Despite the considerable benefits of moving to the cloud, data security remains one of the major sticking points to cloud adoption for many enterprises. Recent high-profile breaches, such as last year’s attack on the extramarital dating site Ashley Madison, have highlighted the damage data theft can do to a company’s reputation and underlined how important it is to protect personal and sensitive information. All the more so because Ashley Madison made serious security mistakes in its AWS implementation, such as storing AWS tokens, database credentials, certificate private keys and other secrets in its source code.
Many businesses acknowledge that they need to do more to protect data, but they are often reluctant to encrypt because of concerns about the impact on the performance and functionality of their systems. In this article we look at how data on AWS EBS volumes can be encrypted, and at the trade-offs between Amazon’s own encryption and third-party tools.
Perceptions of Encryption in the Cloud
The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, recently surveyed nearly 2,000 IT and IT security practitioners about the challenges of cloud information governance. According to the study, 70% of respondents believed it was more complex to manage privacy and data protection regulations in a cloud environment than in on-premises networks. When questioned why this was so, 71% said it was difficult to apply conventional information security in a cloud environment.
But cloud security isn’t necessarily as complicated as you might think. In the last 18 months alone, AWS, the market leader, has launched two features that make data protection in the cloud a good deal easier: EBS data volume encryption and EBS boot volume encryption. EBS users now have a choice between using Amazon’s own encryption and purchasing third-party tools. Before we get into how this is done, it is worth noting that AWS also supports encryption at rest for its other storage services, such as S3 and RDS.
So what are the advantages and disadvantages of each of these two options?
Amazon’s Own Off-the-Shelf Volume Encryption Service
EBS volume encryption offers a simple alternative to building and maintaining your own cloud data security infrastructure, and there is no charge for the encryption itself (customer-managed KMS keys carry a small monthly fee and per-request charges; the AWS-managed default key for EBS does not). It uses the AWS Key Management Service (KMS), which keeps key material in hardware security modules under strong physical security controls and provides a central point for creating, managing and protecting keys for services running both in the cloud and on-premises.
Data is encrypted with AES-256, the current gold standard, which satisfies the encryption-at-rest requirements of compliance regimes such as HIPAA, PCI DSS and NIST. You can also tighten control with an IAM policy that denies users the ability to create an EBS volume unless it is encrypted.
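As an added example (not from the original article), here is an IAM policy of the kind just described. The first statement denies `ec2:CreateVolume` whenever the request’s `ec2:Encrypted` condition key is false. The second applies the same rule to the volumes that `ec2:RunInstances` creates from an AMI’s block device mappings, because those volumes are never created through CreateVolume and would otherwise slip past the first statement. The statement IDs are my own; the action names and the `ec2:Encrypted` condition key are AWS’s.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedVolumeCreation",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": { "ec2:Encrypted": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedVolumesAtLaunch",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": { "ec2:Encrypted": "false" }
      }
    }
  ]
}
```

Attach it to the IAM groups or roles whose members create volumes or launch instances. An explicit Deny wins over any Allow, so a user who has `ec2:*` granted elsewhere is still blocked. Be aware that the RunInstances statement also refuses launches from AMIs whose root snapshot is unencrypted, which is what you want once boot volume encryption is in use, but it is worth confirming the effect with `aws iam simulate-principal-policy` against a test account before rolling the policy out.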
For your all-important data volumes, encryption is performed on:
- Data at rest inside the volume
- All snapshots created from the volume
- Data moving between the volume and the instance (all disk I/O)
According to AWS, users can expect minimal impact on latency, with IOPS performance on encrypted volumes similar to that on unencrypted volumes. However, set against its ease of use, EBS volume encryption offers relatively few features compared to the more established third-party alternatives. And although both SSD and magnetic volumes are supported, at the time of writing encrypted volumes can only be attached to the following instance types:
| Instance family | Instance types that support Amazon EBS encryption |
| --- | --- |
| General purpose | m3.medium, m3.large, m3.xlarge, m3.2xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge, t2.nano, t2.micro, t2.small, t2.medium, t2.large |
| Compute optimized | c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge, c3.large, c3.xlarge, c3.2xlarge, c3.4xlarge, c3.8xlarge |
| Memory optimized | cr1.8xlarge, r3.large, r3.xlarge, r3.2xlarge, r3.4xlarge, r3.8xlarge |
| Storage optimized | d2.xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge, i2.xlarge, i2.2xlarge, i2.4xlarge, i2.8xlarge |
| GPU instances | g2.2xlarge, g2.8xlarge |
Furthermore, you cannot encrypt an existing EBS volume in place. Instead, you need to migrate the data from the unencrypted volume to a new encrypted one, for instance by snapshotting the volume, copying the snapshot with encryption enabled, and creating the replacement volume from that encrypted copy.
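As an added example, not code from the original article, the script below performs that migration for a data volume with the AWS CLI: it snapshots the source volume, copies the snapshot with `--encrypted` under a KMS key you name, creates the replacement volume from the encrypted copy in the same Availability Zone, and checks that the API actually reports the new volume as encrypted before printing its id. The volume and key identifiers are placeholders; the `AWS` variable is a convenience I added so the procedure can be exercised against a stub command without touching an account.

```shell
#!/bin/sh
# Added example: migrate an unencrypted EBS data volume to an encrypted one
# (snapshot -> encrypted snapshot copy -> new volume). Not from the original
# article. Assumes a configured AWS CLI; the volume id, KMS key id/alias and
# region are supplied by the caller.
set -eu

# Command used to reach AWS. Overridable so the procedure can be dry-run
# against a stub that prints canned ids instead of touching an account.
AWS=${AWS:-aws}

# migrate_volume SOURCE_VOLUME_ID KMS_KEY_ID [REGION]
# Prints the id of the new encrypted volume on stdout; progress goes to stderr.
migrate_volume() {
    src_vol=$1
    kms_key=$2
    region=${3:-us-east-1}

    # The replacement must live in the same AZ as the instance it will attach to.
    az=$("$AWS" ec2 describe-volumes --region "$region" --volume-ids "$src_vol" \
         --query 'Volumes[0].AvailabilityZone' --output text)

    # 1. Snapshot the unencrypted volume (this snapshot is unencrypted too).
    snap=$("$AWS" ec2 create-snapshot --region "$region" --volume-id "$src_vol" \
           --description "pre-encryption copy of $src_vol" \
           --query SnapshotId --output text)
    echo "snapshot $snap created, waiting for completion" >&2
    "$AWS" ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap"

    # 2. Copy the snapshot with encryption enabled under the chosen KMS key.
    enc_snap=$("$AWS" ec2 copy-snapshot --region "$region" --source-region "$region" \
               --source-snapshot-id "$snap" --encrypted --kms-key-id "$kms_key" \
               --description "encrypted copy of $snap" \
               --query SnapshotId --output text)
    echo "encrypted snapshot $enc_snap created, waiting for completion" >&2
    "$AWS" ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap"

    # 3. Create the replacement volume from the encrypted snapshot.
    new_vol=$("$AWS" ec2 create-volume --region "$region" --availability-zone "$az" \
              --snapshot-id "$enc_snap" --encrypted --kms-key-id "$kms_key" \
              --query VolumeId --output text)
    "$AWS" ec2 wait volume-available --region "$region" --volume-ids "$new_vol"

    # 4. Verify before trusting it: text output renders the flag as True/False.
    enc=$("$AWS" ec2 describe-volumes --region "$region" --volume-ids "$new_vol" \
          --query 'Volumes[0].Encrypted' --output text)
    if [ "$enc" != "True" ]; then
        echo "error: $new_vol is not reported as encrypted" >&2
        return 1
    fi
    echo "$new_vol"
}

# Usage (uncomment to run against a real account):
# migrate_volume vol-0123456789abcdef0 alias/ebs-data-key eu-west-1
```

Snapshotting and copying large volumes takes time, which is why the script waits at every step rather than racing ahead. Swapping the volume in is still a manual step: quiesce or stop the instance, detach the old volume, attach the new one under the same device name, and only then delete the unencrypted volume and the unencrypted intermediate snapshot, otherwise a plaintext copy of the data lives on. Root volumes follow the same idea one level up, by copying the AMI with `aws ec2 copy-image --encrypted --kms-key-id ...` and relaunching from the encrypted image.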
Third-party offerings, such as Trend Micro, Vormetric and CipherCloud, will appeal to organizations that prefer to manage their data security more autonomously, without handing control of their encryption keys to the cloud provider. Not only that, but most third-party solutions offer a range of value-added management and reporting tools that help customers maintain good data security practice and meet their compliance objectives.
For example, several provide a centralized dashboard for management and data transfer across different cloud platforms, which is particularly attractive to users with multi-cloud or hybrid cloud deployments. What’s more, with many of these vendors encryption comes as part of a wider range of integrated data security services that some users won’t want to lose.
All the same, companies that move to the cloud in the future may not feel that they can justify the cost of third-party encryption services when they can get a simpler solution straight out of the box for free.
Which Option Is Best to Ensure Compliance?
Each case is different. The answer depends on your specific industry, the extent and complexity of your on-site and cloud operations, and the IT security expertise available within your organization.
Finally, remember that encryption is only one part of your data security obligations. Secure data management involves a range of best practices, but above all it means keeping your cryptographic keys secure: physically securing the hardware that holds them, rotating them periodically, storing them separately from the data they decrypt, and making regular encrypted backups of both data and keys.