Baffle Extends Reach to Encrypt AWS S3 Data as Ingested
2024-9-25 21:0:4 Author: securityboulevard.com

Baffle today announced it has developed an ability to automatically encrypt data before it is stored in the Amazon Simple Storage Service (Amazon S3) cloud service.

Company CEO Ameesh Divatia said one of the cybersecurity issues that organizations regularly encounter is a failure to encrypt data stored in a cloud service. The reason this occurs can generally be traced back to either simply forgetting to turn on encryption or, occasionally, an inability to effectively manage the keys used to encrypt that data, he added.

Only about half the data stored on the cloud is encrypted, making it more vulnerable to cyberattacks. Baffle is addressing that issue by now adding an ability to encrypt data as it is ingested using a platform that also centralizes the management of encryption keys, said Divatia.

The company can provide that capability by applying data masking, tokenization and encryption at the field, object or bucket level to ensure sensitive data can’t be accessed by unauthorized users or downstream systems. It also makes use of a reverse proxy that eliminates any need to change the underlying code being used to store data in an S3 bucket.

Baffle intends to also provide a similar capability for other cloud services, including the Microsoft Azure Blob Storage service, said Divatia.

Many of the individuals who are programmatically invoking cloud services lack cybersecurity expertise, so it’s not uncommon for them to make configuration mistakes that, for example, inadvertently leave data exposed. Unfortunately, far too many cybersecurity teams lack visibility into where data is stored in the cloud, so in many cases, those mistakes are not discovered until after there has been a cybersecurity breach.

Cloud service providers such as Amazon Web Services (AWS) regularly encourage organizations to encrypt everything, including data, but it’s up to each organization to manage that process as part of any shared responsibility approach to ensuring cloud security. Too often, however, the end users of a cloud service will assume the cloud service provider is providing security capabilities for free that go beyond securing the core underlying infrastructure-as-a-service (IaaS) platform.

Cybercriminals, in the meantime, have become more adept at scanning for cloud vulnerabilities that enable them to launch, for example, a ransomware attack to encrypt data. If that data has already been encrypted, however, it’s all but useless unless cybercriminals had previously managed to gain access to the keys required to decrypt it. One of the primary reasons cybercriminals are so intent on stealing the credentials of IT and cybersecurity professionals is to gain access to those keys.

It’s not clear to what degree encrypting more data might thwart cyberattacks, but given how much data in the cloud is potentially vulnerable, any effort to secure that data better is going to reduce the potential level of stress any cybersecurity team experiences. After all, it may not be the cybersecurity team that created and then stored sensitive data in the cloud, but it is without a doubt going to be their responsibility to clean up a mess that, with a little additional effort, could have been avoided altogether.



Source: https://securityboulevard.com/2024/09/baffle-extends-reach-to-ecrypt-aws-s3-data-as-ingested/