Encryption at rest in Elastic Cloud: A strategic imperative for enterprise security

Blog_image_for_BYOK_8.14_blog-720x420.png

Have you been wondering if you can bring your own key (BYOK) to encrypt your data and snapshots in Elastic Cloud? If yes, you’ll enjoy this blog post series.

As organizations increasingly rely on cloud software to streamline processes and enhance collaboration, data security becomes a non-negotiable requirement. Encryption at rest is a cornerstone of data security strategies, providing a robust layer of protection for data stored within cloud-based environments. In this series, we’ll explore the significance, benefits, and limitations of encryption at rest. We will also see how you can use customer-managed keys to encrypt data at rest in Elastic Cloud by integrating with the services of leading cloud service providers, such as AWS KMS, Azure Key Vault, and GCP Cloud KMS.

Encryption at rest: A shield for your data

At its core, encryption at rest ensures that sensitive data remains secure even when it resides within the storage infrastructure of a SaaS application. Unlike encryption in transit, which safeguards data during transmission, encryption at rest protects data when it’s stored — whether in databases, file systems, or cloud storage.

Security benefits

  1. Confidentiality: Encrypted data remains confidential even if unauthorized parties gain access to the storage infrastructure. Without the decryption key, the data remains unintelligible.

  2. Compliance: Many regulatory frameworks (such as PCI-DSS, HIPAA, and FERPA) mandate encryption of sensitive data at rest. Compliance with these regulations is crucial for software providers and their customers.

Addressing threats

  1. Physical theft: If a server or storage device is stolen, encrypted data remains protected. Attackers cannot read the data without first decrypting it using the encryption key.

  2. Data leakage: Encryption can prevent accidental data exposure due to misconfigured permissions or vulnerabilities.

  3. Cloud provider breaches: While cloud providers implement robust security measures, encryption at rest ensures an additional layer of defense against breaches.

The balancing act: Limitations of encryption at rest

Despite its benefits, encryption at rest is not a panacea. It comes with a performance overhead as encrypting and decrypting data consumes computational resources and can also increase latency of system response times. Striking a balance between security and performance is essential. There is also complexity in managing encryption keys. Enterprises must decide between cloud-managed keys (provided by the SaaS platform) and customer-managed keys based on security requirements such as IAM, storage and retention policies.

Customer-managed keys: Why enterprises should care

Elastic Cloud has supported encryption at rest with Elastic-managed keys for a while. We have been listening to our customers’ needs and believe they should prioritize using customer-managed keys to encrypt their data and snapshots in Elastic Cloud for several reasons:

  1. Control: With customer-managed keys, businesses retain control over their encryption keys. You can rotate keys, revoke access, and audit key usage — an essential capability for security-conscious enterprises.

  2. Compliance: Some industries require customers to manage their keys to comply with specific regulations. Customer-managed keys ensure alignment with industry standards.

  3. Trust: Customer-managed keys build trust. Enterprises know that their data remains confidential.

Bring your own key, encrypt your Elastic Cloud data

As of this writing, Elastic Cloud supports customer-managed keys from AWS KMS. We will also support Azure Key Vault and GCP Cloud Key Management in upcoming releases.

AWS Key Management Service (KMS)

  • AWS KMS provides a scalable and secure key management solution. SaaS providers can integrate KMS to manage encryption keys for their services.

  • KMS offers features like key rotation, audit trails, and fine-grained access controls.

  • SaaS applications can use KMS to encrypt data before storing it in Amazon S3, RDS, or other AWS services.

You can create Elastic Cloud deployments and encrypt their data by providing an AWS key ARN (Amazon Resource Name) in Elastic Cloud UI or the payload of your API request. Elastic Cloud also automatically handles any key rotation or revocation request from AWS KMS.

Learn more about how to integrate AWS KMS with Elastic Cloud in the product documentation or in the second blog of this series.

Azure Key Vault

  • Azure Key Vault serves as a centralized key management service in Microsoft Azure.

  • SaaS applications hosted on Azure can leverage Key Vault for managing encryption keys.

  • Key Vault integrates seamlessly with Azure services, including Azure Blob Storage and Azure SQL Database.

You can create Elastic Cloud deployments and encrypt their data by providing an Azure Key Vault key ID in Elastic Cloud UI or the payload of your API request. Elastic Cloud also automatically handles any key rotation or revocation request from Azure Key Vault.

Learn more about how to integrate Azure Key Vault with Elastic Cloud in the product documentation or in the third blog of this series.

GCP Cloud Key Management

  • GCP KMS provides a robust and scalable key management solution within the Google Cloud Platform. 

  • It offers features such as key versioning, access control lists, and encryption key rotation.

  • GCP KMS can be easily integrated with other Google Cloud services, such as Google Cloud Storage and Google Cloud SQL.

You can create Elastic Cloud deployments and encrypt their data by providing a Google Cloud Key resource name in Elastic Cloud UI or the payload of your API request. Elastic Cloud also automatically handles any key rotation or revocation request from Azure Key Vault.

Learn more about how to integrate Google Cloud KMS with Elastic Cloud in the product documentation or in the fourth blog of this series.

A piece of the security puzzle

While encryption at rest isn’t a complete security solution, it significantly reduces risks associated with data storage. Enterprises must embrace customer-managed keys and explore cloud provider services like AWS KMS, Azure Key Vault, and GCP Cloud Key Management. Remember, encryption at rest is just one piece of the puzzle — comprehensive security requires a layered approach.

In the second blog of this series, we will focus on how to set up AWS KMS with Elastic Cloud.

Learn more about securing your cloud deployment with Elastic Cloud.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.