Data Security: Encryption in the Cloud

RICHARD MOULDS
Thales e-Security

As Vice President of Product Management and Strategy, Richard contributes his well-respected data protection expertise and thought leadership to the information technology security activities of Thales.

The third annual Cisco Global Cloud Index (2012–2017) states that 2014 is the first year the majority of workloads will be in the cloud, with 51 percent processed in the cloud versus 49 percent in traditional IT space. Cisco anticipates that “global data center traffic will grow threefold and reach a total of 7.7 zettabytes annually by 2017.”

Cloud services have taken the business world by storm, and all the data handled by the cloud must be secured. Encryption plays an important role in creating trust in the cloud.

Data security = top priority

Encryption use has risen sharply in the last several years and is deployed in a multitude of ways, from encrypting data in databases and file systems to data being transferred over public and internal networks.

This increase in enterprise data security is necessary and good, but it brings with it a risk of creating fragmentation and inconsistency – encryption sprawl – as organizations deploy diverse technologies in different places to secure different types of data.

And if that weren’t enough, we have the cloud to consider with its own unique threats and challenges. With an undeniable value proposition, it is clear that the cloud is inevitable and protecting data within it will be a top priority.

More than 50 percent of businesses surveyed in the 2014 Encryption in the Cloud report confessed that they have sent sensitive or confidential data to the cloud. Only 11 percent of respondents said that their organization has no plans to use the cloud for sensitive operations. While it is encouraging that the use of encryption to protect sensitive data in the cloud is on the rise, it remains a cause for concern that over half of those respondents who store sensitive data in the cloud report that their data is “cleartext,” meaning that anyone can read it if they can get their hands on it. That is a dangerous gamble, but it doesn’t have to be this way.

Effective key management

Opinions vary on how and where to use encryption in the cloud. The aforementioned report shows an almost equal split between those who encrypt data before it is sent to the cloud and those who choose to apply encryption directly within the cloud. Regardless of approach, key management remains a challenge as businesses balance trust and control between their own organization and the cloud provider.

A well-planned encryption strategy, in fact, has as its foundation effective key management. Although many regard encryption itself as being black and white – data is either encrypted or not – the reality is that there is such a thing as good or bad encryption. Much of the variance comes down to implementation and key management. In light of this reality, it is good to see that 34 percent of respondents said that their own organization is in control of encryption keys when data is encrypted in the cloud. Only 18 percent of respondents report that the cloud provider has full control over keys.

Giving the provider full control may seem like a small matter, but it could have important implications. If the cloud provider owns the encryption keys, how can you determine if they’re safe? If someone files a lawsuit or presents a subpoena, will the cloud provider release these keys without your knowledge? In addition, a criminal would much rather steal keys than steal data. Stealing data is the modern equivalent of stealing money, yet stealing keys is like stealing the press that prints the money – an attack that keeps on taking.

Finding confidence in the cloud

Cloud services offer ease and convenience – and opportunities for malicious actors to steal data or, worse, keys. Encryption is a vital component of any organization’s security strategy. Trust in the cloud is based on a full accounting of where your organization’s data needs to be secured and at what level. Proper encryption that enables you to retain control of the keys will protect your data and give you confidence in the cloud.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.

One Comment

  1. Jason

    You need to cover other aspects of encryption in the cloud. e.g. If you are deployed in a DR/RaaS configuration how are you ensuring that you can decrypt your data at the Recovery Site? Our IaaS Provider can provide (SAN-based) encryption at rest at one or the other DC but not in a DR scenario. There is a lack of maturity here...