|By Gilad Parann-Nissany||
|June 25, 2012 05:30 AM EDT||
Cloud encryption keeps coming up as one of the hottest topics for enterprises migrating to the cloud. IT departments are constantly pushed to cut costs and utilize compute resources more efficiently, hence cloud computing is the natural evolution, yet at the same enterprises cannot compromise on cloud security, and cloud encryption should be considered high on the list as it segregates and “hides” your data from other virtual entities hosted on the same physical cloud infrastructure.
What’s my cloud provider’s encryption approach?
Cloud data security and cloud encryption comes in many forms and shapes. While some cloud providers will provide the encryption service, some will provide a “shopping list” of cloud encryption companies, and others will provide both. But which one is best for your needs?
A good place to start would be to define what your needs are J. Many enterprises tend to assume that data encryption automatically guarantees data confidentiality but that’s not the case. Data confidentiality is achieved only if you, the enterprise, maintain control over both the encryption process as well as the encryption keys.
If anyone else but your authorized team controls the encryption process, or manages the encryption keys for you – data confidentiality is not achieved. If cloud security is a regulatory requirement, or if intellectual property should be protected, enterprises should consider deploying and managing encryption by themselves.
Unfortunately this not an easy task to accomplish. While there are many cloud encryption technologies out there, most will answer only some of the requirements by working only with specific database kinds, or supporting a limited range of your operating systems. The ideal cloud encryption solution is the one supporting all your operating systems and databases types.
What about the encryption keys?
Now that you’ve figured out your encryption strategy and narrowed down your search to a limited number of encryption solutions who can address your cloud security requirements, there’s still the critical question of who’s responsible for my encryption keys management?
As mentioned above, if your enterprise requires data confidentiality, it is up to you to manage the encryption keys. Until recently, there were two available options; Consume key management as a service (which is equivalent in essence to trusting another entity with your encryption keys); or deploying a key management server back in your data center and integrate it with your cloud encryption software of choice, a fact which frustrates many IT managers since it eliminates many of the cloud benefits such as scalability and flexibility and burdens them with another on premise server to manage while all they wanted to do to begin with is to migrate to the cloud.
Fortunately, new and emerging technologies have been recently announced to resolve the cloud key management pain. One example is the split-key encryption technology (read more about it here or download the whitepaper) which for the first time enables enterprises migrating to the cloud to use a key management as a service without scarifying trust, by splitting an encryption key into two parts. The first part – the master key – is common to all data objects in the application. It remains the sole possession of the application owner and is unknown to the cloud provider or the encryption vendor; while the second part is different for each data object and is stored by the Key Management Service.