The Many Colors of Cloud Encryption
Mar 31, 2011 5:00 AM PT
Cloud computing is a priority for enterprises seeking greater agility, operational efficiency and overall cost reduction, but security concerns continue to inhibit its use. Half of all companies not adopting cloud computing cite security as the reason, according to a Forrester Research October 2010 study, "Security and the Cloud."
Whether considering a private cloud or public cloud, IT professionals face new security and compliance challenges. As data moves to the cloud, it can migrate internally to a mixed trust environment or outside of the traditional corporate perimeter to environments that lead to nightmare scenarios among security professionals. While non-sensitive data in the cloud poses little concern, securing sensitive data is a major challenge. Encryption, when properly deployed and managed, can enable enterprises to safely cloud-enable applications and control sensitive corporate or personal information in the cloud.
In determining the correct approach for encryption in the cloud, it is necessary to evaluate whether the chosen approach will support business needs. How can I run applications in the cloud while avoiding application redesign or recoding? How can I encrypt data generated by applications running in the cloud but maintain custodianship of keys? Will encryption hinder application performance? Will it allow policies enabling a separation of duties between IT operations, IT security, and cloud administrators?
"The cloud" can be a nebulous concept with many different interpretations, and security depends on the "cloud formation" one uses.
Most large enterprises are aggressively virtualizing their environments and moving to private clouds that provide the operational and cost benefits generated by cloud characteristics such as self-service, rapid elasticity, measured/metered service, resource pooling, and broad network access. Private clouds pose new challenges since pooling computing resources can result in a mixed-trust environment requiring segregated data.
The public cloud service models, be it Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), pose new challenges to protecting and controlling sensitive data. In all of these delivery models the customer is ultimately accountable for securing data, but the degree to which the cloud service consumer must take direct responsibility varies. A good way to understand who is responsible for securing data is to read the "Security" section of your contract or terms of service.
Typically in SaaS and PaaS environments, the cloud service provider assumes much of the responsibility for security. For IaaS environments, however, security is a shared responsibility wherein the IaaS provider might provide some security basics like a perimeter firewall and load balancing to avoid DDoS attacks, but the responsibility for securing and controlling data typically falls to the cloud customer.
Enterprises can directly control security for private clouds and IaaS, and encryption provides a proven method of protecting and controlling data.
Using encryption ensures that your data is unreadable if there is a data breach, and a good solution that provides robust separation of duties helps minimize the possibility of a breach.
Some traditional approaches to encryption lose their applicability in a cloud environment. Disk and switch encryption provide security for data within the company's firewall but are of little relevance in a multi-tenant cloud world where the cloud service provider provisions the infrastructure.
The most effective approach protects information as close as possible to the source while minimizing any re-architecting or recoding that might delay cloud application deployment. Data can be encrypted in a few different ways in private clouds and IaaS including the following:
- Volume-based technologies
- Application-focused technologies
- File-based technologies
Volume-based encryption scrambles data at the mounted storage volume layer. The data is unreadable while unmounted and without encryption keys, but becomes readable to all users with access to the cloud server instance once the storage volume is mounted and the keys unlock the data. The upshot of this is that while it does protect unmounted data and backups from prying eyes, it typically does little to enforce the separation of duties between the IT operations and the IT security teams. Enforcing a separation of duties policy is essential given insider threats; otherwise the same individual has access to all data without security checks and balances.
Application-level encryption is more frequently seen in PaaS environments. While application-level encryption protects the data, it has to be built into the application itself. This can mean a custom application design, resulting in higher cost and implementation delays compared to file-based or volume-based encryption, which operate transparently to the application.
File-based encryption works for structured and unstructured data. This method encrypts data at the point of access, enforcing encryption and enabling access control and key management policies at the server, process and usage layers. It can typically be deployed in virtual, private and public cloud environments.
Policy and Key Management
Another important element of encryption is policy and key management. The keys are used to decrypt information and policies determine when keys are distributed. Keys must be secured against unauthorized use, yet available to authorized users when policy dictates.
Hosted key management services handle all key-related issues, enabling quick deployment. Since third parties host the service, there are external risks to consider. Issues include ensuring robust operational procedures (backup/restore, disaster recovery, etc.) and business risks (bankruptcy). More importantly, organizations should ensure that appropriate service level agreements (SLAs) are in place before allowing a hosted provider to be custodian of keys, especially when the sensitive data being protected is governed by regulatory compliance requirements.
On-premises key management allows customers to maintain custody of their encryption keys and apply consistent policies across the physical, virtual and cloud world (the much-desired "single pane of glass" for management). This enables enterprises to minimize the number of key management platforms in their IT environment and avoid "pools" of encryption keys. The up-front costs for such systems may make them inappropriate for smaller businesses or ad hoc cloud usage.
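The policy-gated key release described above can be sketched as follows. This is an added example, not code from the article or from any product; the KeyManager class and every role, host, process and key name in it are constructed for illustration. It shows a key leaving the key manager only when the server, process and user all match a rule, and only the security role being able to change that rule.

```python
import secrets
from dataclasses import dataclass, field

# Constructed names throughout: roles, hosts, processes and key ids are illustrative.
@dataclass(frozen=True)
class Rule:
    key_id: str
    server: str    # server layer: which instance may receive the key
    process: str   # process layer: which binary may use it
    user: str      # usage layer: which account the process runs as

@dataclass
class KeyManager:
    """Hypothetical on-premises key manager; the cloud host never stores keys."""
    policy_admins: frozenset                  # IT security, not IT operations
    _keys: dict = field(default_factory=dict)
    _rules: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def _require_admin(self, actor, action):
        if actor not in self.policy_admins:
            self.audit.append(("DENY", actor, action))
            raise PermissionError(f"{actor} may not {action}")
        self.audit.append(("OK", actor, action))

    def create_key(self, actor, key_id):
        self._require_admin(actor, "create_key")
        self._keys[key_id] = secrets.token_bytes(32)

    def allow(self, actor, rule):
        self._require_admin(actor, "allow")
        self._rules.add(rule)

    def release(self, key_id, server, process, user):
        """Deny by default: a key leaves only when a rule matches all three layers."""
        ok = Rule(key_id, server, process, user) in self._rules
        self.audit.append(("RELEASE" if ok else "REFUSE", key_id, server, process, user))
        return self._keys.get(key_id) if ok else None

def demo():
    km = KeyManager(policy_admins=frozenset({"sec-officer"}))
    km.create_key("sec-officer", "db-files")
    km.allow("sec-officer", Rule("db-files", "cloud-vm-1", "/usr/bin/postgres", "postgres"))
    results = {
        "database": km.release("db-files", "cloud-vm-1", "/usr/bin/postgres", "postgres"),
        "root_backup": km.release("db-files", "cloud-vm-1", "/bin/tar", "root"),
        "cloned_vm": km.release("db-files", "cloud-vm-9", "/usr/bin/postgres", "postgres"),
    }
    try:  # an operations admin tries to grant the backup process access
        km.allow("ops-admin", Rule("db-files", "cloud-vm-1", "/bin/tar", "root"))
        results["ops_changed_policy"] = True
    except PermissionError:
        results["ops_changed_policy"] = False
    return results, km.audit
```

The root-run backup and the cloned instance are both refused the key, so they can copy the encrypted files but not read them, which is the separation of duties that a mounted volume alone does not provide.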
The cloud provides compelling business benefits in terms of operational agility and cost savings. Concerns over security, while certainly justified, shouldn't prevent a company from moving to the cloud. Identifying which data needs protection and deploying the optimal encryption approach enables businesses to leverage the cloud while maintaining adequate security.