METHOD FOR COMBINED DATA ENCRYPTION IN CLOUD ENVIRONMENTS

Authors

Trofimov, O.

DOI:

https://doi.org/10.28925/2663-4023.2025.30.901

Keywords:

cryptographic data protection, corporate cloud environments, Zero Trust, cryptographic key management, homomorphic encryption

Abstract

The article is devoted to the development of a cryptographic data protection method for corporate cloud environments based on the Zero Trust concept, taking into account requirements for performance, scalability, and predictable latency. The introduction substantiates the relevance of the topic in the context of the migration of corporate systems to cloud services, the growth of cyber threats, and the need to combine cryptographic strength with practical operational constraints. The review of recent studies examines the regulatory and scientific foundation of the research, covering international and national information security standards, Zero Trust approaches, access control models, and encryption methods. On this basis, the paper states the problem to be solved: the absence of an integrated method that simultaneously accounts for the threat model, the separation of trust levels, key management, and the time constraints typical of high-load systems.

The research part shows that homomorphic encryption, despite its advantages for processing encrypted data, cannot serve as the basic storage protection mechanism because of its substantial computational overhead; its use is justified only as a separate service layer for specialized scenarios. The main attention is given to the architectural principles of the method: distrust of the provider infrastructure, client-side execution of critical cryptographic operations, and a formalized cryptographic context.

The paper defines protection profiles for object, file, and network block storage. For object and file access, authenticated symmetric encryption with additional authenticated data (AEAD) is proposed. For network block storage, the method specifies sector-level authenticated encryption and permits XTS-AES only in combination with separate cryptographic authentication, since XTS on its own provides confidentiality but no integrity protection. A structured approach to deterministic key derivation, key rotation, and key isolation within a trusted key management domain is also formulated. The conclusions summarize that the proposed method can be used in the design or modernization of corporate information protection systems.
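The following Go program is an added illustration of the object/file profile and the key-management approach sketched in the abstract; it is not code from the article. It assumes AES-256-GCM as the AEAD (the article may use a different cipher), a single block of the NIST SP 800-108 counter-mode KDF with HMAC-SHA256 for deterministic key derivation, a context made of tenant, bucket, object path and key version (the article's formalization is not reproduced), a hypothetical KDF label string, and a blob layout of nonce || ciphertext || tag. The sample object and its contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Context is the cryptographic context bound to every ciphertext (field set assumed here).
type Context struct {
	Tenant, Bucket, ObjectID string
	KeyVersion               uint32 // which master key; kept in object metadata, not in the blob
}

// deriveKey: one NIST SP 800-108 counter-mode block, HMAC-SHA256(master, [1]_32 || label || 0x00 || ctx || [256]_32).
func deriveKey(master []byte, label string, context []byte) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte{0, 0, 0, 1}) // counter i = 1; a 256-bit key fits in one output block
	mac.Write(append([]byte(label), 0))
	mac.Write(context)
	mac.Write([]byte{0, 0, 1, 0}) // L = 256 bits
	return mac.Sum(nil)
}

// KeyDomain stands in for the trusted key management domain: master keys never leave it.
type KeyDomain struct{ masters [][]byte } // masters[v-1] is the 32-byte master key of version v

// Rotate adds a master key version and returns it; old versions stay readable until re-encryption.
func (d *KeyDomain) Rotate() uint32 {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no usable entropy: nothing sensible to continue with
	}
	d.masters = append(d.masters, k)
	return uint32(len(d.masters))
}

// prepare derives the AES-256-GCM key for (tenant, bucket, version) and builds the AAD from the full
// context. ObjectID is kept out of the KDF on purpose: the AAD, not the key, binds it. %q escapes each field.
func (d *KeyDomain) prepare(ctx Context) (cipher.AEAD, []byte, error) {
	v := ctx.KeyVersion
	if v == 0 || int(v) > len(d.masters) {
		return nil, nil, fmt.Errorf("key version %d unknown or retired", v)
	}
	kdfCtx := []byte(fmt.Sprintf("%q/%q/v%d", ctx.Tenant, ctx.Bucket, v)) // hypothetical label below
	block, err := aes.NewCipher(deriveKey(d.masters[v-1], "object-storage/aes-256-gcm", kdfCtx))
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return gcm, []byte(fmt.Sprintf("%q/%q/%q/v%d", ctx.Tenant, ctx.Bucket, ctx.ObjectID, v)), err
}

// Seal returns nonce || ciphertext || tag; a blob later moved to another object path fails to open.
func (d *KeyDomain) Seal(ctx Context, plaintext []byte) ([]byte, error) {
	gcm, aad, err := d.prepare(ctx)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts a blob under the context its metadata claims for it.
func (d *KeyDomain) Open(ctx Context, blob []byte) ([]byte, error) {
	gcm, aad, err := d.prepare(ctx)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("blob too short")
}

// Demo seals a constructed sample object, attempts a ciphertext relocation, rotates, and re-reads.
func Demo() (roundTrip, swapDetected, oldReadable bool) {
	var d KeyDomain
	a := Context{"acme", "invoices", "2025/inv-001.pdf", d.Rotate()}
	plain := []byte("constructed sample invoice body")
	blob, err := d.Seal(a, plain)
	if err != nil {
		panic(err)
	}
	got, err := d.Open(a, blob)
	roundTrip = err == nil && string(got) == string(plain)
	// Relocation: same bucket, same derived key, different object path => AAD mismatch.
	_, err = d.Open(Context{a.Tenant, a.Bucket, "2025/inv-002.pdf", a.KeyVersion}, blob)
	swapDetected = err != nil
	d.Rotate() // new objects would now use version 2; version 1 is still held by the domain
	got, err = d.Open(a, blob)
	oldReadable = err == nil && string(got) == string(plain)
	return
}
```

The derived key is scoped to (tenant, bucket, version) rather than to the object, so the relocation check isolates the effect of the AAD: the attacker-controlled move of a ciphertext to another object path is rejected by the tag check alone, with no key difference involved. This binding of ciphertext to context is exactly what XTS-AES lacks, which is why the abstract requires separate cryptographic authentication for the block-storage profile. The 96-bit nonces are random; at very high write volumes under one derived key a nonce-misuse-resistant AEAD such as AES-GCM-SIV, or per-object key derivation, would be the safer choice.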




Published

2025-10-26

How to Cite

Trofimov, O. (2025). METHOD FOR COMBINED DATA ENCRYPTION IN CLOUD ENVIRONMENTS. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 2(30), 778–793. https://doi.org/10.28925/2663-4023.2025.30.901