Richard Blech

Why You Should Care About the Limitations of Cloud Encryption



It is hard to find an organization today that does not have at least some of its applications and data spread across several clouds: AWS, Azure, Google Cloud, Salesforce, Workday and countless others. There is no enterprise function without a cloud service offering; HR, sales, marketing, finance and accounting, software development, the list goes on. Can you imagine trying to understand and keep track of how each cloud provider handles the encryption of your data on its servers? It is impractical. All of these providers offer their own server-side encryption and, in many cases, bring-your-own-key (BYOK) options. Server-side encryption protects data at rest on the provider's storage, and it is transparent to anyone who can call the provider's API with valid credentials: the provider decrypts on read, so a stolen access key or an over-permissive role reads plaintext exactly as a legitimate user would. Configuring these services and the surrounding policies to do what you actually intend can be complicated, and some organizations lack the time or skills to iterate on the design and testing the cloud often requires. Provider encryption generally satisfies compliance regulations and offers some liability protection, but these companies are not known as bastions of data privacy. They typically use AES-256 to protect stored data against attackers who break into their systems or obtain storage media. But are they sufficiently protecting their customers?


No organization should consider its data safe, whether on-premises or within a vendor or cloud service


Solid data privacy and protection in today's perimeter-less digital environment requires strong encryption on endpoints, in transit, and at rest in databases and storage systems. Data should be encrypted at the source, under keys the organization controls, before it is sent to the cloud or anywhere else.

In 2019, Capital One had about 100 million credit card applications illegally accessed. The attacker used cloud credentials obtained through a misconfigured web application firewall to read the data from the bank's cloud storage through its normal API; server-side encryption offers no defence against a caller holding valid credentials. Clearly, the bank had not taken proper steps to ensure its systems were sufficiently secure. In 2020 the Office of the Comptroller of the Currency fined the bank $80 million for failing to establish effective risk assessment processes before moving a major portion of its computer operations to a public cloud, and for failing to correct the deficiencies in a timely manner. This example should serve as a cautionary tale for every organization.


Data security and privacy are the responsibility of the organization


Security and privacy are not the same thing; they are distinct, yet interdependent. Some cloud providers scan, aggregate or monetize the data they hold, and what a provider may do with your data is governed by its terms of service, not by your policies. It is the organization that bears the responsibility for ensuring that its data privacy policies and procedures apply the strongest practical security measures before data is sent to any third party.

Centrally controlled network perimeters are a thing of the past. The remote workforce, mobile users and multi-cloud services have opened a Pandora's box of potential data hazards. Relying on a public cloud for data protection is poor policy and flies in the face of data security best practice. Every organization should be in control of its own data security and privacy, through the comprehensive application of strong encryption. Data protection is more urgent than ever, with more remote workers storing and sending data from wherever they are, exchanging and sharing files, and keeping data on-premises, in the cloud or in hybrid environments.


There are many encryption options to choose from, and flexible solutions are available. XSOC CORP offers what it describes as quantum-strength encryption with a symmetric key exchange that encrypts data at the file level and delivers the symmetric key without relying on certificate-based cryptography. Each file is encrypted separately, under its own key. To illustrate with data stored in a cloud environment: AWS stores objects in S3 buckets. Think of a bucket as a folder that holds stored objects, each consisting of data and metadata. With XSOC's Cryptosystem, individual files can be located within an S3 bucket and a single encrypted file pulled out and decrypted on its own. Similarly, a database query can be resolved at the row level, matching the key to the file, while the data itself is still encrypted; the file is then pulled down and decrypted for use.


This approach lets users locate and retrieve encrypted data without first decrypting anything: the query matches on identifiers (object name, row key), not on the encrypted contents, and every file has its own key. It is not homomorphic encryption in the formal sense, which computes on ciphertext; it is per-object encryption with searchable identifiers. An S3 bucket can hold petabytes of data, but if a user needs only a single file rather than the whole folder, everything else in the bucket stays encrypted and untouched. XSOC states that the process is fast and easy to use across any cloud environment.
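The two paragraphs above describe per-file encryption at the source with a lookup that runs on identifiers rather than on ciphertext. The following is an added example of that pattern, not XSOC's code: XSOC's own cipher and key-delivery mechanism are not shown on this page, so the example uses standard AES-256-GCM envelope encryption from Go's standard library instead. Each object is encrypted under its own random data key before "upload", that key is wrapped under a master key the organization holds, and a single object is found by name and decrypted without touching the rest of the bucket. The in-memory `Bucket` map stands in for S3 (no network), and the sample records are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// EncryptedObject is what lands in the bucket: ciphertext plus the metadata needed
// to recover it. (Layout constructed for this example; not XSOC's or AWS's format.)
type EncryptedObject struct {
	WrappedKey []byte // this file's 256-bit data key, sealed under the master key
	KeyNonce   []byte // GCM nonce used to wrap the data key
	BodyNonce  []byte // GCM nonce used for the file contents
	Body       []byte // AES-256-GCM ciphertext and tag of the file contents
}

// Bucket stands in for an S3 bucket (object name -> stored object); an in-memory
// map so the example runs offline.
type Bucket map[string]EncryptedObject

// mustGCM builds AES-GCM; a wrong key length is a programming error, so it panics.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// PutEncrypted encrypts one file under a fresh random data key, wraps that key
// under masterKey, and stores both under objectKey. The object name is bound into
// both AEAD calls as associated data, so a ciphertext copied to another name fails.
func PutEncrypted(b Bucket, masterKey []byte, objectKey string, plaintext []byte) {
	dataKey := randomBytes(32)
	bodyAEAD, kek := mustGCM(dataKey), mustGCM(masterKey)
	bodyNonce, keyNonce := randomBytes(bodyAEAD.NonceSize()), randomBytes(kek.NonceSize())
	b[objectKey] = EncryptedObject{
		WrappedKey: kek.Seal(nil, keyNonce, dataKey, []byte(objectKey)),
		KeyNonce:   keyNonce,
		BodyNonce:  bodyNonce,
		Body:       bodyAEAD.Seal(nil, bodyNonce, plaintext, []byte(objectKey)),
	}
}

// Find lists object names under a prefix: the "query" reads identifiers only; every payload stays sealed.
func Find(b Bucket, prefix string) []string {
	var names []string
	for name := range b {
		if strings.HasPrefix(name, prefix) {
			names = append(names, name)
		}
	}
	return names
}

// GetDecrypted fetches exactly one object and decrypts it; no other object is read
// or unwrapped. Tampering, a wrong master key, or an object moved to another name
// fails authentication and returns an error rather than garbage.
func GetDecrypted(b Bucket, masterKey []byte, objectKey string) ([]byte, error) {
	obj, ok := b[objectKey]
	if !ok {
		return nil, fmt.Errorf("no such object: %s", objectKey)
	}
	dataKey, err := mustGCM(masterKey).Open(nil, obj.KeyNonce, obj.WrappedKey, []byte(objectKey))
	if err != nil {
		return nil, fmt.Errorf("unwrap key for %s: %w", objectKey, err)
	}
	plaintext, err := mustGCM(dataKey).Open(nil, obj.BodyNonce, obj.Body, []byte(objectKey))
	if err != nil {
		return nil, fmt.Errorf("decrypt %s: %w", objectKey, err)
	}
	return plaintext, nil
}

func main() {
	master := randomBytes(32) // in practice: kept in a KMS/HSM you control, never handed to the provider
	bucket := Bucket{}
	// Constructed sample records (assumed names and content; not real data).
	PutEncrypted(bucket, master, "applications/app-1001.json", []byte(`{"applicant":"A. Example"}`))
	PutEncrypted(bucket, master, "applications/app-1002.json", []byte(`{"applicant":"B. Example"}`))
	fmt.Println("matches:", Find(bucket, "applications/"))
	pt, err := GetDecrypted(bucket, master, "applications/app-1002.json")
	fmt.Println(string(pt), err)
}
```

Only the wrapped key, the two nonces and the ciphertext would be uploaded; the master key never leaves the organization. Rotating the master key means re-wrapping 48 bytes per object rather than re-encrypting the data, and a leaked data key exposes exactly one file. The contrast with provider-side encryption is the point of the article: there, the provider decrypts for any caller presenting valid credentials, whereas here a stolen bucket credential yields only ciphertext.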


Organizations take control when data protection is cloud platform and encryption agnostic


XSOC states that its Cryptosystem is FIPS 140-2 validated and that, alongside its native 512+-bit encryption, it also supports conventional algorithms such as AES, RC4, Blowfish and 3DES. A practitioner choosing among those should note that only AES-256 belongs to the NSA's Commercial National Security Algorithm (CNSA) Suite; RC4 and 3DES are deprecated and should not be selected for new data, and Blowfish's 64-bit block size makes it a poor fit for large volumes. The process leverages XSOC's Encrypted Broadcast Protocol (EBP), which accelerates encrypted packet transfer without relying on TLS, speeding up the transmission and encryption of large quantities of data to any cloud provider. Because the payload is encrypted before it leaves the endpoint, an intermediary who intercepts the transfer obtains only ciphertext, which mitigates the risk of MitM attacks; that protection is only as strong as the authenticity of the key delivery, since an intermediary who can substitute the key can read the traffic.

This enables organizations to overcome cloud encryption limitations by maintaining a robust privacy and security posture through strong data encryption across all endpoints, networks and multiple clouds.