.
To secure data at rest, you need an alternative approach to encryption. The brute force approach is to encrypt all data before you upload it to the Cloud. That way you can keep your private keys on premise (an important best practice), and you can rest assured that hackers will have a very hard time cracking any of your confidential information in the Cloud, no matter where the Cloud provider puts it.
The problem with the brute force approach is that you can’t do much with your information when it’s in an encrypted form. You can store it and move it around, but you can’t process it in the Cloud without decrypting it there, which creates an obvious opportunity for hackers. As a result, many organizations require a more subtle approach than brute force encryption.
An alternative approach that’s gaining increasing traction in the Cloud marketplace is the use of encrypted volumes. In essence, the entire virtual drive is encrypted, so any files you store on it are automatically encrypted. Will an encrypted volume solve your data-at-rest confidentiality problem?
Not so fast. With today’s encrypted volume technology, all you need is a single username/password or private key to unlock the drive. And once someone has unlocked it, they have access to all the data on the drive. No fine-grained access control or entitlements. Bottom line: sometimes you can secure your data in motion with SSL and your data at rest with encrypted volumes in the Cloud, but even when you combine both approaches, you still have holes a hacker can drive a truck through. Be warned!
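The encrypt-before-upload approach from above, with the master key kept on premise, written out as an added Go example (not code from the original article): each object is sealed under its own random data key, and only that key, wrapped under the master key, is stored beside the ciphertext, so the cloud store never holds plaintext or the master key, and disclosing one object's data key does not unlock everything the way a single volume key does. `Key`, `Upload`, `Download` and the map standing in for the object store are assumptions of this example, not any provider's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key is a 256-bit AES key; the fixed size means aes.NewCipher cannot fail.
type Key [32]byte

// seal returns nonce || ciphertext || tag under AES-256-GCM, fresh nonce per call.
func seal(k Key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error in current Go
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or any tampered byte.
func open(k Key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Upload is the client side of a put to a cloud object store (s, a stand-in map).
// Each object gets its own random data key; only that key, wrapped under the
// on-premise master key, travels with the object, so s never sees plaintext.
func Upload(master Key, s map[string][]byte, name string, plaintext []byte) {
	var dataKey Key
	rand.Read(dataKey[:])
	s[name] = seal(dataKey, plaintext)
	s[name+".key"] = seal(master, dataKey[:])
}

// Download unwraps the object's data key with the master key, then decrypts.
func Download(master Key, s map[string][]byte, name string) ([]byte, error) {
	raw, err := open(master, s[name+".key"])
	if err != nil {
		return nil, err
	}
	return open(Key(raw), s[name]) // raw is exactly 32 bytes once open succeeds
}
```

Anything the provider stores, including the wrapped key, is useless without the master key, which is exactly why that key must stay on premise and why the data cannot be processed in the Cloud without first being decrypted there.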