When It Comes To Cloud Security, Don’t Forget SSL
September 30, 2011 | Leave a Comment
By Michael Lin, Symantec
Cloud computing appears here to stay, bringing with it new challenges and security risks on one hand, while on the other hand boasting efficiencies, cost savings and competitive advantage. With the new security risks of cloud and the mounting skill and cunning of today’s malicious players on the Web, Secure Sockets Layer (SSL) certificates are here to stand up to the risks. Using SSL encryption and authentication, SSL certificates have long been established as a primary security standard of computing and the Internet, and a no-brainer for securely transferring information between parties online.
What is SSL?
SSL Certificates encrypt private communications over the public Internet. Using public key infrastructure, SSL consists of a public key (which encrypts information) and a private key (which deciphers information), with encryption mathematically encoding data so that only the key owners can read it. Each certificate provides information about the certificate owner and issuer, as well as the certificate’s validity period.
Certificate Authorities (CAs) issue each certificate, which is a credential for the online world, to only one specific domain or server. The server sends the identification information to the browser when it connects, then sends the browser a copy of its SSL Certificate. The browser verifies the certificate, and then sends a message to the server and the server sends back a digitally signed acknowledgement to start an SSL-encrypted session, letting encrypted data transfer between the browser and the server.
How does it secure data in the cloud?
If SSL seems a little old-school in comparison to the whiz-bang novelty of cloud computing, consider this: since SSL offers encryption that prevents prying eyes from reading data traversing the cloud, as well as authentication to verify the identity of any server or endpoint receiving that data, it’s well-suited to address a host of cloud security challenges.
Where does my data reside, and who can see it? Moving to the cloud means giving up control of private and confidential data, bringing data segregation risks. Traditional on-site storage lets businesses control where data is located and exactly who can access it, but putting information in the cloud means putting location and access in the cloud provider’s hands.
This is where SSL swoops in to quell data segregation worries. By requiring cloud providers to use SSL encryption, data can securely move between servers or between servers and browsers. This prevents unauthorized interceptors from reading that data. And, don’t forget that SSL device authentication identifies and vets the identity of each device involved in the transaction, before one bit of data moves, keeping rogue devices from accessing sensitive data.
How can I maintain regulatory compliance in the cloud? In addition to surrendering control of the location of data, organizations also need to address how regulatory compliance is maintained when data lives in the cloud. SSL encryption thwarts accidental disclosure of protected or private data according to regulatory requirements. It also provides the convenience of automated due diligence.
Will my data be at risk in transit? Putting data in the cloud usually means not knowing where it physically resides, as discussed earlier. The good news is that cloud providers using SSL encryption protect data wherever it goes. This approach not only safeguards data where it lives, but also helps assure customers that data is secure while in transit.
Another point to note here is that cloud providers using a legitimate third-party SSLCAwill not issue SSL certificates to servers in interdicted countries, nor store data on servers located in those countries. SSL therefore further ensures that organizations are working with trusted partners.
Will any SSL do?
Recent breaches and hacks reinforce the fact that not all SSL is created equal, and neither are all CAs. Security is a serious matter and needs to be addressed as organizations push data to the cloud. Well-established best practices help those moving to the cloud make smart choices and protect themselves. Here are some things to keep in mind while weighing cloud providers:
- Be certain that the cloud providers you work with use SSL from established and reliable independent CAs. Even among those trusted CAs, not all SSL is the same, so choose cloud providers that ensure that those providers have SSL certificates from certificate authorities that:
- Ensure that the SSL your cloud provider uses supports at least AES 128-bit encryption, preferably stronger AES 256-bit encryption, based on the new 2048-bit global root
- Require a rigorous, annual audit of the authentication process Maintain military-grade data centers and disaster recovery sites optimized for data protection and availability
Who will you trust? That’s the question with cloud computing, and with SSL. Anybody can generate and issue certificates with free software. Partnering with a trusted CA ensures that it has verified the identity information on the certificate. Therefore, organizations seeking an SSL Certificate need to partner with a trusted CA.
SSL might not be the silver bullet for cloud security, but it is a valuable tool with a strong track record for encrypting and authenticating data online. Amid new and complex cloud security solutions, with SSL, one of the most perfectly suited solutions has been here all along.