Community Blog Securing Ends with Data Encryption for the Cloud

Securing Ends with Data Encryption for the Cloud

This article explains Alibaba Cloud Data Encryption Service and its usage scenarios.

By Shantanu Kaushik

Cyberattacks cripple various enterprises and businesses regularly. Some trades and industries face malicious attempts more than others, but the extent of the damage for any industry can be substantial. Security is a concern for organizations since operational integrity is what keeps a business afloat. Cloud-native has helped organizations implement zero-trust security measures with hybrid cloud and multi-cloud architectures. The need for securing data while at rest and in transit requires an added protection layer.


Data Encryption is essential to protect sensitive and private data. You can use multiple algorithms to encrypt data for protection, such as DES, AES, and RSA. Cloud systems can implement automatic data encryption and decryption based on data transmission demands and data sensitivity.

After shifting to the cloud, organizations used cloud storage to store large files and databases. Storage solutions, such as Alibaba Cloud Object Storage Service (OSS), provide unlimited storage and identity-based authentication using Alibaba Cloud RAM. The deep integration offered by Alibaba Cloud provides seamless user access.

Information and data security are a primary concern for organizations. Gartner predicted, “The global information security market is forecast to grow at a five-year CAGR of 8.5% to reach $170.4 billion in 2022. Technology product managers will see new spending driven by regulations and increased awareness as organizations’ needs evolve to address more complex threats.”

In this article, we will explain Alibaba Cloud Data Encryption Service and its usage scenarios.

Data Encryption Service

Alibaba Cloud Data Encryption Service provides hardware security modules (HSM) over cloud-hosted hardware. Hardware security modules are hardware devices that process encrypted data (cryptographic operations) using encryption keys. Some of the primary benefits of Alibaba Cloud Data Encryption Service are listed below:

  • Supports secure random data generation
  • Supports role-based access systems for control using the Identity and Access Management system
  • Supports monitoring to maintain a healthy system
  • Supports requirement-based HSM instance scaling within your cloud deployment infrastructure. You can use the management console to adjust the configuration and specifications of your encryption and decryption keys to maintain requirements.
  • Extends support for multiple key types and secure keys storage
  • Offers a complete solution for managing encryption keys, including creation, destruction, import, and export. The complete control of the key management is assigned to the user for key creation within the HSM. The data encryption service manages the HSM hardware to maintain the performance and availability of your HSM in the cloud infrastructure.
  • Supports symmetric and asymmetric key types to facilitate data encryption and decryption
  • Supports asymmetric key verification and signing
  • Supports HMACs – Hash-based message authentication codes
  • Alibaba Cloud DES protects your private keys from the certification authority (CA) to provide the digital certificates to verify your identity. Alibaba Cloud Data Encryption Service and HSM can work with cryptographic signing operations.

Alibaba Cloud Data Encryption Service uses encryption keys to protect your data with hardware-based devices that allow you to access HSM instances within Alibaba Cloud Virtual Private Cloud (VPC). These instances are tamper-resistant and enable a single-tenant access system to protect your encryption keys. The Data Encryption Service also allows custom application mapping using industry-standard APIs, including JCE.

Usage Scenarios

Sensitive Data Protection

The Data Encryption Service is a hosted service that works with any other Alibaba Cloud solution. Some of the Data Encryption Service usage scenarios are listed below:

  • Alibaba Cloud Data Encryption Service supports Transparent Data Encryption (TDE) to protect sensitive data stored using tablespaces or databases as encrypted files. TDE stores the encryption keys using external security modules. It encrypts the sensitive data within the data files, enabling unauthorized access or unauthorized decryption.
  • Alibaba Cloud created the sensitive data discovery and protection product suite with the same idea of securing sensitive data. We will discuss it in more detail in the next article. Alibaba Cloud Data Encryption Service provides exception protection by encrypting your sensitive data related to high-yielding services from multiple domains, including financial services, e-commerce, public domain services, and more. Let’s take a look at an architectural model depicting the sensitive data encryption scenario on the chart below:


In this scenario, you can encrypt sensitive data and business secrets with the HSM integration in your application architecture.

Financial Services

Financial services are prone to cyberattacks. Financial motives are the primary reason for cyberattacks.

Risk Based stated, “Data breaches exposed 36 billion records in the first half of 2020.”

Let’s take a look at the Data Encryption Service architectural flow for financial systems on the chart below:


In this scenario, all of the online payments, card-based payments, app-based payments, and POS payments use a frontend system comprised of a settlement system that takes care of financial books, a payment system that processes the incoming payment, and a financial system to forward incoming and outgoing payments to the settlement system. All of these systems are covered using a proxy for added security measures. HSM issues the encryption keys at the backend to help with data security while in transit.

The strictest security and compliance requirements within the financial structure will ensure payment integrity and confidentiality during data in transit and at rest.

SSL Offloading

Websites working with the secured HTTP/HTTPS protocol use a public-private key pair. Each session uses a public key certificate to establish a secure HTTPS session for each client. Alibaba Cloud Data Encryption Service allows your SSL offloading directly with HSM by generating private keys. Processing from a web service allows SSL offloading without consuming any web server resources, maintaining the availability and efficiency of the web server.


Wrapping Up

The Data Encryption Service is available to all Alibaba Cloud users. You can use HSM to perform multiple operations, such as SSL offloading, TLS web server processing, transparent data encryption, and sensitive and financial data encryption. Cloud data must be secured when in transit and at rest to ensure data integrity. Alibaba Cloud Data Encryption Service lets you secure the most important aspect of your organization – data.

Upcoming Articles

  1. Developing an Enterprise Cloud Strategy - Part 1
  2. Developing an Enterprise Cloud Strategy - Part 2
0 0 0
Share on

Alibaba Clouder

2,606 posts | 737 followers

You may also like


Alibaba Clouder

2,606 posts | 737 followers

Related Products

  • Alibaba Cloud PrivateZone

    Alibaba Cloud DNS PrivateZone is a Virtual Private Cloud-based (VPC) domain name system (DNS) service for Alibaba Cloud users.

    Learn More
  • VPC

    A virtual private cloud service that provides an isolated cloud network to operate resources in a secure environment.

    Learn More
  • Data Security on the Cloud Solution

    This solution helps you easily build a robust data security framework to safeguard your data assets throughout the data security lifecycle with ensured confidentiality, integrity, and availability of your data.

    Learn More
  • Apsara Stack

    Apsara Stack is a full-stack cloud solution created by Alibaba Cloud for medium- and large-size enterprise-class customers.

    Learn More