
How the Cloud Learned to Stop Worrying and Love Encryption

Because of the nature of our jobs and the mission critical importance of the IT systems we support, it’s no surprise we’re a bunch of worriers, writes Mike Klein of Online Tech. For those of us who work in data centers for companies in regulated industries, security has a special place atop the list of things to worry about. Encryption is one of those security steps that is both required by regulation and a sensible way to ease security worries.

Mike Klein is co-CEO of Online Tech, which provides colocation, managed servers and private cloud services.

Mike Klein, Online Tech

It's straight out of a movie.

The film buffs among you might recognize that the title of this article is borrowed from the classic dark comedy Dr. Strangelove directed by Stanley Kubrick and starring George C. Scott and Peter Sellers. It’s about a rogue general during the height of the Cold War who causes a nuclear cataclysm because he’s overly worried about what the Russians are putting in Americans’ drinking water. Although the plot of the movie is about the Cold War, many of the themes of the movie will bring a knowing smile to people who work with data centers for a living: Complex technology that might fail at any moment. Fear of breakdowns in security systems. Fail-safe protocols that are inevitably susceptible to human error. Nerdy folks in dull, fluorescent-lit, windowless rooms worrying about worst case scenarios. If it weren’t for the nuclear bombs in the movie, it could be a film about data centers, couldn’t it?

Because of the nature of our jobs and the mission critical importance of the IT systems we support, it’s no surprise we’re a bunch of worriers. Maybe not paranoid like the cuckoo folks in Dr. Strangelove, but there are plenty of things that keep us up at night, with good reason. For those of us who work in data centers for companies in regulated industries, security has a special place atop the list of things to worry about.

Regulations like HIPAA and PCI and Sarbanes-Oxley put a heavy emphasis on security in order to protect patient privacy and the security of financial transactions, and encryption needs to be a central part of a company’s security strategy in order to ensure that their IT operations are compliant.

The Encryption Conundrum

So why is encryption important? The short answer is that the regulations require it, and what regulators say goes. HIPAA has explicit rules about how encryption should be deployed in the data center and IT networks. PCI does, too, for protection of financial information. Sarbanes-Oxley is a little more coy about encryption. SOX language doesn’t explicitly mention encryption, but it’s impossible to achieve all of its security requirements without employing encryption technology. So all of the regulations are unanimous: Encryption isn’t negotiable.

It’s no surprise that encryption is a major focus of each of these regulations: Proper encryption can not only prevent security breaches, but also minimize the impact if a breach happens. If customer information or patient information is lost or stolen, encryption provides an additional layer of security that prevents bad guys from doing anything with that data. As a last line of defense, it can save companies millions of dollars in costs if a security breach does happen, and help them avoid costly fines, legal actions and negative publicity.

If encryption has so many benefits from a security perspective, why isn’t it ubiquitous? Because encryption in traditional corporate data centers is hard, expensive, prone to human error (with all the responsibilities related to key management, for example) and it creates performance bottlenecks that can make the phone ring off the hook for data center professionals. Those issues conspire to make encryption a major pain in the you-know-what in an enterprise data center environment, but it’s even worse in the cloud. Encryption in the cloud has even more technical challenges…and is even more expensive…and often has an even more pronounced impact on performance. Those drawbacks have discouraged companies from being aggressive about encryption, despite what the mandates say. In fact, less than half of companies that work under mandates like SOX, HIPAA and similar regulations have successfully implemented encryption processes in their cloud deployments.

You Better Have A Surf Board

So what does this have to do with us in the data center industry? Everything—because clients look to us to solve these issues when they run into a dead end themselves. We are trusted partners and collaborators on their data center challenges, and—if you can pardon the oceanic metaphor—I see a rising swell of encryption requests on the horizon that will build and build in size as it makes its way toward data center and colocation providers in the coming months. Healthcare, financial services and retail companies are increasingly looking to their IT partners to solve their encryption problem for them, so the wave will be on us before you know it—and we all need to get a surf board sooner rather than later.

In the past (particularly in corporate data centers) the most common strategy for encryption was to “bolt it on”. Please forgive the colloquial language, but descriptive language like that is the best way to describe what it looked like. Data center folks often physically attached encryption hardware or suggested bolt-on software tools. It wasn’t pretty, but third-party solutions were the easiest way to address the need to add encryption and cross that urgent request off to-do lists.

The “bolted on” approach does not work at scale in a cloud environment. It’s hard to deploy and support, and it can significantly degrade application performance. Data center and colocation companies need a better approach to encryption for clients in regulated industries. The approach that makes the most technical and practical sense is a “built-in encryption” model. Built-in encryption involves four elements:

  • Encryption of data in transit
  • Encryption of data at rest on the disks
  • SSL certificates
  • Encrypted backups

Death, Taxes and Encryption

There is a famous saying about the only two things that are guaranteed in life, but I feel confident that cloud providers can expand that list to include a third: death, taxes and encryption. Our clients expect us to deliver encrypted solutions, and we need to be prepared.

Online Tech has developed a model for an “encrypted cloud” that takes care of each of the encryption steps that clients have difficulty doing themselves (encryption of data in transit and at rest, SSL certificates and encrypted backups). Encryption for data at rest is built into the server architecture rather than bolted on as plug-in software. Building encryption into a SAN’s server hardware removes performance bottlenecks and makes it easy to fulfill the encryption at rest part of the equation. This ensures there is no risk of stored data exposure when drives are removed or arrays are replaced. This model for an encrypted cloud also eliminates the problems related to key management, which has a million and one opportunities for human error. A truly encrypted cloud environment automates the key generation process as well as key distribution and other key management responsibilities.

Sarbanes-Oxley, HIPAA and PCI aren’t going anywhere any time soon, so that means encryption requirements are here to stay. Encryption is our clients’ problem, so that means it is our problem. No need to worry, though. There are new models for tackling this encryption challenge in the cloud, and the data center companies that learn to stop worrying and love encryption are the ones who will save the day for our clients.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
