How Does Cloud Encryption Work?
Cloud encryption protects sensitive information as it traverses the internet or rests in the cloud. Encryption algorithms can transform data of any type into an encoded format that requires a decryption key to decipher. This way, even if an attacker intercepts or exfiltrates the data, it’s useless to them unless they can decrypt it.
Cloud encryption protects data in two basic states:
- Data in transit between destinations, often outside a secure network, making it more vulnerable.
- Data at rest in cloud storage, a data center server, or similar, and not being used or moved.
Today, standard HTTPS web traffic encryption uses the Transport Layer Security (TLS, the successor to SSL) protocol to secure the connection between client and server. When trusted users or entities (established through multifactor authentication) request access to encrypted data, they receive it in its encrypted state and must use a decryption key to render it usable.
Two Basic Types of Data Encryption
All cloud encryption services and protocols fall into two main categories: symmetric and asymmetric encryption.
Symmetric Encryption
In symmetric encryption, a single key is used to encrypt plaintext and decrypt ciphertext. As a simple example, if you encoded the word “cat” by moving each letter four characters ahead in the alphabet—to “gex”—you could do the opposite to decode it back to “cat” again.
Symmetric algorithms like the Advanced Encryption Standard (AES), and protocols such as TLS that use them to protect bulk data (TLS also relies on asymmetric cryptography for key exchange; more on that below), are used today because they’re:
- Complex enough to be secure—cracking AES with brute force could take billions of years
- Simple enough to be fast—well suited to dealing with large data sets and volumes of traffic
However, this single-key approach is more easily compromised, because the same key must reach everyone who needs to decrypt. For instance, if an encryption key had to be sent over the internet unprotected, an attacker who intercepted it could decrypt all of the data it protects.
Asymmetric Encryption
In asymmetric encryption, encoding and decoding are done with linked public and private key pairs. This is like a coded padlock: you can lock it (using a public key) without knowing the code, but only the person who knows the code (the private key) can open it again.
Asymmetric algorithms like elliptic-curve cryptography (ECC) and the Digital Signature Algorithm (DSA), and protocols such as TLS that use them for key exchange and authentication, are used today because they’re:
- Less vulnerable to compromise—exposed public keys can’t expose private keys, and private keys never need to be transmitted
- Another form of authentication—a sender can sign a file with a private key to prove its origin to the recipient
Compared to symmetric encryption, the biggest downside to asymmetric encryption is that, broadly speaking, it tends to be slower. This is why protocols such as TLS use asymmetric cryptography only to agree on a key and then switch to symmetric encryption for the bulk of the data.
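To show both categories side by side as working code, here is an added example (not from the original page) written in Go with only its standard library: AES-256-GCM for the single-key symmetric case, an ECDH key agreement on P-256 in which only public keys ever cross the wire, and an ECDSA signature for the proof-of-origin point above. The party names Alice and Bob, the sample record, and the use of SHA-256 in place of a full key-derivation function are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ---- Symmetric: one key both encrypts and decrypts ----
// newAESKey returns a random 256-bit key for AES-256.
func newAESKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptAESGCM seals plaintext with AES-GCM and returns nonce||ciphertext||tag.
// GCM also authenticates the data, so any modification is detected on decrypt.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAESGCM reverses encryptAESGCM; it fails on a wrong key or altered bytes.
func decryptAESGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ---- Asymmetric: public keys travel, private keys stay home ----
// sharedAESKey derives a symmetric key from our private key and the peer's public
// key (ECDH on P-256). Both sides get the same key although only public keys were
// exchanged. SHA-256 stands in for a proper KDF here (assumption for the example).
func sharedAESKey(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) ([]byte, error) {
	secret, err := priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(secret)
	return sum[:], nil
}

// sign produces an ECDSA signature over msg; only the private-key holder can.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// verify checks a signature with the public key, proving origin and integrity.
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	// Two parties (constructed for the example) agree on a key without sending it.
	alice, _ := ecdh.P256().GenerateKey(rand.Reader)
	bob, _ := ecdh.P256().GenerateKey(rand.Reader)
	kA, _ := sharedAESKey(alice, bob.PublicKey())
	kB, _ := sharedAESKey(bob, alice.PublicKey())
	// Bulk data then uses the fast symmetric cipher, as TLS does.
	ct, _ := encryptAESGCM(kA, []byte("customer record 42")) // constructed sample
	pt, err := decryptAESGCM(kB, ct)
	fmt.Printf("decrypted with Bob's copy of the key: %q (err=%v)\n", pt, err)
	// A signature from Alice's signing key proves the file came from her.
	signer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := sign(signer, ct)
	fmt.Println("signature valid:", verify(&signer.PublicKey, ct, sig))
}
```

Run it with `go run` on a single file. The decrypt step succeeds with Bob's key even though Alice's key bytes were never transmitted, and flipping any byte of the ciphertext makes `gcm.Open` return an error rather than garbage, which is the property that lets a defender detect tampering rather than merely confidentiality loss.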