(Ping! Zine Issue 70) – Using the public cloud for business purposes, especially when sensitive data is concerned, may raise concerns since the cloud doesn’t come with walls, doors and locks. But just as safety in physical entities comes from proper security mechanisms such as locks and alarms, cloud computing can be protected by “virtual walls.”
Cloud Security: Encryption and Virtual Walls
Data encryption is the cloud’s recognized best practice for ensuring that the doors between the data of separate enterprises stay firmly shut and locked. In effect, virtual walls separate each account’s data, and unauthorized access is thwarted. This segmentation, and the assurance that the data itself stays protected, is appealing to many organizations, which is why interest in cloud data encryption solutions has grown. Gartner predicts that in 2014, encryption for the cloud will be one of the fastest growing segments of the security market.
Just as there are different types of physical locks (some stronger; some weaker), cloud encryption can be basic or advanced. Most encryption schemes use well known data encryption algorithms such as AES (Advanced Encryption Standard). The most important differentiator between approaches is the way encryption keys are handled.
Cloud Key Management and ownership
When it comes to managing encryption keys, it is all about maintaining ownership. When you use the cloud, you are essentially using infrastructure, platforms and applications owned and managed by someone else. But by keeping the encryption keys to yourself, you keep ownership of your data: whoever holds the keys decides who can read it, and the provider’s staff, or anyone who breaks into the provider, are left holding ciphertext.
The current state of the art in managing encryption keys is homomorphic split-key encryption. This type of encryption has two core capabilities.
The first capability is split-key encryption. The key that deciphers the data is never stored in one place: it is derived from two separate halves, one of which stays in your hands and the other in the hands of a cloud security provider. This is very similar to a bank safety deposit box, which requires your key and the bank’s key at the same time and in the same place. Both halves are needed in order to access the data, and neither half reveals anything about the data on its own. As long as you keep your half to yourself, hackers or unscrupulous “insiders” who compromise the provider’s key store alone will not be able to get their hands on your data.
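The safety-deposit-box idea, as an added illustration that is not Porticor’s code or design: a data key is derived from two 32-byte shares, one held by the customer and one by the provider, and neither share alone (nor a full copy of the provider’s key store) yields anything that can decrypt. Because AES is not in the Python standard library, the cipher below is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standing in for the AES-GCM a real deployment would use; the share length, the salt strings and the resource id are assumptions of the example. The homomorphic part described next is not modeled here.

```python
"""Split-key data encryption, stdlib-only (added example, not the page's own code).

The data key is derived from two shares. Their XOR is a one-time pad of either
share by the other, so a party holding a single share has no information about
the key; HKDF then turns that secret into fixed-length cipher keys.
"""
import hashlib
import hmac
import os

SHARE_LEN = 32   # assumed share size
NONCE_LEN = 16
TAG_LEN = 32
SALT = b"split-key-demo-v1"   # assumed domain-separation salt


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) over SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shares(customer_share: bytes, provider_share: bytes, context: bytes) -> bytes:
    """Derive the data key from both shares. `context` (for example an account
    and volume id) binds the key to one resource, so one share pair yields a
    different key per resource."""
    if len(customer_share) != SHARE_LEN or len(provider_share) != SHARE_LEN:
        raise ValueError("shares must be %d bytes" % SHARE_LEN)
    mixed = bytes(a ^ b for a, b in zip(customer_share, provider_share))
    return hkdf_sha256(mixed, salt=SALT, info=b"data-key|" + context)


def _subkeys(data_key: bytes):
    # Separate keys for confidentiality and integrity, derived from the data key.
    return (hkdf_sha256(data_key, SALT, b"enc"), hkdf_sha256(data_key, SALT, b"mac"))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: a slow but sound stream cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(data_key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag. `aad` is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(data_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(data_key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before touching the ciphertext; raise ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(data_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + aad + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong context or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def try_decrypt(data_key: bytes, blob: bytes, aad: bytes = b""):
    """Plaintext on success, None on authentication failure."""
    try:
        return decrypt(data_key, blob, aad)
    except ValueError:
        return None


def single_share_can_decrypt(share: bytes, blob: bytes, context: bytes, aad: bytes = b"") -> bool:
    """What an attacker holding one share gets: the best they can do is guess the
    other share (here, all zeros), and the tag check rejects the result."""
    guessed_key = combine_shares(share, bytes(SHARE_LEN), context)
    return try_decrypt(guessed_key, blob, aad) is not None


if __name__ == "__main__":
    customer_share = os.urandom(SHARE_LEN)   # stays with the customer
    provider_share = os.urandom(SHARE_LEN)   # stays with the cloud security provider
    context = b"account-42/volume-7"         # constructed resource id
    record = b"patient J. Doe, dx code Z00.0 (constructed sample)"
    key = combine_shares(customer_share, provider_share, context)
    blob = encrypt(key, record, aad=context)
    print("both shares:", try_decrypt(key, blob, aad=context) == record)
    print("provider share alone:", single_share_can_decrypt(provider_share, blob, context, context))
    print("customer share alone:", single_share_can_decrypt(customer_share, blob, context, context))
```

The `context` argument matters in practice: without it, one share pair would produce the same key for every resource, and the tag check binding the context as associated data is what stops a ciphertext encrypted for one volume being replayed against another.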
The second capability is homomorphic key management. Splitting the key protects it at rest, but a key has to be used at some point, and the moment it is assembled in the cloud to decrypt data is the moment it is most exposed. Homomorphic key management addresses exactly this moment: a mathematical technique keeps your half of the key encrypted even while it is being used, so the cloud system can work with it without ever seeing it in the clear.
Industries with sensitive data can safely use the cloud
Some industries, such as healthcare, finance or legal services, are regulated or required by law to protect the privacy of individual citizens. In these industries, it is mission critical to secure data and protect privacy to the highest standard possible. Strong encryption combined with sound key management creates the virtual walls an organization needs to run its business securely and efficiently. The benefit is in reducing risk, perceived and real, as well as reducing exposure to liability in the event that a breach does occur.
To give you an idea of the value of this approach, the U.S. Department of Health and Human Services (HHS) accepts encryption as a proper measure for protecting personal health information and allows a claim of “safe harbor.” This means that in the event of a breach, the organization can reasonably claim that the attackers could not have gotten away with readable data, since it was encrypted and the encryption keys stayed in your own hands. The safe harbor rests on that last condition: if the keys were exposed along with the data, the data no longer counts as protected. When it holds, the breach-notification obligations, and the fines and loss of reputation that follow them, can be avoided.
Writer’s Bio: Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance. Gilad can be found on his blog, Twitter, LinkedIn, and Google+ discussing cloud security.