This content is part of the Essential Guide: An insider's look at AWS re:Invent 2014

AWS encryption creates a solid base for cloud compliance

AWS made changes to data encryption features for services like S3, giving admins more flexibility and control. But many say it's still not enough.

The initial encryption feature for Amazon Web Services S3 data was lacking some capabilities. Enterprises took issue with the fact that AWS -- not consumers -- created and owned the encryption keys. Recent changes, however, have given administrators more flexibility in the realm of AWS encryption.

AWS gave users the ability to load their own encryption keys, making the service more relevant and accessible to industries under strict regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS). AWS users can also encrypt data on Elastic Block Storage (EBS) volumes. EBS encryption is still in development, however, and does not yet let customers upload their own encryption keys or import previously encrypted data into the Amazon cloud.

Data encryption concerns were really brought to the table only in 2011. Recent encryption and security issues further demonstrate why enterprises, IT organizations and companies with strict compliance standards have been reluctant to adopt the public cloud.

"Encryption is unquestionably the best practice when processing sensitive data in the cloud," said Gilad Parann-Nissay, CEO and founder of Porticor, a cloud security and encryption company located in Campbell, Calif. "AWS' progress creates a solid base for compliance and security. [It] is correctly opening up APIs to supply keys externally for the encryption, since customers must own encryption keys and must hold them," he said.

Companies should look to key management solutions that work natively in the cloud, but keep ownership outside the cloud, Parann-Nissay recommended. "Split key encryption -- especially with homomorphic encryption of the keys -- is the approach without hardware," he said.

Cloud vendors face a challenge when it comes to encryption key management. Everything can be stored in the cloud, but end users need to own encryption keys. Vendors like Porticor enable enterprises to encrypt their data under a patented key management product that works with private, public and hybrid cloud environments.

Where AWS encryption stands

Currently, Amazon is the most advanced cloud service provider when it comes to supporting compliance standards such as HIPAA, PCI-DSS, ISO and others. It uses the 256-bit Advanced Encryption Standard, or AES, which was adopted and approved by the National Institute of Standards and Technology and the U.S. government in 2002. This is the highest level of encryption required for companies that must meet strict government regulations.

While cloud service providers haven't come to a consensus on how to handle the encryption key issue, AWS manages the keys on dedicated physical hardware through AWS CloudHSM. Newer organizations may be fine with this approach, but it's a whole new can of worms for traditional organizations that prefer to own the encryption keys.

Cloud data security takeaways

When your enterprise is ready to move sensitive data to the public cloud, here are a few points that should be on your checklist to ensure you build and maintain a secure cloud environment.

1. Keep cloud credentials safe. Just a few years ago, it was acceptable to share your AWS credentials with software as a service, or SaaS, vendors via email, without any knowledge of possible security breaches. Hackers see the Amazon cloud as a place to target and abuse resources and service providers. Make sure your credentials are safe.

2. Keep data encrypted. It's unclear why data encryption isn't offered as a default option. However, now you can choose to encrypt your data in S3. Whether it be test data or not, companies and organizations that use the Amazon cloud to host sensitive data must use encryption. The safest method of encryption is providing Amazon with your encryption key -- not the other way around.

3. Host your keys and credentials on different servers. Putting your Amazon account credentials and encryption keys on the same virtual machine increases the risk to your data assets: whoever compromises that one machine gets both. To avoid becoming the next Code Spaces, store your encryption keys in a physically separate location from your credentials.
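The two ideas above, split-key custody (Parann-Nissay's recommendation) and handing S3 your own key for server-side encryption (point 2), as an added example that is not code from the article, Porticor or AWS. It assumes the S3 REST API's SSE-C request headers (x-amz-server-side-encryption-customer-*) and models the split as a simple two-share XOR scheme, so neither share alone reveals the key:

```python
# Added example (stdlib only, no network): a 256-bit S3 key kept as two XOR
# shares, reassembled only at upload time, then sent via S3's SSE-C headers.
import base64
import hashlib
import secrets

KEY_BYTES = 32  # SSE-C requires a 256-bit AES key


def split_key(key: bytes):
    """Split key into two shares; each share alone is uniformly random."""
    if len(key) != KEY_BYTES:
        raise ValueError("SSE-C key must be exactly 32 bytes")
    share_cloud = secrets.token_bytes(KEY_BYTES)      # e.g. kept by the key server
    share_owner = bytes(a ^ k for a, k in zip(share_cloud, key))  # kept by customer
    return share_cloud, share_owner


def join_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; only both together yield the real key."""
    if len(share_a) != KEY_BYTES or len(share_b) != KEY_BYTES:
        raise ValueError("both shares must be 32 bytes")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def sse_c_headers(key: bytes) -> dict:
    """Headers S3 expects for server-side encryption with a customer key.
    S3 only accepts these over HTTPS; the key is never stored by S3, so
    the same headers must accompany every GET of the object."""
    if len(key) != KEY_BYTES:
        raise ValueError("SSE-C key must be exactly 32 bytes")
    key_md5 = hashlib.md5(key).digest()  # integrity check S3 performs on the key
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode(),
    }


def key_from_headers(headers: dict) -> bytes:
    """Decode the key from SSE-C headers, verifying the MD5 the way S3 does."""
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    sent_md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"])
    if hashlib.md5(key).digest() != sent_md5:
        raise ValueError("key MD5 mismatch")
    return key


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_BYTES)          # constructed sample key
    cloud_share, owner_share = split_key(key)
    assert join_key(cloud_share, owner_share) == key
    print(sse_c_headers(key)["x-amz-server-side-encryption-customer-algorithm"])
```

Losing either share makes the data unrecoverable, so back up the owner share as carefully as the credentials it is kept apart from.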

About the author:
Ofir Nachmani is a business technology advisor, blogger and lecturer. Ofir's extensive experience in the world of business technology has made his critically acclaimed blog the go-to guide for modern technology startups and developers in the world of cloud computing. Today he advises organizations, leading them through new IT market modifications, while building and executing a modern go-to-market strategy.