Encryption as a Cloud-to-Cloud Network Security Strategy

In 2023, 76% of companies were actively using multiple clouds and were engaged in cloud-to-cloud and cloud-to-on-prem data transmissions. Additionally, 74% of companies said they were either implemented or moving to a hybrid IT architecture that included both cloud and on prem resources.

Over the same time period, 40% of companies said that the data they were moving to the cloud was sensitive in nature, and 39% acknowledged that they had experienced a cloud security breach that affected their data. Yet, only 45% said that the data they were sending to and from the cloud was encrypted.

At first glance, the discrepancy between moving more sensitive data to the cloud and ensuring the data's safe point-to-point transit would seem to be the “stuff” of security and governance analysts. But when bad things like security breaches happen, companies inevitably look to their network groups to address them.

The pushback on data encryption

Data encryption in any application—even on static resources like in-house servers or cloud storage—has been a hard sell.

First and foremost is cost. In the past few years, outside auditors,

IT managers, security, and networking groups have all pushed for more aggressive security software, hardware, and services. They've presented budget requests for edge and mobile security, the tightening of security and governance in the cloud, and more frequent network vulnerability checks, audits, and tools. All of these requests have swelled security's slice of the IT budget pie, so when it comes to even more security measures like data encryption, management's initial tendency is either to defer or ignore the request, figuring that the security measures the company has already invested in are adequate.

For network professionals, explaining to management what data encryption is and why it’s important isn’t easy, either.

First, there is no one data encryption method. You have to choose the one that is right for you.

There is symmetric data encryption, where the send and the receive mechanisms for the data are the same; and asymmetric encryption (also known as PKI, or public key infrastructure) that is commonly used by financial institutions and credit card companies, and that uniquely assigns a new key to each individual user or destination in order to unlock the data.

Then, there is an assortment of different encryption algorithms that range from older DES (data encryption standard) and 3DES (triple data encryption standard) to AES (advanced encryption standard) and several others (e.g., Blowfish, Twofish, Threefish, etc.).

Do you really need encryption on your external data transport?

Like upper management, there are network analysts and IT leaders who resist using data encryption. They view encryption as overkill—in technology and in the budget.

Second, they may not have much first-hand experience with data encryption. Encryption uses black-box arithmetic algorithms that few IT professionals understand or care about. Next, if you opt to use encryption, you have to make the right choice out of many different types of encryption options. In some cases, an industry regulation may dictate the choice of encryption, which simplifies the choice. This can actually be a benefit on the budget side because you don't have to fight for new budget dollars when the driver is regulatory compliance.

However, even if you don't have a regulatory requirement for the encryption of data in transit, security risks are growing if you run without it. Unencrypted data in transit can be intercepted by malicious actors for purposes of identity theft, intellectual property theft, data tampering, and ransomware. The more companies move into a hybrid computing environment that operates on-premises and in multiple clouds, the greater their risk since more data that is potentially unprotected is moving from point to point over this extended outside network.

Finding the “sweet spot” for encrypted data on your network

Given today’s security risks, encrypting data that is in transit on outside networks should no longer be optional.

The questions are: what types of data encryption are best for your enterprise, and how far do you need to go?

If you’re in a highly regulated industry like finance, the choice has already been made for you. You need to use PKI encryption. Outside of the highly regulated industries, a certain amount of encryption decision making has also been made. Older DES and 3DES encryption techniques are being de-implemented, because it now has become too easy for hackers to break through them. They have been supplanted by AES encryption, which allows you to both define encryption keys and designate their length.

If you choose AES, the next step is to determine whether you need encryption on all or just some of your network paths. Are there non-critical data paths that can continue to run without encryption, or not? And if your budget limits how much you can invest, what are the "must have" data paths between clouds and on-prem data that require encryption?

Avoiding the pitfalls

If you add data encryption, a major concern for network analysts will be what the impact will be on network performance.

Adding an extra step like encrypting and de-encrypting data will add latency and load to the network. If you go to a budget meeting asking for data encryption, the request is likely to be accompanied with requests to add more network “beef” as well.

There is also the element of change management. Today’s non-mission-critical data paths might become critical data paths in the future. At that point, you will need to add data encryption.

A final word on cloud-to-cloud data encryption

For companies outside of highly regulated industries, data encryption has largely been an afterthought at both the executive and the network management levels. However, it is not likely to remain that way as more companies move to a multi-cloud IT architecture replete with many outside data pipes and networks.

As a protection for this outside data transit from malicious intruders and interceptors, data encryption will become a higher corporate priority, and companies will expect their network groups to provide the vision and the implementation. This is why there has never been a better time than now to start developing strategic and tactical plans for securing your outside data as it moves from point to point.