Building Trust in the Cloud
Date: Monday, June 06, 2011
Use of cloud computing continues to grow at a healthy pace. Independent research firm Forrester Research expects the global cloud computing market to reach $241 billion in 2020. There are plenty of articles and resources on cloud computing, but far less is said about whether the cloud can be trusted. This article therefore focuses on the trust issue with the public cloud, which is the biggest impediment to public cloud adoption in enterprises.
Cloud Computing and Sensitive Data
Despite accelerating adoption in the small and mid-size markets, cloud adoption is not a slam-dunk for enterprises. They still think long and hard about moving applications and their data from traditional on-premise computing models to the public cloud, even though the benefits of cloud computing are significant: economies of scale, potential cost savings, fast deployment and easy scalability. So, what is holding up adoption beyond inertia? For many enterprises, the essential questions about security, data privacy and compliance remain unanswered. Enterprises resist migrating applications that contain sensitive data, core processes and valuable assets to the publicly accessible cloud because of significant concerns about security and compliance, leaving huge untapped potential for further adoption.
Data Security in the Cloud: A Major Concern
According to the Goldman Sachs Equity Research Report of 2011, 70 percent of the CIOs surveyed expressed major concerns about data security in the cloud. Their concerns include loss of transparency and control over business data: where it resides and how it is protected in a given cloud infrastructure. The recent large-scale Epsilon data breach affected over a hundred enterprise clients, including BestBuy, Capital One, Ritz-Carlton, JPMorgan Chase, Citi and Walgreens, along with tens of millions of consumers. Another recent massive data theft was reported by Sony, which lost personal and financial information, including credit card details and dates of birth, belonging to more than 100 million users to hackers. Each such data breach incident adds to the concerns about cloud data security.
Specific concerns include:
* Loss of governance: The data is outside IT's direct control, yet its misuse may have a significant impact on privacy and intellectual property claims.
* Regulatory compliance: Although regulated data may reside in the cloud, the obligation of regulatory compliance still falls on the organization that 'owns' the data rather than on the cloud service provider.
* Lack of transparency: Clouds are not transparent. Cloud service providers rarely share details on how their services work, which third-party partners are associated with them, where their data centers are located, and where exactly the data, including backups, is stored. Enterprises cannot get enough information about how and when their data is accessed by the provider's users, where it is stored and copied, and when it is purged. There is also the risk of the provider's malicious insiders accessing sensitive data. Without transparency, organizations have to take it on faith that their data's confidentiality and integrity are fully protected.
* Cloud has no borders, but businesses do: Data residency (where the data is physically located) raises issues for businesses adopting cloud computing. Your data may not reside in the same country as your business, and privacy laws vary dramatically between countries (and, in the U.S., between individual states). Many European nations do not allow their citizens' identity information (names, contact details and so on) to be transmitted outside the country. This was already a hot issue for multinational companies with their internal applications, and cloud computing exacerbates it.
* Data privacy: Data privacy is a key concern. It is not easy to ensure that the provider's controls over data access match your own. Breach notification is a related concern: cloud service providers may not observe the same data breach notification rules as your business. If breach notification is not explicitly spelled out in your contract, you can find yourself in a bind where you are obligated to notify customers of a breach but your cloud provider does not notify you.
An Innovative Approach to Cloud Data Protection
Traditional approaches to encryption fall short
Encryption is the typical solution for data confidentiality and integrity requirements. However, the traditional encryption methods (encryption provided by the database and storage layers) that worked well for internal IT no longer work for cloud applications, for the following reasons.
* Encryption keys reside within the cloud provider's infrastructure, since database operations such as search and sort will not function without access to the data in clear text. The sensitive data therefore remains exposed to malicious insiders.
* According to the SANS Institute, a security research and education organization, attacks against web applications constitute 60 percent of the total attack attempts observed on the internet. Encryption at the file and database levels fails to protect against such web application level attacks, because data is decrypted before it is presented to the web application.
Ground-Breaking Approach
As traditional encryption methods have failed to address these complex problems in the evolving cloud environment, select startups are beginning to implement innovative solutions to address this key challenge.
This innovative approach allows enterprises to retain complete control over their data in the cloud by applying strong encryption in real time, before sensitive data leaves the enterprise, using keys that are retained and managed by the enterprise at all times. This ensures that threats within the cloud provider's network, OS, database or application layer, as well as malicious insiders, are no longer a concern for enterprises.
Cloud applications are multi-tenant, so they cannot be modified for varying enterprise needs. The success of this encryption technology therefore depends on protecting data without requiring changes to the cloud application, and without impacting its functionality (searching, sorting, reporting and more), performance or user experience.
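As an added illustration (written for this article, not CipherCloud's product code), the gateway below shows the mechanics the two paragraphs above describe: sensitive fields are encrypted with an enterprise-held key before a record is sent to a hypothetical SaaS app, and a separate deterministic search token keeps exact-match search working without any change to the cloud application. Assumptions: the field names, the HMAC-in-counter-mode cipher (a standard-library stand-in for AES) and the list-based "cloud store" are all constructed for this example; the search token necessarily reveals which records share a value, and sorting would need an order-revealing scheme that leaks more still.

```python
import base64, hashlib, hmac, secrets

class EnterpriseGateway:
    """Hypothetical gateway inside the enterprise network (not CipherCloud's code):
    it rewrites sensitive fields before they leave, and the master key never leaves it."""
    def __init__(self, master_key: bytes):
        # Separate sub-keys for confidentiality, integrity and searchable tokens.
        def kdf(label): return hmac.new(master_key, label, hashlib.sha256).digest()
        self.k_enc, self.k_mac, self.k_idx = kdf(b"enc"), kdf(b"mac"), kdf(b"idx")
    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR.
        return b"".join(hmac.new(self.k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                        for i in range((n + 31) // 32))[:n]
    def encrypt_field(self, value: str) -> str:
        # Randomized encrypt-then-MAC: the same value gives a different ciphertext every time.
        nonce, pt = secrets.token_bytes(16), value.encode()
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        tag = hmac.new(self.k_mac, nonce + ct, hashlib.sha256).digest()[:16]
        return base64.b64encode(nonce + ct + tag).decode()
    def decrypt_field(self, blob: str) -> str:
        raw = base64.b64decode(blob)
        nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
        if not hmac.compare_digest(tag, hmac.new(self.k_mac, nonce + ct, hashlib.sha256).digest()[:16]):
            raise ValueError("ciphertext modified in the cloud")  # integrity check failed
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()
    def search_token(self, value: str) -> str:
        # Deterministic keyed token so the SaaS app can still do exact-match search,
        # at the price of revealing which records share a value (equality leakage).
        return hmac.new(self.k_idx, value.encode(), hashlib.sha256).hexdigest()[:32]

SENSITIVE = ("ssn", "card")  # constructed policy: fields that never leave in clear text

def outbound(gw: EnterpriseGateway, record: dict) -> dict:
    """Rewrite a record on its way to the cloud app: ciphertext plus a search token."""
    out = dict(record)
    for f in SENSITIVE:
        if f in out:
            out[f + "_idx"], out[f] = gw.search_token(out[f]), gw.encrypt_field(out[f])
    return out

def inbound(gw: EnterpriseGateway, record: dict) -> dict:
    """Restore a record on its way back; search tokens are an internal detail and are dropped."""
    return {k: (gw.decrypt_field(v) if k in SENSITIVE else v)
            for k, v in record.items() if not k.endswith("_idx")}

def cloud_search(store: list, field: str, token: str) -> list:
    """What the SaaS side can do: match on the opaque token, never on clear text."""
    return [r for r in store if r.get(field + "_idx") == token]
```

A provider-side insider who dumps the store sees only the base64 blobs and tokens; without the enterprise key neither can be reversed, and a modified blob fails the integrity check on its way back.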
Addressing security, compliance and governance
This novel approach to cloud data protection puts many of the security and governance concerns over cloud adoption to rest. It addresses each of these concerns in turn:
* Governance: Your most sensitive data never leaves the enterprise in clear text. You retain control of the data itself and its encryption keys. If the cloud provider is compromised via an application, operating system, database or network attack, or your users' account credentials are stolen, attackers obtain only the strongly encrypted versions of your sensitive data.
* Regulatory compliance: Most regulations, such as PCI and HIPAA, require encryption of sensitive data. Privacy breach notifications to customers are not required when the lost data is encrypted.
* Transparency: Data remanence and residency concerns are diminished when your most sensitive data never leaves your enterprise. You may still not know exactly where or how the data is stored in the cloud, but as long as the sensitive data is encrypted, it probably does not matter.
Your business retains full control over its enterprise data in the cloud, along with the encryption keys, and the sensitive data is encrypted at every point outside your enterprise: in transit, at rest, and during processing within the cloud application.
This revolutionary approach to cloud data protection allows enterprises to accelerate cloud adoption and realize the significant benefits of cloud computing.
The author is Founder & CEO of CipherCloud