I’ve recently read a great post by Rich Mogull titled: “How to Tell If Your Cloud Provider Can Read Your Data (Hint: They Can)”. In his post Rich deals with the question of storing data in the cloud and provides valuable information on the problems of cloud data security and the actual capability of the cloud provider to read your data. I would like to further drill down and focus on Infrastructure as a Service and Platform as a Service (commonly abbreviated as IaaS and PaaS), and the Porticor approach to cloud data security.
Cloud encryption is doable – Cloud key management is the tricky part
Encrypting data in an IaaS or PaaS scenario is obviously an achievable task. Multiple encryption technologies are available, and although it is not always an easy or time-efficient task, IaaS and PaaS cloud users can implement encryption in their cloud account. But as the title suggests, the bigger problem becomes managing your encryption keys in the cloud.
Once data is moved to the cloud and virtual environments, the question becomes “who do I trust?” In a virtual cloud environment, an enterprise’s data is no longer within its four walls, which is why encryption is such a critical element. But who can a cloud customer trust with the encryption keys?
One option is to store the keys in the cloud, either on the same cloud infrastructure you use for your data, or with a dedicated key management vendor. Essentially, you trust that the chosen provider will keep your keys safe. But recent security incidents highlight the obvious – security providers are themselves exposed to attacks (recent examples include the VeriSign hack and the RSA hack). Bottom line: never trust anyone with your encryption keys!
An alternative to trusting a provider with your encryption keys is to store the keys back at the enterprise. That approach, however, defeats the purpose of moving to the cloud: a physical server deployment is required back in the data center, resulting in an expensive solution both in terms of software licenses and operational overhead, as well as the loss of important cloud advantages such as scalability and elasticity.
Cloud encryption – revolution required
Traditional encryption technologies, which worked well inside the enterprise’s datacenter, do not migrate seamlessly to a cloud scenario. On the encryption level we’re seeing a long and complex deployment process which in many cases does not provide a complete solution for different operating systems, databases, and so on. Add this to the key management challenge described above, and you’ll have a pretty good idea why creating a secure encryption workflow in the cloud is a challenging process. In other words, evolution of encryption technologies to the cloud era simply doesn’t cut it. When we talk to customers about their requirements for a cloud encryption solution, their list will usually contain security-related requirements (e.g. the encryption solution must itself be secured, encryption keys should be managed directly by the customer, compliance requirements must be addressed, etc.), but also, and equally important, specific cloud requirements expected from a cloud data security solution: for example, the ability to seamlessly scale up or down with the rest of the cloud environment (e.g. run on a large server during the daytime and scale down to a small server during off-hours), and generally speaking, the ability to deal with the complexity of the cloud.
Porticor is a cloud data security and key management system designed from day one to deal with those challenges. It is the industry’s first solution that provides trust and control for data at rest while working 100 percent in virtual, public, private and hybrid cloud environments. It is the industry’s only cloud data protection system that delivers data security across virtual disks, databases, and distributed storage and file systems, and it is the industry’s first solution with patented split-key encryption technology, which offers the security and trust of a system that is hosted inside the datacenter (for further reading, download our white paper).