Most cloud vendors offer object storage as part of their platform. For example, Amazon has its S3 service and Microsoft Azure offers Blob Storage. These are highly scalable services with some built-in security mechanisms to protect stored data.
There are two important security capabilities:
While these capabilities are better than nothing, they are not the optimal solution. The proof is in the latest published cloud security breaches.
Capital One, for example, had permissions in place – even though some will argue that those permissions were too broad – and the storage was encrypted. Yet the attacker was still able to exploit a software vulnerability and take all the data in unencrypted form.
The same goes for misconfiguring storage as public-facing: if it is encrypted, why can anyone access it in clear form? And does making storage public-facing eliminate the encryption option?
Critically, how can we prevent the next data breach?
There are a few issues with data-at-rest encryption in the cloud vendors’ offerings:
In other words: if we encrypt the data, but allow access without having the capability to strongly identify the entity that accesses the data – are we really protecting the data?
If we are tying permissions and encryption together, we first need strong identification of the software that is running.
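To make the argument concrete, here is an added example (not ARMO's code and not from the original post) that simulates an object store with server-side encryption: the access check is the only gate, so a public ACL or an over-privileged reader gets plaintext back, whereas data encrypted by the workload with a key the store never holds stays ciphertext to such a reader. The `Bucket` class and the SHA-256 counter-mode cipher are constructed stand-ins for a real bucket and AES-GCM.

```python
import hashlib
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only; use AES-GCM in practice."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class Bucket:
    """Simulated object store with server-side encryption (SSE) and a simple ACL."""
    def __init__(self, public: bool = False):
        self._sse_key = os.urandom(32)    # provider-managed key; never leaves the service
        self._objects = {}
        self._acl = {"app-workload"}       # principals allowed to read
        self.public = public

    def put(self, name: str, data: bytes) -> None:
        nonce = os.urandom(12)
        self._objects[name] = nonce + _keystream_xor(self._sse_key, nonce, data)

    def get(self, principal: str, name: str) -> bytes:
        # The permission check is the only gate; SSE decrypts transparently for any allowed reader.
        if not (self.public or principal in self._acl):
            raise PermissionError(principal)
        blob = self._objects[name]
        return _keystream_xor(self._sse_key, blob[:12], blob[12:])

PLAINTEXT = b"ssn,name\n123-45-6789,Alice\n"   # constructed sample record

def sse_only_leak() -> bytes:
    """Scenario 1: SSE alone. A bucket misconfigured as public hands plaintext to anyone."""
    bucket = Bucket(public=True)
    bucket.put("customers.csv", PLAINTEXT)
    return bucket.get("anonymous", "customers.csv")   # plaintext despite "encryption at rest"

def workload_bound():
    """Scenario 2: the workload encrypts with its own key before upload; the store never sees it."""
    workload_key = os.urandom(32)                     # held only by the verified workload
    bucket = Bucket(public=True)                      # same misconfiguration as above
    nonce = os.urandom(12)
    bucket.put("customers.csv", nonce + _keystream_xor(workload_key, nonce, PLAINTEXT))
    leaked = bucket.get("anonymous", "customers.csv") # still ciphertext to the anonymous reader
    recovered = _keystream_xor(workload_key, leaked[:12], leaked[12:])
    return leaked, recovered
```

Binding the key to a verified workload identity, rather than to the storage service, is what turns a public-ACL mistake from a full data leak into a leak of ciphertext.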
ARMO is the only solution that really protects your data, by providing a strong identity to your workload. Based on this identity, you set the access permissions to the data, making sure that the workload you grant permissions to can read and/or write data. ARMO ensures that this workload is not compromised, by constantly verifying its identity. In case it is compromised, ARMO will not allow it to access the data.
In addition, ARMO manages the encryption keys, making sure that no one, other than the authorized workload, can access them – even when they are loaded to the workload’s memory.
Using ARMO, even in case of misconfiguration, when you accidentally allow public access to your object storage, the data will still be encrypted. Only the allowed workloads are able to access the data, securely – this is the only solution that provides true data protection! And the real benefit is that you do not need to change your original code or the cloud configuration; ARMO seamlessly adds strong data protection with zero friction. This applies to any workload, including Windows, Linux, Go, .NET and so on, wherever it runs, including cloud and on-premises.