top of page
  • Writer's pictureDaniel Ruggles

Cloud Encryption - Definition and Best Practices

Updated: Dec 27, 2022

Encryption mechanisms should be selected based on the information and data they protect (i.e., data classification). Extra emphasis should be given to proper authentication and authorization to that data. The critical success factor for encryption is to enable secure and legitimate access to resources while protecting and enforcing controls against unauthorized access.

Cloud providers offer various cloud encryption services to encrypt data before it is transferred to the cloud. Typical cloud encryption applications range from encrypted connections to

  • limited encryption only of data that is known to be sensitive (such as account credentials) to

  • end-to-end encryption of any data that is uploaded to the cloud.

In these models, cloud storage providers encrypt data upon receipt, passing encryption keys to the customers so that data can be safely decrypted when needed.

Applying encryption and practicing secure encryption key management, companies can ensure that only authorized users have access to sensitive data. Even if lost, stolen, or accessed without authorization, encrypted data is unreadable and essentially meaningless without its key.

The key concepts to understand and implement is encrypted data in transit, data at rest and where does key management reside.

One other benefit of encrypting in the cloud is the concept of crypto shredding. Crypto shredding is the process of deliberately destroying the encryption keys that were used to encrypt the data originally. Since the data is encrypted with the keys, the result is that the data is rendered unreadable (at least until the encryption protocol used can be broken or is capable of being brute forced by an attacker).


Encryption drives costs for the provider and their customers, due to the additional bandwidth required to encrypt data before it is transferred to the cloud. Encrypting data on-premises before it is moved to the cloud will reduce some costs. This also keeps the entire encryption process and all keys within your environment, transferring data to the cloud only after it has been encrypted. The downside is that if an application in the cloud needs to use that data in the cloud, it will incur the overhead of decryption and a secure channel for key handling needs to be thought out. There are ways to overcome these challenges, but in some cases, companies may have to accept that there will be additional overhead and latency in their applications.


Encrypting data ensures that even if that data falls into the wrong hands, it is useless if its keys remain secure. This is especially beneficial when data is being stored in the cloud, as it protects data contents if a provider, account, or system is compromised.

Encryption, when combined with other security measures, enables enterprises to meet the stringent compliance requirements of HIPAA (for healthcare organizations and business associates), PCI DSS (for e-commerce and retail organizations), and SOX (for financial reporting).

BEST PRACTICES Steps to follow for success:

1. Map out your data security needs - Identify what data should be encrypted and select a cloud provider offering enough encryption for those needs. This is also a complementary step required for Risk Management to help you determine the level of risk you are willing to take and how much you might want to spend to reduce that risk.

Data classification is part of the Information Lifecycle Management (ILM) process and can be defined as a tool for categorization of data to enable/help the organization to effectively answer the following questions:

  • What data types are available?

  • Where is certain data located?

  • What access levels are implemented?

  • What protection level is implemented, and does it adhere to compliance regulations?

A data classification process is recommended for implementing data controls such as DLP.  Data classification is also a requirement of certain regulations and standards such as ISO 27001 and PCI-DSS.

Some of the commonly used classification categories are:

  • Data type (format, structure)

  • Jurisdiction (of origin, domiciled) and other legal constraints

  • Context

  • Ownership

  • Contractual or business constraints

  • Trust levels and source of origin

  • Value, sensitivity, and criticality (to the organization or to third-party)

  • Obligation for retention and preservation

2. Secure encryption key management - Encryption keys should be stored separately from the encrypted data. Key backups also should be kept offsite and audited regularly.

  • Periodically refreshing keys, especially if keys are set to expire automatically.

  • Implement multi-factor authentication for both the master and recovery keys. While there are challenges associated with cloud encryption, business regulations and data security requirements make it a necessity. Privacy and data security experts agree that encryption is a critical tool for information security, and cloud providers offer different applications of encryption to fit a range of data security needs and budgets.


bottom of page