Data-at-rest encryption on cloud platforms

When we talk about “data at rest”, we mean data that is stored on a device or backed up and is not actively being moved from network to network or being processed. Think of it as your digital data sleeping on your hard drive, USB stick or cloud storage. Much like a hibernating bear, just because it’s static doesn’t mean it’s safe from threat. Enter: encryption.

The role of encryption in protecting data at rest

Encryption is the digital equivalent of locking your files in a high-security safe, allowing access only to those with the right key. It works by converting the original representation of information, known as plaintext, into an alternative form known as ciphertext. This ciphertext appears as a random string of characters to anyone without authorization.

How does it work? Let’s break it down:

Encryption algorithms

There are multiple algorithms with names like AES (Advanced Encryption Standard), RSA, and Twofish, to name a few. AES is one of the most popular and widely used symmetric encryption algorithms today, often chosen for its combination of security, performance and efficiency.

Symmetric vs. asymmetric encryption

Encryption can be symmetric, where the same key is used for both encryption and decryption, or asymmetric, using one key (the public key) for encryption and another key (the private key) for decryption.

Symmetric encryption is commonly used to protect data at rest because of its speed and simplicity in the encryption and decryption process.

Data encryption in Cloud Platforms

In the dynamic landscape of cloud services, how can we ensure that our data is protected when we entrust it to cloud storage solutions such as AWS S3 buckets, Google Cloud Storage or Azure Blob Storage? Let’s explore the built-in encryption capabilities offered by these popular cloud services.

Encrypt data at rest in AWS S3

Amazon S3 provides robust encryption features to protect your data. When uploading files to an S3 bucket, you can choose to:

  • Server-Side Encryption (SSE): Allows Amazon to manage encryption keys.
  • Client-side encryption: You manage the encryption keys and encrypt your data before uploading it to S3.

The simplest server-side option is SSE-S3, which encrypts each object with a unique key. Here’s how to enable it:

import boto3

# Initialize an S3 client. The key arguments are placeholders; in practice
# leave them out and let boto3 pick up credentials from the environment,
# a profile, or an instance/task role rather than hard-coding them.
s3 = boto3.client(
    's3',
    region_name='your-region',
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY',
)

# Enable SSE-S3 (AES-256) as the default encryption for new objects in the bucket
s3.put_bucket_encryption(
    Bucket='your-bucket-name',
    ServerSideEncryptionConfiguration={
        'Rules': [
            {
                'ApplyServerSideEncryptionByDefault': {
                    'SSEAlgorithm': 'AES256'
                }
            }
        ]
    },
)
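Setting a default is only half the job; you also want to confirm it took effect and see which key is in use. The audit helper below is an added example, not part of the original post: it classifies the `ServerSideEncryptionConfiguration` structure that `get_bucket_encryption` returns (the same shape the call above writes), flags buckets with no default, and runs offline against constructed sample data; the `fetch_config` helper is the live boto3 lookup you would plug in instead.

```python
# Constructed sample: what get_bucket_encryption returns per bucket, or None
# where S3 raised ServerSideEncryptionConfigurationNotFoundError (no default set).
SAMPLE_BUCKETS = {
    "sse-s3-bucket": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "sse-kms-bucket": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            # placeholder ARN, not a real key
            "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"},
         "BucketKeyEnabled": True}]},
    "no-default-bucket": None,
}


def classify_encryption(config):
    """Return (mode, key_id) for a ServerSideEncryptionConfiguration dict.

    key_id is None for SSE-S3 and for SSE-KMS that relies on the
    AWS-managed aws/s3 key (no KMSMasterKeyID in the rule).
    """
    if not config or not config.get("Rules"):
        return ("none", None)
    default = config["Rules"][0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm == "AES256":
        return ("SSE-S3", None)
    if algorithm == "aws:kms":
        return ("SSE-KMS", default.get("KMSMasterKeyID"))
    return ("unknown", None)


def fetch_config(s3, bucket):
    """Live lookup with a boto3 S3 client; maps 'no default set' to None."""
    from botocore.exceptions import ClientError  # imported lazily to stay offline-safe
    try:
        return s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise


def audit(buckets):
    """Return (bucket, mode, key_id) for every bucket without a usable default."""
    findings = []
    for name, config in buckets.items():
        mode, key_id = classify_encryption(config)
        if mode in ("none", "unknown"):
            findings.append((name, mode, key_id))
    return findings
```

Keep in mind that a bucket default only governs objects uploaded after it is set; objects that were already in the bucket keep whatever encryption they had at upload time.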

Encrypt data at rest in Google Cloud Storage

Google Cloud Storage also offers ways to protect your data. By default, all data written to GCP storage is encrypted before it is written to disk. You can manage keys yourself or Google can manage them.

Here’s how you can set up a bucket to use Customer-Managed Encryption Keys (CMEK):

# Use the gsutil command line to create a new bucket
gsutil mb -p your-project-id -c standard -l your-region -b on gs://your-bucket-name/

# Then set the default encryption on the bucket to your own Cloud KMS key.
# The project's Cloud Storage service agent must hold the CryptoKey Encrypter/Decrypter
# role on that key first (gsutil kms authorize grants it), or writes will fail.
gsutil kms encryption -k projects/your-project-id/locations/global/keyRings/your-key-ring/cryptoKeys/your-key gs://your-bucket-name

Encrypt data at rest in Microsoft Azure Blob storage

Azure Blob Storage supports automatic encryption of your data before storage. This is done using Azure Storage Service Encryption (SSE) which uses 256-bit AES encryption, similar to S3 and GCP. Additionally, Azure offers client-side encryption that you can handle similarly to AWS.

Here’s how you can create a storage account that encrypts its data with Microsoft-managed keys:

# Create a storage account. Storage Service Encryption is enabled on every
# account by default and cannot be switched off, so no extra flag is needed.
New-AzStorageAccount -ResourceGroupName "yourResourceGroup" -Name "yourStorageAccountName" -Location "yourRegion" -SkuName "Standard_GRS"

Key management

Key management refers to the secure handling of cryptographic keys throughout their lifetime, and it matters even more in a multi-cloud world. Although cloud platforms give you a lot of features, if you choose to create your own encryption keys, you are responsible for managing them properly to maintain the highest level of security.

Basic key management practices include:

  • Generating keys in a secure way
  • Safe storage of keys
  • Access controls to limit who can use keys
  • Changing keys regularly to limit the time frame an attacker has to compromise the key

Conclusion

Whether you favor AWS, Google Cloud, or Azure, each platform gives you the tools to protect your data while it rests peacefully in your chosen cloud service. They take care of the hard work, allowing you to focus on what’s most important to your business.
