Cloud security is once again a top concern for citizens and organizations alike. The NSA's PRISM program, and the allegation that information held in several cloud-based services has been analyzed by the NSA, raise questions not only about consumer SaaS portals (Facebook, Gmail and the like) but also about Infrastructure as a Service (IaaS) deployments such as Amazon Web Services. So far there is no indication that IaaS was tapped as part of PRISM, but the questions are already being asked: how secure is corporate information residing in IaaS, can a government obtain that information without anyone knowing, and what can be done to keep control of our information in the cloud?
Encryption is only one part of the solution
When looking at cloud security, encryption is usually the first solution that comes to mind. Encryption lets an organization build "mathematical walls" around its data and so keep prying eyes away from it. But many forget that encryption is only one part of the problem. The second, and harder, part is key management. Consider the following scenario: your data resides in cloud infrastructure and you encrypt it, but the encryption key sits unencrypted on the same virtual server, or (worse) on hardware owned by the cloud provider. Anyone who can read the server's disk or memory, including the provider, can read the key and therefore the data. In that scenario, encrypting the data achieves very little.
Split-key management enables cloud security
To encrypt and secure cloud data effectively, a different key management approach is needed: one designed specifically for the cloud rather than "welded" onto it. One example of such a technology is split-key encryption. Split-key (as the name implies) splits an encryption key in two. One "half" is known only to the end user, while the other is known to an automated, secure key-management system. The two halves are joined only inside the customer's IaaS account, so the key-management system never holds the complete key; the vendor further claims that the keys stay encrypted even while in use. The practical consequence is that the key material visible to the IaaS provider is never the whole key, and that the approach runs as a 100% cloud solution. The caveat a practitioner should keep in mind is that whatever component joins the halves inside the customer's account must itself be trusted: the security of the scheme rests on that component, and on the customer's own half never being stored alongside the data.
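The following is an added example, not code from the original article or from any vendor product, illustrating both points above: the scenario where the whole key sits beside the data, and the split-key scheme where neither half alone can decrypt. The key is split into two XOR shares (a standard two-party secret split, assumed here as one way the "halves" could be realised); the customer's share and the key-management share are combined only at the point of use, and the combined key drives an authenticated encryption scheme. Because the Python standard library has no AES, the cipher is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; in production you would use AES-GCM from a vetted library. All key and message values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split master_key into two XOR shares.

    The customer share is uniformly random, so on its own it carries no
    information about the key; the KMS share is the key XORed with it.
    Returns (customer_share, kms_share).
    """
    customer_share = secrets.token_bytes(len(master_key))
    kms_share = _xor(master_key, customer_share)
    return customer_share, kms_share


def join_key(customer_share: bytes, kms_share: bytes) -> bytes:
    """Recombine the two shares; this is what happens inside the customer's account."""
    return _xor(customer_share, kms_share)


def _derive(master_key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey from the master key (HMAC as a KDF)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stand-in for a block cipher stream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption: returns nonce || ciphertext || tag."""
    enc_key = _derive(master_key, b"enc")
    mac_key = _derive(master_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key = _derive(master_key, b"enc")
    mac_key = _derive(master_key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    """True if `key` alone is enough to open `blob`; False if the tag check fails."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    master = secrets.token_bytes(32)          # constructed data-encryption key
    customer_half, kms_half = split_key(master)
    blob = encrypt(master, b"constructed record: customer PII")
    # Whole key present next to the data: anyone reading the server can decrypt.
    print("whole key opens data:", can_decrypt(master, blob))
    # Either half alone (what the KMS or the customer holds) is useless.
    print("KMS half alone opens data:", can_decrypt(kms_half, blob))
    print("customer half alone opens data:", can_decrypt(customer_half, blob))
    # Joined inside the customer's account, the halves recover the key.
    print("joined halves open data:", can_decrypt(join_key(customer_half, kms_half), blob))
```

Note that the XOR split is a true secret-sharing scheme only if the customer share is fresh, uniformly random and never stored on the same server as the data or the KMS share; store both halves in the instance and you are back in the scenario from the previous section.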
Cloud security is achievable
To conclude this short article: we strongly believe cloud security can be achieved, but doing so requires a new perspective and tools designed for the cloud. Implementing traditional security systems, or trusting the cloud provider to secure your information for you, simply no longer cuts it.