Question

Given that cryptography has been demonstrated to be a strong defense and essential part of the information security management strategy, explain why this is so and give examples of how cryptography can be used to specifically protect information moving inside the public cloud. Consider specifically the need for security between an organization and a cloud based SaaS provided say for “off campus” e-mail services.

Answer 1

First, let's understand what is Cryptography in information security management - Cryptography is used to encrypt data in such a way that its meaning is not revealed while exchange. Information in today's age is the most important aspect of any organization and to protect these information sets, layers of encryption are executed. Cryptography hence plays an essential role in confidentiality, integrity and data retention.

For example - A message in the organization on Saturday is floated on an off-campus email service

Message - Meeting at five (this is plain text message)

OGGVKPI CV HKXG (Ciphertext message where one letter is substituted by one skipped letter)

This is what earlier cryptography used to do to ensure the security of the message. But this was more of pattern-driven.

Now, cloud-based software-as-a-service (SaaS) means that a cloud provider is providing all the facilities and the organization is only accessing the cloud and adding data into it. Since cloud provider provides infrastructure it becomes their responsibility for the security of the network and physical security of the cloud system.

Therefore, to ensure message encryption to hide its meaning various other ciphers were introduced to protect data moving inside the cloud. For instance, Polyalphabetic Substitution Ciphers which includes the cipher key and plain text as mentioned in the table below:

Key

S

E

C

U

R

E

S

E

C

U

R

E

Plain Text

g

o

t

o

t

h

e

o

f

f

i

c

In this way, each letter in the cipher key corresponds to the plain text message, here the key is SECURE and each of the row element represents the cipher message to encrypt the message. This can be used to encrypt data which is difficult to decode as the reference data set is large and the real value or message is kept in the index table.

Then there is Transposition Cipher: In this Type of Ciphering, each letter is used in separate lines to encrypt the meaning of the message. For example:

To write an e-mail message like 'Do you have the training module'?

d

y

u

a

e

h

t

a

n

n

m

d

l

o

o

h

v

t

e

r

i

i

g

o

u

e

Here the message is written in the separate rows and columns to protect the meaning.

Codebooks is another such technique used in data entering the cloud, where symbols are used to denote the meaning of a message. For example:

You	are	late	for	the	meeting
$	#	%	!	*	^

Cloud providers can also help organizations with regulations and certifications like SOC 2 and COBIT and layout certain guidelines for the organization to comply with.

And we also have a digital signature which does not fall in the encryption but is a good way to communicate and send emails on cloud-based platforms to protect the message by adding a digital signature or password.