Safely storing sensitive information is one of the toughest problems in cloud computing. The solution is to encrypt data, but the critical questions are where to encrypt, and how.
The first requirement of successful encryption in the cloud, which some providers do not yet understand (or at least don't practice), is: Do not store the encryption key with the encrypted data. Doing so more or less negates any value gained from encrypting the data.
However, the solution is fairly simple, and there's no excuse for not implementing it.
In current shared environments, nobody is yet offering a virtual-machine solution that guarantees the integrity of the guest environment. This means that a malicious program could be monitoring the guest's encryption-decryption logic, capturing both plain-text data and the encryption key.
If the application receives plain-text data and encrypts it in the cloud, there's no easy fix for this right now, other than running on bare metal—installing applications directly on the hard drive, not in the OS.
Some businesses, though, don't encrypt in the cloud, but encode it before it reaches the cloud service. This works in cases such as a company using a customer resource management system only from its offices, or a business where all users either are at headquarters or VPN into headquarters before connecting to the cloud service.
Several companies make appliances (virtual or physical) that proxy data leaving an office on the way to a cloud service and encrypt or tokenize it before sending it to the cloud. This allows them to use a cloud service without worrying about data loss—as long as they only intend to access the cloud service from behind that appliance.
%20Logos%202022/sharetru-white-logo.svg){kind=logo}