Client-side encryption is an engineering pattern that provides granular control over content encryption. In this pattern the client handles the secrets, all encryption and decryption, and all of the key or secrets management functions, so the server (or storage) cannot decrypt or read the payload data. The pattern is also known as Payload Encryption.
Advantages of Client-side encryption
- Payload or content encryption at the client side ensures that data or files stored in the cloud can only be decrypted on the client side (or service endpoint).
- It protects data at rest and data in motion at the same time.
- If the organisation is storing data on the public cloud, it ensures that the data has a second level of protection in the case of any server breach.
- It would guarantee data integrity on storage (SHA-1, SHA-256, MD5 or HMAC), and secure the data from any possible threat of tampering or spoofing.
- Client-side encryption creates a zero-knowledge application in which cloud service providers (Azure or AWS) cannot access or view the data, and an ISP/CSP or intermediary cannot (easily) profile your data.
- Payload encryption provides a high level of privacy.
- Compliance (e.g. PCI DSS, PII, GDPR).
Client-side encryption is a very useful engineering pattern for achieving secure and compliant solutions. Securing your data on the public cloud is challenging, but not impossible. The pattern gives you confidence when using shared PaaS services (e.g. Azure Service Bus, Azure DocumentDB, Azure Storage Service, Amazon S3, Amazon DynamoDB), so an organisation can benefit from PaaS while reducing the overall risk through design.
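The integrity point in the advantages list, as an added example that is not part of the original post: the client tags each stored object with HMAC-SHA256 under a key that never leaves it, so a change made on the storage side is rejected on download, whereas an unkeyed digest kept beside the object can be recomputed by whoever holds the storage. The dict-based store, the function names and the sample bytes are constructed for illustration, and the payload is assumed to be already encrypted.

```python
import hashlib
import hmac
import secrets


def mac_input(name: str, ciphertext: bytes) -> bytes:
    # Length-prefix the object name so (name, data) pairs cannot be confused.
    encoded = name.encode("utf-8")
    return len(encoded).to_bytes(4, "big") + encoded + ciphertext


def seal(store: dict, mac_key: bytes, name: str, ciphertext: bytes) -> None:
    """Client side: tag the encrypted payload, then upload payload and tag."""
    tag = hmac.new(mac_key, mac_input(name, ciphertext), hashlib.sha256).digest()
    store[name] = (ciphertext, tag)


def open_verified(store: dict, mac_key: bytes, name: str) -> bytes:
    """Client side: download and refuse anything whose tag does not verify."""
    ciphertext, tag = store[name]
    expected = hmac.new(mac_key, mac_input(name, ciphertext), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError(f"integrity check failed for {name!r}")
    return ciphertext


def unkeyed_digest_matches(blob: bytes, digest: bytes) -> bool:
    # A plain hash needs no secret, so the storage side can recompute it.
    return hmac.compare_digest(hashlib.sha256(blob).digest(), digest)


if __name__ == "__main__":
    store = {}  # constructed stand-in for an untrusted cloud bucket
    key = secrets.token_bytes(32)  # stays on the client (or in a KMS/HSM)
    seal(store, key, "report.bin", b"constructed ciphertext bytes")
    print(open_verified(store, key, "report.bin"))

    # Storage-side modification: the old tag no longer verifies.
    blob, tag = store["report.bin"]
    store["report.bin"] = (blob[:-1] + b"X", tag)
    try:
        open_verified(store, key, "report.bin")
    except ValueError as err:
        print("rejected:", err)

    # With an unkeyed digest, a modified blob and a recomputed digest still match.
    changed = b"modified bytes"
    print(unkeyed_digest_matches(changed, hashlib.sha256(changed).digest()))
```

Binding the object name into the tag also means a valid object copied under a different name fails verification.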
Disadvantages of client-side encryption
- Additional computing resource (for encrypting and decrypting).
- Key management (though you can use services like Azure KeyVault, AWS KMS or Amazon CloudHSM).
- Engineering and development efforts.
- Reduced sharing capabilities (e.g. file sharing).
Why would I say it is essential for organisations to take encryption and security seriously on a public cloud? The answer lies with The Sony Leak, The Dropbox Breach and the JPMorgan Chase Attack. These are some important compromises reported in 2014 alone; I came across an interesting article while researching the subject.
The risks associated with public cloud storage or shared cloud services are not going away; they are increasing at an exponential rate. Client-side encryption, or Payload Encryption, meets the security need we have discussed by creating a zero-knowledge environment for cloud services.
We will review the implementation from an engineering perspective in coming posts.