Most data uploaded to the cloud is protected only by standard username and password authentication and is usually stored in clear text for easy access and retrieval.
However, because some data is sensitive or confidential, this level of protection is not sufficient against certain threats or to meet certain requirements, such as:
- External attackers: if attackers somehow take over your credentials, they gain unauthorized access to your data.
- Internal threats: an attacker inside the data center, such as a disgruntled network engineer or technician, can pose a serious threat to your data.
- Data protection and security laws and regulations such as HIPAA, PCI DSS and the EU GDPR: companies that handle sensitive customer data are required by these laws to provide additional security and protection, so storing data in plaintext is not enough.
To mitigate the risks associated with such situations, it is necessary to use data encryption.
What is encryption?
In simple terms, encryption is the process of scrambling data with an encryption key so that it cannot be read without the corresponding key. This "encrypted data" is what gets stored on the server. Encrypted data is useless to an attacker, even one who gains unauthorized access to it.
When a legitimate user retrieves the data, the decryption key is used to turn (decrypt) the data from the server back into its usable form. There are many types of encryption, but in the context of cloud storage they usually fall into two categories: client-side encryption and server-side encryption.
Client-side encryption
This is when both the encryption key and the decryption key are created and stored on the user's side, and the data is encrypted before it is uploaded to the server.
In other words, by the time the server receives the data for storage, it is already encrypted. This is a very effective method because the key (client side) and the encrypted data (server side) are stored in different locations: obtaining only the key, or only the data, is useless to an attacker.
The disadvantage of this method is that the user must remember or securely store the decryption key. If that key is lost or forgotten, the associated encrypted data becomes useless, even to its rightful owner.
Server-Side Encryption
This is when the encryption and decryption keys are generated on the server side, in the cloud.
Once the data is uploaded, the server encrypts it itself, and only the cloud platform knows, through its own algorithms and processes, which key belongs to which encrypted data. This type of encryption is performed automatically in the cloud and does not require the user to remember or store any keys.
Amazon S3, or Amazon Simple Storage Service, is a cloud service that offers this type of encryption. If you have sensitive data that needs to be encrypted, Amazon S3 can meet your needs.
Below are the steps you need to follow to encrypt data using the web console provided by Amazon S3:
- Log in to your Amazon AWS account, open the S3 service, create a bucket and give the bucket a name. We've discussed this in detail here, so read that article first if you want to know more.
- On the next page of the dialog, scroll down to the Default encryption option and select the Automatically encrypt objects check box.
There are two options available here:
- AES-256 is the default server-side encryption, where Amazon manages the entire key generation process. It uses the 256-bit Advanced Encryption Standard to encrypt data.
- AWS-KMS is Amazon's Key Management Service. It provides central management of all encryption keys used with Amazon services. AWS-KMS can generate keys automatically, or you can create your own. It uses FIPS 140-2 validated hardware security modules for key isolation and protection. This is truly robust protection, as FIPS 140-2 compliance is required by the US military and government.
- Confirm your encryption options: AES-256 or AWS-KMS on the next page of the dialog.
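The same default-encryption setting can be expressed as the configuration document that the S3 API (PutBucketEncryption / GetBucketEncryption) accepts and returns. The following is an added example written for this article, not code from Amazon or from the original post: the helper names, the bucket name and the KMS key ARN are assumptions chosen for illustration. The build and check functions work on plain dictionaries and run offline; only `apply_to_bucket` needs boto3 and AWS credentials, and it is not called unless you invoke it yourself.

```python
"""Build, inspect and (optionally) apply an S3 default-encryption configuration."""
import json

# The two SSEAlgorithm values S3 accepts for default encryption:
# "AES256" is SSE-S3 (Amazon-managed keys), "aws:kms" is SSE-KMS.
VALID_SSE_ALGORITHMS = {"AES256", "aws:kms"}


def build_encryption_config(algorithm, kms_key_id=None, bucket_key=False):
    """Return the ServerSideEncryptionConfiguration dict for PutBucketEncryption.

    algorithm   -- "AES256" or "aws:kms"
    kms_key_id  -- optional KMS key id/ARN; only meaningful with "aws:kms"
    bucket_key  -- enable S3 Bucket Keys to reduce KMS request volume (KMS only)
    """
    if algorithm not in VALID_SSE_ALGORITHMS:
        raise ValueError(f"unsupported SSEAlgorithm: {algorithm!r}")
    default = {"SSEAlgorithm": algorithm}
    if algorithm == "aws:kms":
        if kms_key_id:
            default["KMSMasterKeyID"] = kms_key_id
    elif kms_key_id:
        # A key id with AES256 is a misconfiguration: SSE-S3 keys are not user-selectable.
        raise ValueError("KMSMasterKeyID only applies to aws:kms")
    rule = {"ApplyServerSideEncryptionByDefault": default}
    if algorithm == "aws:kms" and bucket_key:
        rule["BucketKeyEnabled"] = True
    return {"Rules": [rule]}


def describe_default_encryption(config):
    """Return (algorithm, kms_key_id) from a GetBucketEncryption response body.

    Returns (None, None) when no default-encryption rule is present, which is
    the case an auditor wants to flag: objects uploaded without an explicit
    x-amz-server-side-encryption header would land in plaintext.
    """
    rules = config.get("Rules", []) if config else []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default and default.get("SSEAlgorithm") in VALID_SSE_ALGORITHMS:
            return default["SSEAlgorithm"], default.get("KMSMasterKeyID")
    return None, None


def apply_to_bucket(bucket_name, config, region=None):
    """Apply `config` to a real bucket and read it back (requires boto3 + credentials)."""
    import boto3  # external dependency, imported lazily so the rest runs without it

    s3 = boto3.client("s3", region_name=region)
    s3.put_bucket_encryption(
        Bucket=bucket_name, ServerSideEncryptionConfiguration=config
    )
    # GetBucketEncryption raises ServerSideEncryptionConfigurationNotFoundError
    # when a bucket has no default-encryption rule at all.
    return s3.get_bucket_encryption(Bucket=bucket_name)[
        "ServerSideEncryptionConfiguration"
    ]


if __name__ == "__main__":
    # Constructed placeholder key ARN; replace with your own key when applying for real.
    example_key = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    print(json.dumps(build_encryption_config("AES256"), indent=2))
    print(json.dumps(build_encryption_config("aws:kms", example_key, bucket_key=True), indent=2))
```

The JSON printed by the script is exactly what the console writes for you; saved to a file it can also be applied from the command line with `aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration file://config.json`. The `describe_default_encryption` helper is the check worth running across all buckets in an account: any bucket that returns `(None, None)` is one where the "Automatically encrypt objects" step has not been done.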
That's all. From now on, data uploaded to this bucket will be automatically encrypted using the chosen encryption service.