“We encrypt data in transit and at rest” cliche

We often see cloud providers state that they “encrypt data in motion/in transit and also at rest”. Let’s see how this works technically.

Protection of Data-In-Motion

Data-in-motion is usually encrypted with the TLS/SSL protocol, so the data is encrypted while it is transferred from the client to the cloud and is no longer vulnerable to eavesdropping or tampering on the wire. But once it arrives at the server, the data is decrypted, processed by the database service and then stored.

Protection of Data-At-Rest

Some cloud providers allow customers to encrypt data at rest with so-called transparent encryption. Transparent Data Encryption (TDE) is a technology that encrypts the database files themselves. TDE solves the problem of protecting data at rest, encrypting databases both on the hard drive and consequently on backup media. This technology was useful when you had your own datacenter, but it is mostly useless in our new “cloud era”, because the data is exposed unencrypted to the database service.

This typical scenario is described in the picture below (figure: withoutIQrypt2).

As visible, this is not enough: at the service level the data is unencrypted, so if a cyber criminal succeeds in accessing the service, he will have access to all data, regardless of whether the data is encrypted “at rest” or not. The same principle applies to the cloud provider itself: it can still mine customer data for its own profit.

The alternative is client-side encryption: the data is encrypted before it leaves the client’s device and stays encrypted at every level. But client-side encryption brings some challenges, and the most important one is SEARCH. Typically, once the data is encrypted it cannot be searched anymore, and the server cannot execute any computation over encrypted data. Another important challenge is the management of the encryption keys, because that needs to be handled on the client device.

IQrypt aims to solve these challenges by providing searchable encryption algorithms and also a solution to manage the encryption keys securely, called IQryptVault. The SDK is provided as open source and can be found on GitHub, and IQryptVault will also be provided as open source very soon.
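To make the search problem from the two paragraphs above concrete, here is an added example (written for this page, not IQrypt’s SDK or any other project’s code) of the simplest form of searchable encryption: the client encrypts each record with AES-256-GCM under a key the server never sees, and alongside the ciphertext it stores a “blind index”, an HMAC of the searchable field under a second client-only key. The server can answer an equality query by comparing tokens without ever learning the e-mail address or the record contents. All names (`ClientKeys`, `Record`, `Server`, `blindIndex`, `searchByEmail`) and the sample records are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ClientKeys never leave the client device. The server only ever sees
// ciphertext and index tokens derived from them. (Hypothetical type.)
type ClientKeys struct {
	dataKey  []byte // 32-byte AES-256-GCM key for record contents
	indexKey []byte // 32-byte HMAC-SHA256 key for the equality-search index
}

func newKeys() (*ClientKeys, error) {
	k := &ClientKeys{dataKey: make([]byte, 32), indexKey: make([]byte, 32)}
	if _, err := rand.Read(k.dataKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(k.indexKey); err != nil {
		return nil, err
	}
	return k, nil
}

// Record is what the server stores: ciphertext plus a searchable token.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
	EmailIndex string // hex HMAC of the normalised e-mail: matchable, not reversible
}

// blindIndex derives a deterministic token: equal inputs give equal tokens,
// which is exactly what lets the server match an exact-equality query.
func blindIndex(k *ClientKeys, value string) string {
	m := hmac.New(sha256.New, k.indexKey)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(m.Sum(nil))
}

func newGCM(k *ClientKeys) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord runs on the client. The index token is bound to the
// ciphertext as associated data, so a row cannot be re-labelled server-side.
func encryptRecord(k *ClientKeys, email, body string) (Record, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	idx := blindIndex(k, email)
	ct := gcm.Seal(nil, nonce, []byte(body), []byte(idx))
	return Record{Nonce: nonce, Ciphertext: ct, EmailIndex: idx}, nil
}

// decryptRecord runs on the client; any tampering with the stored row fails here.
func decryptRecord(k *ClientKeys, r Record) (string, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.EmailIndex))
	if err != nil {
		return "", errors.New("record failed authentication: tampered or wrong key")
	}
	return string(pt), nil
}

// Server holds no keys and can only compare tokens it is given.
type Server struct{ rows []Record }

func (s *Server) Store(r Record) { s.rows = append(s.rows, r) }

func (s *Server) FindByIndex(token string) []Record {
	var hits []Record
	for _, r := range s.rows {
		if r.EmailIndex == token {
			hits = append(hits, r)
		}
	}
	return hits
}

// searchByEmail is the client side of a query: tokenise, ask, decrypt locally.
func searchByEmail(k *ClientKeys, s *Server, email string) ([]string, error) {
	var out []string
	for _, r := range s.FindByIndex(blindIndex(k, email)) {
		body, err := decryptRecord(k, r)
		if err != nil {
			return nil, err
		}
		out = append(out, body)
	}
	return out, nil
}

func main() {
	k, err := newKeys()
	if err != nil {
		panic(err)
	}
	srv := &Server{}
	for _, rec := range [][2]string{ // constructed sample records
		{"Alice@Example.com", "invoice #1"},
		{"bob@example.com", "invoice #2"},
		{"alice@example.com", "invoice #3"},
	} {
		r, err := encryptRecord(k, rec[0], rec[1])
		if err != nil {
			panic(err)
		}
		srv.Store(r)
	}
	hits, err := searchByEmail(k, srv, "ALICE@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("matches for alice:", hits)
}
```

The trade-off to keep in mind: because the index is deterministic, the server still learns which rows share the same e-mail and how often each token is queried, and it can only answer exact-match queries, not prefix or range queries. That leakage-versus-functionality balance is what more elaborate searchable encryption schemes are designed around, and it is why key management has to stay on the client: whoever holds `indexKey` can compute tokens for guessed values.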

Encrypt and stay safe!
