Accessing cloud-based resources, whether they be IaaS/PaaS/SaaS-based, is very convenient. With a browser and Internet connection, you are up and running. No driving to your work office, no need to log into the corporate network. Just open up your web browser and go. This convenience, however, comes with a security risk. All of your business work is conducted over an insecure communication network. Unlike your office network, where the network link between you and the data center is under corporate control and is physically secure, the cloud access link is over the Internet.
The wild, uncontrolled, used-by-everyone-in-the-world Internet. There are no guarantees about who else has (or does not have) access to your network communication link. In fact, from a security perspective, we assume that the cloud link (i.e., the Internet) is unsecured and hostile. Any sensitive or private information WILL be accessed by someone else. This is why we have a need to protect “data in flight.” The data may be safe once it gets to the cloud provider, but during the transmission we need to protect it and ensure it remains private. To ensure secure communication across the Internet, a key fundamental cloud security principle is to encrypt the data transmission whenever you engage with a cloud resource. In this blog we introduce the security concept of protecting “data in flight” and explain how it operates.
The good news is that this data in flight protection is easier than it sounds. Since just about all traffic is done via the web browser (HTTP protocol), all you have to do is ensure that the HTTPS protocol is used by default in your browser. This means that instead of using http://myurl…, make sure it uses https://myurl… .
Secure HTTP (HTTPS) is a security protocol. It carries ordinary HTTP traffic (i.e., your browser traffic) over an encrypted transport layer security mechanism called SSL, or its newer version TLS, so the data is encrypted while it crosses the network. When HTTPS is used you can be certain that your confidential data (like your credit card information) is safe from eavesdropping. If someone does intercept all of your encrypted data, they won’t be able to decrypt it.
TLS (transport layer security) data encryption is based on two related but different encryption technologies called symmetric key encryption and asymmetric key encryption. Symmetric key encryption means that two users who wish to communicate must share the same encryption key to encrypt and decrypt a message. For example, if I encrypt a message with an encryption key-A, then the receiver of my encrypted message must have the same encryption key-A to decrypt the message.
Asymmetric key encryption is different. It uses two keys, a public key and a private key. The public key is distributed to anyone who wants to communicate with me. They encrypt their message with my public key and send it to me. When I receive it I use my private key to decrypt the message.
The advantage of asymmetric encryption is that initiating communication with a stranger is easy. Just use the person’s public key, which is usually obtained via a certificate authority. Initiating secure communication with symmetric encryption requires that the initiator somehow know the symmetric key ahead of time, or acquire it in a secure manner. That becomes impractical if the person is halfway around the world. However, symmetric key encryption does have one advantage over asymmetric encryption. Symmetric encryption is computationally faster than asymmetric encryption; in fact asymmetric encryption processing is about 1,000 times slower (http://windowsitpro.com/security/symmetric-vs-asymmetric-ciphers). This is important because symmetric processing can speed up the transmission and processing of secured data.
The astute observer will note that the advantages and disadvantages of each encryption method are complementary. Therefore, TLS uses both techniques to securely transmit HTTP traffic. It uses asymmetric key encryption to initiate a secure communication link between the two parties. Once that secure link is established, TLS securely exchanges a symmetric key. Going forward, TLS uses the symmetric encryption technique for all data transmission. This maximizes performance while still ensuring safe and convenient access to cloud resources.