2. Agenda
Encryption in the cloud
Controlling access to customer's data
Logging, Auditing and Incident Response
Compliance with Law and Regulation
3. Encryption – Common Terms
Symmetric encryption – The same key is used for both encryption and decryption
Asymmetric encryption – A public key is used for encryption, while the matching private key is used for decryption
Key Encryption Key (KEK) – The master key used to encrypt and decrypt data keys
Data Encryption Key (DEK) – The key used to encrypt and decrypt the customer’s data
Vault – A secure location for storing encryption keys
HSM – A hardware-based vault for storing encryption keys
4. Encryption – Types of data encryption
Client Side Encryption – Encrypting the customer’s data before storing it in public cloud services
Server Side Encryption – Encrypting data at rest in the public cloud services (such as storage, database, etc.), while the cloud vendor controls the encryption keys
Customer Managed Key / Bring Your Own Key – Encrypting data at rest in the public cloud services (such as storage, database, etc.), while the customer controls the encryption keys
5. Encryption – Key Hierarchy
Customer’s data is stored in an object file store or in a database
A data encryption key (DEK) encrypts that customer’s data
The DEK is stored near the data itself
A key encryption key (KEK), or master key, encrypts the data encryption key (DEK)
The KEK is stored in a secured vault / HSM
9. Controlling access to customer's data
According to the “Shared Responsibility Model”, cloud providers maintain the lower layers of the infrastructure (hardware, network, storage, virtualization, etc.)
In the rare cases where a cloud vendor support engineer needs access to customer content to resolve a customer issue, there are access control mechanisms that grant the support engineer temporary access rights to customer data
Examples:
Customer Lockbox for Office 365:
https://www.microsoft.com/en-us/microsoft-365/blog/2015/04/21/announcing-customer-lockbox-for-office-365/
Customer Lockbox for Azure VM:
https://azure.microsoft.com/en-us/blog/approve-audit-support-access-requests-to-vms-using-customer-lockbox-for-azure/
Oracle Break Glass for Fusion Cloud Service:
https://cloud.oracle.com/opc/saas/fsdep/datasheets/oracle-break-glass-for-fusion-cloud-ds.pdf